Karbon
Practice Management Software for Enterprise Accounting Firms

Best-in-class security

With security at the core of Karbon, your data is safe. Information is encrypted in transit and stored securely on enterprise-grade cloud servers, and major data protection regulations are adhered to.

Your data and privacy are protected.

We take a security-first approach towards product development, quality assurance and operational support. Leading technologies and industry best practices are utilized to maintain the security and availability of the Karbon platform, and protect everything stored within it.

SOC 2 Type II
GDPR Compliant
Data Auto Backup
Privacy Protected

Compliance & Certification

Security Compliance

SOC 2 Type II
Karbon is SOC 2 Type 2 certified, which confirms we have implemented the necessary systems and processes that comply with best practices for security, availability, and confidentiality according to standards set by the American Institute of Certified Public Accountants (AICPA). Download our SOC 3 report, or contact us to request our SOC 2 Type 2 report.
ISO 27001
We have implemented an Information Security Management System (ISMS), in accordance with the requirements set out in ISO 27001. However, we have not yet been independently certified ISO 27001 compliant.
GDPR
We are committed to your business and to protecting your data to ensure GDPR compliance.

Privacy

Privacy Policy
We are committed to preventing unauthorized access to, or disclosure of, our customers’ information. Read our privacy policy.

Cloud Security

Encryption

Encryption in Transit
The Karbon platform uses Transport Layer Security (TLS v1.2, v1.1 and v1.0) encryption on all requests sent between client and server. System controls have been implemented to prevent cross-site scripting and SQL injection attacks.
Encryption at rest
All data captured in Karbon is encrypted and stored on Microsoft Azure servers in accordance with ISO 27001 requirements.

Availability & Continuity

Service Recovery
Karbon has operational support staff available on call 24 hours a day. In the event of an unscheduled outage, business continuity and disaster recovery procedures are initiated to maintain continued business operations and system performance.
Vulnerability Management
System vulnerability assessments and internal security controls have been implemented to identify security vulnerabilities and reduce the risk of exposure to common cyber attacks. Our Vulnerability Disclosure Program enables us to identify and proactively address security vulnerabilities reported by customers and the broader technical community.
Incident Management
Our incident management process ensures we rapidly respond to security events that may affect the integrity or availability of the Karbon platform and the data stored within it. Events that affect customers are given the highest priority.

Data Backups

Data Hosting
Karbon data is stored across multiple databases and file stores. Data and audit logs for all databases are backed up at regular intervals. Full backups are performed every gigabyte of growth or each week, whichever is sooner.
Enterprise-grade Servers
All your information is stored using enterprise-grade cloud servers, secure data storage and highly scalable databases.

Application Security

Secure Development

Access to Environments
Access to Karbon’s deployment environments is strictly controlled.
Separate Environments
Testing and Staging environments are logically separated from the Production environment.

User Security

Auditing of User Actions
All user actions that create, modify or remove data in Karbon are audited. These audit records are retained for 14 days and can be provided to customers on a request-by-request basis.
Unique Tenant Identifiers
Karbon is a multi-tenanted system. Each customer account has a unique identifier that is used across the entire platform to identify data owned by that account.
Client File Transfer
The Client Task app is powered by Secure Sockets Layer (SSL) to maintain connection security and encrypt and share data safely.

Vulnerability Management

Security Risk Assessment
The Karbon product development team identifies and assesses any security-related risks as part of all new feature development work.
Third-Party Risk Assessment
Annual third-party vendor risk assessments are performed to evaluate the risks associated with the services provided by third parties.
Monitoring Alerts
Monitoring tools are in place to identify suspicious behaviour, unauthorised attempts to access Karbon, and potential denial of service (DoS) type attacks.

Product Security

Authentication Security

Email Authentication
Authentication to our platform is performed via an encrypted connection to your preferred Microsoft or Google email account.
Multi-Factor Authentication
Access to Karbon is connected to a user’s email account. Multi-factor or two-factor authentication can be set for the user’s email account login. Karbon does not store any passwords.
User Security
All users must be invited to join a tenant and accept that invitation before they can access any tenant data. A selected authentication provider is recorded for the user and all future login attempts require authentication using the same provider.
IP Restrictions
Access to production databases is restricted to allow access only from trusted IP addresses.

Data Security

Administrative Data Access
Access to production databases is strictly controlled and only users with a need to access production data for customer support or problem resolution have access. On request, Karbon will securely delete a customer’s Karbon data.
Data Backups
Data backups are encrypted and sensitive data is encrypted/masked in the live database.
User Permissions
In-app user permissions allow you to control what data a user can access and what company-wide actions and settings can be controlled.

Human Resources Security

Security Awareness

Security Awareness Policies
A comprehensive set of security policies is enforced for all Karbon employees and contractors with access to Karbon information assets. This includes policies for the use of two-factor authentication, protection of passwords, personal firewalls, and avoiding unsecured devices and networks.
Security Awareness Training
Every Karbon employee undergoes security training as part of the orientation and onboarding process. New employees receive information on Karbon’s commitment to keep customer information safe and secure.

Confidentiality

Confidentiality Agreements
All new Karbon employees are required to sign Non-Disclosure and Confidentiality agreements.

Trusted by accounting firms world-wide.

98% Positive reviews on G2.com
4.8 stars on G2.com
98% Service satisfaction rating