Security at 黑料海角91入口
Last Updated: October 6, 2023
Overview
From inception, 黑料海角91入口 recognized the need to have security architected throughout the 黑料海角91入口 Climate Management & Accounting Platform (CMAP) and our supporting services. Our customers share data to calculate their carbon footprint and expect that data to be kept secure and confidential. To that end, we have invested heavily in our platform to enable enterprise-grade security features and processes. 黑料海角91入口's security posture is guided and maintained by four (4) security principles, described further on this page:
- Provision and Manage Users with the Principle of Least Privilege
- Architect and Develop for Security and Privacy
- Train and Educate on Security Repeatedly
- Align and Comply with Industry Security Standards
For further information on 黑料海角91入口's security and privacy controls, or to request copies of 黑料海角91入口's audit reports and certifications, please visit .
Shared Security Responsibility Model (SSRM)
As a Software as a Service (SaaS) application hosted in Amazon Web Services (AWS), we maintain a list of security responsibilities that are shared between AWS, 黑料海角91入口, and 黑料海角91入口’s customers. At a summary level those responsibilities are:
- AWS is responsible for the physical data centers, networking, perimeter security, hardware configurations, and availability of the Platform-as-a-Service (PaaS) services provided to 黑料海角91入口 for use in the CMAP.
- 黑料海角91入口 is responsible for security configurations including but not limited to data encryption at rest and in transit, network and firewall restrictions, and application, database, container, and infrastructure security.
- 黑料海角91入口's customers are responsible for the proper use of and security access configurations in the CMAP. Other responsibilities include but are not limited to user setup and management, user access reviews, data quality, data classification standards, third-party integration setup, and, as applicable, the single sign-on (SSO) setup.
Principle 1: Provision and Manage Users with the Principle of Least Privilege
- The security principle of "least privilege" is utilized across all 黑料海角91入口 systems. Access to platform code and data depends on the resource’s role, and production access by employees is particularly controlled and restricted.
- 黑料海角91入口 utilizes Privileged Access Management (PAM) to manage and audit access to production environments. Using PAM, developers must request access to a production environment and the request must be approved by 黑料海角91入口’s Engineering leadership. Once access is granted, it is limited to a specific duration, and activity logs are available for later review.
- 黑料海角91入口 reviews 黑料海角91入口 personnel access to all systems at least quarterly.
- Customers are responsible for reviewing access to their 黑料海角91入口 account following their own access review policies and procedures. 黑料海角91入口 resources with direct access to customer accounts are always shown in the 黑料海角91入口 User Manager screen, so customers have a full view of all users with access to their data.
Principle 2: Architect and Develop for Security and Privacy
Architecture
- The 黑料海角91入口 CMAP is a multi-tier, multi-tenant SaaS application hosted in AWS and is architected into four distinct tiers or layers: the highly protected database tier, the API tier, the front-end tier, and the web browser (which is managed by the customer).
- Web application firewalls, security groups, access control lists, and other security detection and control mechanisms are deployed between layers to provide multiple layers of protection between the internet and the database tier.
Authentication
- 黑料海角91入口 supports identity provider (IdP) initiated SSO via the SAML protocol with IdPs such as Okta, Microsoft, and Ping.
- If SSO is not utilized and username and password authentication is chosen instead, 黑料海角91入口 supports multi-factor authentication and IP allow listing to enhance access control to the CMAP. In this configuration, passwords are salted and hashed with bcrypt.
Data Storage and Backup
- 黑料海角91入口's multi-tenant architecture concurrently stores data in AWS US-East 2 (Ohio), US-East 1 (Virginia), EU-West 1 (Ireland), and AP-Northeast 1 (Tokyo). Note: If you have specific data residency needs, please ask your 黑料海角91入口 Sales Representative about 黑料海角91入口's single tenant architecture model.
- Data within the 黑料海角91入口 Platform is backed up continuously and can be restored to any point in the last 72 hours.
- Additionally, backups are taken each day and maintained for at least a year.
- Backups will always be encrypted using Advanced Encryption Standard (AES) 256-bit encryption and are stored in secure, geographically dispersed AWS S3 buckets.
Encryption
- 黑料海角91入口 utilizes encryption at rest using Advanced Encryption Standard (AES) 256 and encryption in transit via TLS 1.2 or above. 黑料海角91入口 also utilizes Perfect Forward Secrecy (PFS) ciphers for data transmission outside the CMAP.
- 黑料海角91入口's multi-tenant architecture utilizes AWS managed encryption keys. Note: If you require customer managed encryption keys, please ask your 黑料海角91入口 Sales Representative about 黑料海角91入口's single tenant architecture model.
Monitoring & Logging
- 黑料海角91入口 maintains monitoring and logging for each level of the platform's architecture, including databases, containers, load balancers, firewalls, and other application components.
- 黑料海角91入口 maintains all log information for at least one year for security reviews.
- If a security event is identified to be a threat, 黑料海角91入口 Engineering and Information Security teams are notified immediately to triage, classify, contain, and remediate the security event or incident, including details such as the time of the event and impact to the platform.
Physical Security
- 黑料海角91入口 is hosted in Amazon Web Services (AWS), and AWS data centers maintain several physical security controls to protect 黑料海角91入口 and customer data. 黑料海角91入口 reviews and validates AWS security controls at least annually to affirm they are operating effectively. Please navigate the page for further information on its data center controls.
Secure Development Lifecycle (SDLC)
- 黑料海角91入口 implements automated and manual review processes to ensure quality and security assurance in our software development processes starting from product design and feature creation through deployment to production.
- Static Application Security Testing (SAST) of the platform's containers, software packages, and code is conducted with each software build.
Vulnerability Management
- 黑料海角91入口 is vulnerability tested and secured through several threat management processes, including:
  - External network vulnerability scanning is conducted monthly.
  - Penetration testing is conducted at least quarterly by a third-party vendor, including the following testing types:
    - External Network
    - API
    - Gray Box Application
Network & System Hardening Standards
- 黑料海角91入口 implements its application infrastructure and network configurations with guidance from industry-leading security standards such as NIST Cybersecurity and CIS Level 2 frameworks.
- 黑料海角91入口 maintains and executes security baseline requirements for each layer of the platform architecture.
Principle 3: Train and Educate on Security Repeatedly
- All 黑料海角91入口 employees and contractors undergo security awareness and data privacy training upon hire and annually thereafter.
- All 黑料海角91入口 employees and contractors undergo criminal background checks before starting at 黑料海角91入口.
- All 黑料海角91入口 Engineering personnel undergo secure development and OWASP Top 10 training upon hire and annually thereafter.
- Informal security awareness training is conducted every two weeks during 黑料海角91入口 all company meetings.
Principle 4: Align and Comply with Industry Security & Privacy Standards
Security Compliance
- 黑料海角91入口 maintains a robust information security management system (ISMS) that a third-party auditor audits annually to maintain compliance with the following industry-standard security frameworks:
  - SOC 1 Type II: An attestation that provides an external auditor’s validation that 黑料海角91入口 maintains appropriate controls around the Climate Management and Accounting Platform (CMAP) for customer financial reporting purposes (specific to carbon accounting). 黑料海角91入口 received a clean, unqualified audit report with no exceptions.
  - SOC 2 Type II: An attestation that provides an external auditor’s validation that 黑料海角91入口's security controls were in place and effective for the report’s coverage period as related to the American Institute of Certified Public Accountants' (AICPA) trust service principles. 黑料海角91入口 was audited against the Security, Availability, and Confidentiality trust service principles and received a clean, unqualified audit report with no exceptions.
  - ISO 27001: A certification that provides external auditor validation that an effective Information Security Management System (ISMS) has been established to identify and manage information risks through a comprehensive set of company-wide processes and security controls, including procedures and controls that continually improve the ISMS. To access our ISO 27001 certification, please enter our registrant name, “黑料海角91入口”, in the link .
  - ISO 27017: A certification that provides external auditor validation that 黑料海角91入口's ISMS includes controls for the secure management of 黑料海角91入口's cloud infrastructure as well as cloud service security for users of the 黑料海角91入口 CMAP. To access our ISO 27017 certification, please enter our registrant name, “黑料海角91入口”, in the link . Note: ISO 27017 is an extension of the ISO 27001 security framework, and as such, 黑料海角91入口's ISO 27017 certification is included in 黑料海角91入口's ISO 27001 certificate.
  - CSA STAR Level 2 Gold: A certification that provides external auditor validation that 黑料海角91入口’s security controls are implemented according to the Cloud Security Alliance (CSA) Consensus Assessment Initiative Questionnaire (CAIQ). To access our CSA STAR certificate and CAIQ, please navigate the CSA Registry in the link .
Privacy Compliance
- 黑料海角91入口 is prepared to comply with obligations applicable to it according to global data protection laws, including GDPR and CCPA. Please see our Privacy Policy for further information on your data privacy rights and how we comply with these regulations.
- Since Personally Identifiable Information (PII) is not required for carbon accounting calculations, 黑料海角91入口 stores and processes very limited PII. Only users’ first name, last name, business email address, and IP address are stored in order to support authentication, logging, and audit requirements.
- In line with the shared security responsibility model above, 黑料海角91入口 specifically requests that customers do not upload other PII to the CMAP.