Best-in-class security
With security at the core of Karbon, your data is safe. Information is encrypted in transit, stored securely in enterprise-grade cloud servers and major data protection regulations are adhered to.
Practice Management Software for Enterprise Accounting Firms
Your data and privacy is protected.
We take a security-first approach towards product development, quality assurance and operational support. Leading technologies and industry best practices are utilized to maintain the security and availability of the Karbon platform, and protect everything stored within it.
SOC 2Type II
GDPRCompliant
DataAuto Backup
PrivacyProtected
Compliance & Certification
Security Compliance
- SOC 2 Type II
- Karbon is SOC 2 Type 2 certified, which confirms we have implemented the necessary systems and processes that comply with best practices for security, availability, and confidentiality according to standards set by the American Institute of Certified Public Accountants (AICPA). Download our SOC 3 report, or contact us to request our SOC 2 Type 2 report.
- ISO 27001
- We have implemented an Information Security Management System (ISMS), in accordance with the requirements set out in ISO 27001. However, we have not yet been independently certified ISO 27001 compliant.
- GDPR
- We are committed to your business and the protection of your data to ensure GDPR-compliance.
Privacy
- Privacy Policy
- We are committed to preventing unauthorized access or disclosure to our customer’s information. Read our privacy policy.
Cloud Security
Encryption
- Encryption in Transit
- The Karbon platform uses Transport Layer Security (TLS v1.2, v1.1 and v1.0) encryption on all requests sent between client and server. System controls have been implemented to prevent cross site scripting and SQL injection attacks.
- Encryption at rest
- All data captured in Karbon is encrypted and stored on Microsoft Azure servers in accordance with ISO 27001 requirements.
Availability & Continuity
- Service Recovery
- Karbon has operational support staff available on call 24hrs a day. In the event of an unscheduled outage, business continuity and disaster recovery procedures are initiated to maintain continued business operations and system performance.
- Vulnerability Management
- System vulnerability assessments and internal security controls have been implemented to identify security vulnerabilities and reduce the risk of exposure to common cyber attacks. Our Vulnerability Disclosure Program enables us to identify and proactively address inbound security vulnerabilities provided by customers and the broader technical community.
- Incident Management
- Our incident management process ensures we rapidly respond to security events that may affect the integrity or availability of the Karbon platform and the data stored within it. Events that affect customers are given the highest priority.
Data Backups
- Data Hosting
- Karbon data is stored across multiple databases and file stores. Data and audit logs, for all databases, are backed up on a regular frequency. Full backups are performed every gigabyte of growth or each week — whichever is sooner.
- Enterprise-grade Servers
- All your information is stored using enterprise-grade cloud servers, secure data storage and highly scalable databases.
Application Security
Secure Development
- Access to Environments
- Access to Karbon’s deployment environments is strictly controlled.
- Separate Environments
- Testing and Staging environments are logically separated from the Production environment.
User Security
- Auditing of User Actions
- All user actions that create, modify or remove data in Karbon are audited. These audit records are retained for 14 days and can be provided to customers on a request-by-request basis.
- Unique Tenant Identifiers
- Karbon is a multi-tenanted system. Each customer account has a unique identifier that is used across the entire platform to identify data owned by that account.
- Client File Transfer
- The Client Task app is powered by Secure Sockets Layer (SSL) to maintain connection security and encrypt and share data safely.
Vulnerability Management
- Security Risk Assessment
- The Karbon product development team identify and assess any security related risks as part of all new feature development work.
- Third-Party Risk Assessment
- Annual third-party vendor risk assessments are performed to evaluate the risks associated with the services provided by third parties.
- Monitoring Alerts
- Monitoring tools are in place to identify suspicious behaviour, unauthorised attempts to access Karbon, and potential denial of service (DoS) type attacks.
Product Security
Authentication Security
- Single Sign-On
- Karbon can be configured to work with a Single Sign On (SSO) provider such as Okta.
- Multi-Factor Authentication
- Access to Karbon is connected to a user’s email account. Multi or two-factor authentication can be set for the user’s email account login. Karbon does store any passwords.
- User Security
- All users must be invited to join a tenant and accept that invitation before they can access any tenant data. A selected authentication provider is recorded for the user and all future login attempts require authentication using the same provider.
- IP Restrictions
- Access to production databases is restricted to allow access only from trusted IP addresses.
Data Security
- Administrative Data Access
- Access to production databases is strictly controlled and only users with a need to access production data for customer support or problem resolution have access. On request, Karbon will securely delete a customer’s Karbon data.
- Data Backups
- Data backups are encrypted and sensitive data is encrypted/masked in the live database.
- User Permissions
- In-app user permissions allow you to control what data a user can access and what company-wide actions and settings can be controlled.
Human Resources Security
Security Awareness
- Security Awareness Policies
- A comprehensive set of security policies are enforced to all Karbon employees and contractors with access to Karbon information assets. This includes policies for the use of two-factor authentication, protection of passwords, personal firewalls, and avoiding unsecured devices and networks.
- Security Awareness Training
- Every Karbon employee undergoes security training as part of the orientation and onboarding process. New employees receive information on Karbon’s commitment to keep customer information safe and secure.
Confidentiality
- Confidentiality Agreements
- All new Karbon employees are required to sign Non-Disclosure and Confidentiality agreements.
Trusted by accounting firms world-wide.
98% Positive reviews on G2.com
4.8 stars on G2.com
98% Service satisfaction rating
