Best-in-class security
With security at the core of Karbon, your data is safe. Information is encrypted in transit, stored securely in enterprise-grade cloud servers and major data protection regulations are adhered to.
We take a security-first approach towards product development, quality assurance and operational support. Leading technologies and industry best practices are utilized to maintain the security and availability of the Karbon platform, and protect everything stored within it.
We are committed to your business and to the protection of your data, including GDPR compliance.
Karbon is SOC 2 Type I certified, which confirms we have implemented the necessary systems and processes to meet the security standards our customers expect when it comes to their data. Contact us to request a copy of the Karbon SOC 2 Type I Report.
We are expected to undergo another SOC 2 examination, which will result in the issuance of a SOC 2 Type II report.
We have implemented an Information Security Management System (ISMS), in accordance with the requirements set out in ISO 27001. However, we have not yet been independently certified ISO 27001 compliant.
We are committed to preventing unauthorized access to, or disclosure of, our customers’ information. Read our privacy policy.
The Karbon platform uses Transport Layer Security (TLS v1.2, v1.1 and v1.0) encryption on all requests sent between client and server. System controls have been implemented to prevent cross-site scripting and SQL injection attacks.
All data captured in Karbon is encrypted and stored on Microsoft Azure servers in accordance with ISO 27001 requirements.
Karbon has operational support staff available on call 24hrs a day. In the event of an unscheduled outage, business continuity and disaster recovery procedures are initiated to maintain continued business operations and system performance.
System vulnerability assessments and internal security controls have been implemented to identify security vulnerabilities and reduce the risk of exposure to common cyber attacks. Our Vulnerability Disclosure Program enables us to identify and proactively address inbound security vulnerabilities provided by customers and the broader technical community.
Our incident management process ensures we rapidly respond to security events that may affect the integrity or availability of the Karbon platform and the data stored within it. Events that affect customers are given the highest priority.
Karbon data is stored across multiple databases and file stores. Data and audit logs for all databases are backed up at a regular frequency. Full backups are performed after every gigabyte of growth or each week, whichever is sooner.
All your information is stored using enterprise-grade cloud servers, secure data storage and highly scalable databases.
Access to Karbon’s deployment environments is strictly controlled.
Testing and Staging environments are logically separated from the Production environment.
All user actions that create, modify or remove data in Karbon are audited. These audit records are retained for 14 days and can be provided to customers on a request-by-request basis.
Karbon is a multi-tenanted system. Each customer account has a unique identifier that is used across the entire platform to identify data owned by that account.
The Client Task app is powered by Secure Sockets Layer (SSL) to maintain connection security and encrypt and share data safely.
The Karbon product development team identifies and assesses any security-related risks as part of all new feature development work.
Annual third-party vendor risk assessments are performed to evaluate the risks associated with the services provided by third parties.
Monitoring tools are in place to identify suspicious behaviour, unauthorised attempts to access Karbon, and potential denial of service (DoS) type attacks.
Karbon can be configured to work with a Single Sign On (SSO) provider such as Okta.
Access to Karbon is connected to a user’s email account. Multi-factor or two-factor authentication can be set for the user’s email account login. Karbon does not store any passwords.
All users must be invited to join a tenant and accept that invitation before they can access any tenant data. A selected authentication provider is recorded for the user and all future login attempts require authentication using the same provider.
Access to production databases is restricted to allow access only from trusted IP addresses.
Access to production databases is strictly controlled and only users with a need to access production data for customer support or problem resolution have access. On request, Karbon will securely delete a customer’s Karbon data.
Data backups are encrypted and sensitive data is encrypted/masked in the live database.
In-app user permissions allow you to control what data a user can access, what company-wide actions they can perform, and which settings they can change.
A comprehensive set of security policies is enforced for all Karbon employees and contractors with access to Karbon information assets. This includes policies on the use of two-factor authentication, protection of passwords, personal firewalls, and avoiding unsecured devices and networks.
Every Karbon employee undergoes security training as part of the orientation and onboarding process. New employees receive information on Karbon’s commitment to keep customer information safe and secure.
All new Karbon employees are required to sign Non-Disclosure and Confidentiality agreements.