Building a Carbon & ESG management SaaS - Episode 1: Security

While data on companies' climate impact is increasingly public, why is data security crucial when offering an online carbon management solution, and how do we address this at Traace?

Patrick Nollet

Co-founder

Updated: 14/10/2024
Published: 15/6/2023

The importance of securing carbon data and climate strategy for companies.

Traace is a SaaS software platform that allows companies to measure their carbon footprint and set up action plans to reduce it. While more and more companies, whether under regulatory pressure or not, share their CSR approach and the overall result of their carbon footprint, the fact remains that a carbon footprint is generally measured from operational data that can be very sensitive: purchases, energy expenses, employee travel, industrial processes...

This is all the more true when a carbon assessment is carried out according to the most rigorous carbon accounting standards, as is the case at Traace, since these standards require going into the details of the company's value chain: production methods, suppliers and service providers, investments, logistics, etc.

Since establishing a carbon footprint is only the necessary prerequisite for taking action to reduce emissions, Traace customers also manage their reduction trajectories on the platform, and in particular the associated decarbonisation action plans. Traace allows both the carbon impact and the financial impact of reduction actions to be modelled in detail. This requires processing business data that is strategic, and therefore critical, for our customers.

It is therefore natural for Traace customers to want to ensure that the data they entrust to us is properly secured.

Traace is compliant with SOC 2 security standards.

Since Traace was founded, we have applied a number of key principles to the design of our ESG software to ensure a safe and reliable system. But beyond the product itself, the company's entire organization must be aligned to ensure that our product meets a high level of security and operational quality.

While there are now regulations to comply with, such as the GDPR (with which Traace is of course compliant), that frame the processing of personal data and guarantee its proper management, it remains essential for our customers that their suppliers' application of security best practices is recognized by an independent body.

Standards have been developed to audit and evaluate companies like Traace on their ability to follow security best practices. Some of these standards are specific to a sector, such as PCI-DSS for payment processing companies, while others are more general.

In November 2022, Traace began by carrying out a SOC 2 Type 1 audit to certify the ability of the organization and its product to meet the most stringent security requirements.

In June 2023, we carried out another, more ambitious audit: SOC 2 Type 2. The difference between Type 2 and Type 1 is that, this time, compliance with our security commitments and procedures was tested over several months rather than at a given point in time. This is an even stronger guarantee of security. And in our case, no failure to comply with our procedures was identified.

SOC 2 audit categories

In general, a SOC 2 audit may assess criteria grouped into five broad categories:

  • Security: The technical infrastructure must be protected from the risks it may face.
  • Availability: The technical infrastructure must remain available so that our tool remains accessible to customers.
  • Processing integrity: At all times, the information provided by the system must be reliable.
  • Confidentiality: Information should only be available to authorized personnel.
  • Personal data: Personal data must be managed and stored in an appropriate manner.

In our audit, the focus was on security.

How is the data processed in Traace?

What does this mean in practice for Traace customer data?

Here are some examples:

  • Our customers' data is encrypted at rest and in transit, i.e. when the data flows from one computer to another.
  • We have strict rules in place for managing access to our internal tools.
  • Our workstations are regularly updated, protected by anti-virus, anti-malware and firewall solutions and the disks are encrypted.
  • We regularly conduct penetration tests and vulnerability scans on our technical infrastructure.
  • All Traace employees are made aware of security issues, and phishing simulation campaigns are regularly conducted.
  • We have procedures in place to manage potential incidents, and we test them regularly.
  • We have a strict policy for managing our subcontractors.

These are only a few examples, but it is clear that implementing a secure and reliable platform cannot be improvised: it requires time and investment from everyone at Traace.

Nevertheless, this remains essential in order to keep the trust of our clients, to meet the expectations of large companies, and to be able to support all our clients in their climate strategies in the most precise and ambitious way possible.

Detailed results of Traace's SOC 2 Type 2 audit are available on request by email to: contact@traace.co.
