Â鶹ԭ´´

Security at Â鶹ԭ´´

?

Last Updated: October 6, 2023

Overview

From inception, Â鶹ԭ´´ recognized the need to have security architected throughout the Â鶹ԭ´´ Climate Management & Account Platform (CMAP) and our supporting services. Our customers share data to calculate their carbon footprint and expect their data to be kept secure and confidential. To that end, we have invested heavily in our platform to enable enterprise-grade security features and processes. With this, Â鶹ԭ´´'s security posture is guided and maintained by four (4) security principles as described further on this page:

1. Provision and Manage Users with the Principle of Least Privilege
2. Architect and Develop for Security and Privacy
3. Train and Educate on Security Repeatedly
4. Align and Comply with Industry Security Standards

For further information of Â鶹ԭ´´'s security and privacy controls or to request copies of Â鶹ԭ´´'s audit reports and certifications, please visit .

Shared Security Responsibility Model (SSRM)

As a Software as a Service (SaaS) application hosted in Amazon Web Services (AWS), we maintain a list of security responsibilities that are shared between AWS, Â鶹ԭ´´, and Â鶹ԭ´´¡¯s customers. At a summary level those responsibilities are:?

• AWS is responsible for the physical data centers, networking, perimeter security, hardware configurations, and availability of the Platform-as-a-Service (PaaS) services provided to Â鶹ԭ´´ for use in the CMAP.?
• Â鶹ԭ´´ is responsible for security configurations including but not limited to data encryption at rest and in transit, network and firewall restrictions, and application, database,? container, and infrastructure security.
• Â鶹ԭ´´'s customers are responsible for the proper use of and security access configurations in the CMAP. Other responsibilities include but are not limited to user setup and management, user access reviews, data quality, data classification standards, third-party integration setup, and, as applicable, the single sign-on (SSO) setup.

Principle 1: Provision and Manage Users with the Principle of Least Privilege

• The security principle of "least privilege" is utilized across all Â鶹ԭ´´ systems. Access to platform code and data depends on the resource¡¯s role, and production access by employees is particularly controlled and restricted.
• Â鶹ԭ´´ utilizes Privileged Access Management (PAM) to manage and audit access to production environments. Using PAM, developers must request access to a production environment and the request must be approved by Â鶹ԭ´´¡¯s Engineering leadership. Once access is granted, the access duration is limited to a specific duration and activity logs are available for later review.
• Â鶹ԭ´´ reviews Â鶹ԭ´´ personnel access to all? systems at least quarterly.
• Customers are responsible for reviewing access to their Â鶹ԭ´´ account following their own access review policies and procedures. Â鶹ԭ´´ resources with direct access to customer accounts are always shown in Â鶹ԭ´´ User Manager screen, so customers have a full view of all users with access to their data.

Principle 2: Architect and Develop for Security and Privacy

Architecture

• The Â鶹ԭ´´ CMAP consists of a multi-tier, multi-tenant SaaS application hosted in AWS and is architected into four distinct tiers or layers: the highly protected database tier, API tier, front-end tier, and web browser (which is managed by the customer).?
• Web application firewalls, security groups, access control lists, and other security detection and control mechanisms are deployed between layers to provide multiple layers of protection between the internet and database tier.?

Authentication

• Â鶹ԭ´´ supports identity provider (IdP) initiated SSO via the SAML protocol with IdPs such as Okta, Microsoft, and Ping.?
• If SSO is not utilized, and username and password authentication is chosen instead, Â鶹ԭ´´ supports multi-factor authentication and IP allow listing to enhance access control to the CMAP. In this configuration, passwords are hashed with bcrypt and salted.?

Data Storage and Backup

• Â鶹ԭ´´'s multi-tenant architecture concurrently stores data in AWS US-East 2 (Ohio), US-East 1 (Virginia), EU-West 1 (Ireland), and AP-Northeast 1 (Tokyo). Note: If you have specific data residency needs, please ask your Â鶹ԭ´´ Sales Representative about Â鶹ԭ´´'s single tenant architecture model.
• Data within the Â鶹ԭ´´ Platform is backed up continuously and can be restored to any point in the last 72 hours.?
• Additionally, backups are taken each day and maintained for at least a year.?
• Backups will always be encrypted using Advanced Encryption Standard (AES) 256-bit encryption and are stored in secure, geographically dispersed AWS S3 buckets.

Encryption

• Â鶹ԭ´´ utilizes encryption at rest using Advanced Encryption Standard (AES) 256 and encryption in transit via TLS 1.2 or above. Â鶹ԭ´´ also utilizes Perfect Forward Secrecy (PFS) ciphers for data transmission outside the CMAP.
• Â鶹ԭ´´'s multi-tenant architecture utilizes AWS managed encryption keys. Note: If you require customer managed encryption keys, please ask your Â鶹ԭ´´ Sales Representative about Â鶹ԭ´´'s single tenant architecture model.

Monitoring & Logging

• Â鶹ԭ´´ maintains monitoring and logging for each level of the platform's architecture, including databases, containers, load balancers, firewalls, and other application components.
• Â鶹ԭ´´ maintains all log information for at least one year for security reviews.
• If a security event is identified to be a threat, Â鶹ԭ´´ Engineering and Information Security teams are notified immediately to triage, classify, contain, and remediate the security event or incident, including details such as the time of the event and impact to the platform.

Physical Security

• Â鶹ԭ´´ is hosted in Amazon Web Services (AWS), and AWS data centers maintain several physical security controls to protect Â鶹ԭ´´ and customer data. Â鶹ԭ´´ reviews and validates AWS security controls at least annually to affirm they are operating effectively. Please navigate the page for further information on its data center controls.?

Secure Development Lifecycle (SDLC)

• Â鶹ԭ´´ implements automated and manual review processes to ensure quality and security assurance in our software development processes starting from product design and feature creation through deployment to production.
• Static Application Security Testing (SAST) of the platform's containers, software packages, and code is conducted with each software build.

Vulnerability Management

Network & System Hardening Standards

• Â鶹ԭ´´ implements its application infrastructure and network configurations with guidance from industry-leading security standards such as NIST Cybersecurity and CIS Level 2 frameworks.
• Â鶹ԭ´´ maintains and executes security baseline requirements for each layer of the platform architecture.

Principle 3: Train and Educate on Security Repeatedly

• All Â鶹ԭ´´ employees and contractors undergo security awareness and data privacy training upon hire and annually thereafter.
• All Â鶹ԭ´´ employees and contractors undergo criminal background checks before starting at Â鶹ԭ´´.
• All Â鶹ԭ´´ Engineering personnel undergo secure development + OWASP 10 training upon hire and annually thereafter.
• Informal security awareness training is conducted every two weeks during Â鶹ԭ´´ all company meetings.

Principle 4: Align and Comply with Industry Security & Privacy Standards?

Security Compliance

Privacy Compliance

• Â鶹ԭ´´ is prepared to comply with obligations applicable to it according to global data protection laws, including GDPR and CCPA. Please see our Privacy Policy for further information on your data privacy rights and how we comply with these regulations.
• Since Personally Identifiable Information (PII) is not required for carbon accounting calculations, Â鶹ԭ´´ stores and processes very limited PII. Only users¡¯ first name, last name, business email address, and IP address are stored in order to support authentication, logging, and audit requirements.
• Further to the shared data security responsibility principles, Â鶹ԭ´´ specifically requests that customers do not upload other PII to the CMAP.