Six layers between
your data and a bad day.
The short version of how we protect your data. The longer version is in the DPA. The longest version we’ll send to your procurement team if they ask.
Encryption everywhere
TLS 1.3 in transit, AES-256 at rest. Database, backups, logs — encrypted by default, no opt-in required.
Row-level security
Multi-tenancy enforced at the database level via Postgres RLS. Application bugs can’t leak another tenant’s data because the query never returns it.
Scoped API keys
Every API key belongs to one organisation. Revocable from the dashboard. Sandbox keys exist as a separate type so test traffic never touches live quotas.
Hash-chained audit log
Every state-changing action writes to an append-only audit log. Each entry hashes the previous — tampering is detectable. Retained 7 years.
EU data residency
Primary database in Frankfurt (eu-west-1). Edge functions occasionally serve from non-EU regions for latency, with Standard Contractual Clauses in place.
MFA available
TOTP-based MFA on every account. Enforced AAL2 means session-resume re-validates. Backup codes for recovery, behind a short-lived HMAC cookie.
Compliance & methodology
What we’re aligned with today, and what’s on the way.
GDPR
Article 28 DPA pre-signed at /dpa
ISO 14040 / 14067
Methodology compliance for carbon math
GHG Protocol
Scope 3 Categories 1 and 11
SOC 2
Underway — Q3 2026
ISO 27001
Underway — 2027
Reporting a vulnerability
Spotted something concerning? Email security@carbontrace.cloud. We acknowledge within 24 hours and triage within 72. We don’t run a paid bounty programme yet, but credit is given where it’s asked for.
Need our procurement pack?
DPA, sub-processor list, security overview, recent pentest summary. We’ll happily fill out your vendor security questionnaire too.
Request the pack