Technical and Organizational Security Measures

Security is a core component of CarbonX’s platform, products, and operations. This document outlines CarbonX’s comprehensive security program, including our certifications, policies, and physical, technical, organizational, and administrative controls (collectively, the “Security Measures”). These measures are designed to protect Customer Data from unauthorized access, destruction, use, modification, or disclosure, and to ensure the confidentiality, integrity, and availability of our services.

Written By CarbonX Registry

Last updated 4 months ago

CarbonX implements and maintains these Security Measures in line with industry standards for leading software-as-a-service (SaaS) providers, using controls and frameworks based on NIST SP 800-53, ISO/IEC 27001, and related best practices for cloud security and data protection.

The Security Measures described here reflect CarbonX’s ongoing commitment to safeguarding customer information, maintaining trust, and ensuring compliance with applicable data protection laws and contractual obligations.

Any capitalized terms used but not otherwise defined in this document shall have the meanings assigned to them in the Agreement or the Data Processing Addendum (DPA).

1. Access Control

CarbonX has implemented and maintains a comprehensive set of formal policies, technical controls, and organizational practices to ensure appropriate access control and the protection of Customer Data.
These measures are designed to prevent unauthorized access, ensure accountability, and align with industry standards for identity and access management, including Zero Trust principles.

The Access Control framework includes the following key components:

  • Access Management Policy — A documented policy defining standards, procedures, and responsibilities for access control, user provisioning, and authentication across all systems, applications, and infrastructure.

  • Zero Trust Architecture — A multi-layered security model that classifies systems and data into criticality tiers, enforcing multi-factor authentication (MFA) and additional security measures on higher-tier and sensitive systems.

  • Role-Based Access Control (RBAC) — User access is granted based on job function and the principle of least privilege, ensuring individuals receive only the minimum level of access required to perform their duties.

  • Need-to-Know Restriction — CarbonX personnel are permitted to access Customer Data strictly on a need-to-know basis, and only when access is necessary for legitimate operational purposes.

  • Segregation of Duties — Functional and technical segregation is enforced to prevent conflicts of interest, supported by mechanisms including but not limited to:

    • Regular access control reviews,

    • Security group management through HR applications, and

    • Workflow and approval mechanisms for sensitive operations.

  • Access Authorization and Review — All user accounts require management approval prior to granting access to data, applications, or network resources. Access privileges are regularly reviewed and adjusted based on role changes or employment status.

  • Technical Access Controls — VPN access, MFA, and device posture verification are mandated for access to systems and environments classified into the higher criticality tiers, consistent with CarbonX’s Zero Trust Model.

  • Endpoint and Mobile Device Security — A centrally managed Mobile Device Management (MDM) solution enforces security configurations, lockout periods, encryption, and compliance checks for all authorized endpoints and mobile devices.

2. Awareness and Training

CarbonX has established and maintains a comprehensive Security Awareness and Training Program designed to ensure that all personnel understand their responsibilities for protecting Customer Data and maintaining the security and integrity of CarbonX systems.

The program combines general awareness, role-specific education, and continuous engagement to promote a strong and enduring security culture across the organization.

Key components include:

  • Mandatory Security and Privacy Training — All new employees, contractors, and partners complete extensive onboarding training covering security, privacy, compliance, and acceptable use. Annual refresher courses reinforce these principles.

  • Varied Learning Formats — Training is delivered through diverse channels including online modules, in-person sessions, recorded webinars, and interactive phishing simulations to maximize engagement and retention.

  • Role-Specific Training — Personnel with elevated access privileges or specialized responsibilities (e.g., engineers, administrators, and security staff) receive targeted training addressing advanced risks, secure system management, and incident prevention practices.

  • Training Records and Tracking — All training completions and certifications are centrally recorded in a Learning Management System (LMS) to ensure traceability and auditability.

  • Automated Reminders and Escalation — The LMS issues automated reminders for training deadlines and includes an escalation workflow to notify the relevant manager if completion is delayed.

  • Ongoing Security Awareness — CarbonX provides continuous awareness activities for all personnel, including contractors and third-party partners, focused on emerging threats, changing compliance requirements, and current best practices.

  • Secure Development Education — Security champions within engineering teams deliver secure coding and application security training sessions, ensuring that security-by-design principles are embedded in the software development lifecycle.

  • Annual Security Events and Campaigns — Mandatory yearly security awareness events, workshops, and campaigns reinforce key security values, emphasizing the shared responsibility of every employee in maintaining a secure environment.

3. Audit and Accountability

CarbonX maintains a comprehensive set of formal policies, controls, and practices to ensure proper auditing, monitoring, and accountability across its systems, services, and cloud environments.
These measures enable the timely detection of anomalies, facilitate forensic analysis, and ensure compliance with internal policies and regulatory requirements.

Key components of the Audit and Accountability Program include:

  • Comprehensive Logging Standards — Detailed logging standards are defined as part of CarbonX’s Policy Management Framework. These standards undergo annual reviews and senior management approval to ensure continued effectiveness and alignment with industry best practices.

  • Centralized Log Management — All relevant system and security logs are securely forwarded and stored within a centralized log management platform in CarbonX’s cloud infrastructure. Access to logs is restricted to read-only permissions and limited to authorized personnel.

  • Continuous Monitoring and Review — Security audit logs are actively monitored to identify unusual or suspicious activity. Defined procedures ensure timely review, investigation, and remediation of detected anomalies.

  • Dynamic Log Scope and Updates — The scope of logged information and system events is periodically reviewed and updated to reflect new features, technologies, and infrastructure changes within CarbonX’s Cloud Products.

  • Reliable Time Synchronization — All system clocks and timestamps are synchronized against the time synchronization services of trusted cloud providers (e.g., AWS, Microsoft Azure), so that events can be correlated accurately and consistently across all deployed instances.

Through these measures, CarbonX ensures traceability, accountability, and operational transparency in line with industry standards such as ISO/IEC 27001:2022, NIST SP 800-53 (AU controls), and SOC 2.

4. Assessment, Authorization, and Monitoring

CarbonX has established and maintains a robust set of formal policies, controls, and operational practices to ensure continuous system monitoring, independent verification, and effective security assessment throughout its infrastructure and product lifecycle.
These measures ensure the integrity, compliance, and ongoing improvement of CarbonX’s information security management system.

Key elements include:

  • Comprehensive Audit and Assurance Policies — A detailed set of audit and assurance policies is maintained under CarbonX’s compliance framework, subject to annual reviews, updates, and management approval to ensure alignment with evolving regulatory and contractual requirements.

  • Centralized Policy Governance — A centralized internal policy program organizes global security and compliance policies into clearly defined domains, with each domain reviewed annually and approved by senior management.

  • Audit Management Lifecycle — CarbonX’s audit management process encompasses the planning, risk analysis, security control assessments, audit conclusions, remediation scheduling, and thorough review of historical audit findings to ensure continuous improvement.

  • Internal and External Audits — Both internal assessments and independent external audits are conducted annually to evaluate adherence to legal, regulatory, and contractual obligations, as well as to validate the effectiveness of security controls and operational processes.

  • Ongoing Compliance Verification — Regular reviews confirm alignment with globally recognized standards such as ISO/IEC 27001, SOC 2, and other applicable frameworks.

  • Nonconformity Management and Corrective Actions — Identified nonconformities are documented, analyzed, and remediated based on root-cause analysis and severity rating. Corrective actions are tracked to completion to ensure accountability and continuous improvement.

  • Penetration Testing and Bug Bounty Programs — CarbonX conducts annual penetration tests on its products and platforms, supplemented by proactive bug bounty programs to identify and mitigate potential vulnerabilities before they can be exploited.

  • Continuous Vulnerability Scanning — Automated and continuous vulnerability assessments are performed across systems and infrastructure. Identified vulnerabilities are prioritized and remediated according to CarbonX’s internal security policy and defined risk severity levels.

Through these practices, CarbonX ensures a rigorous, transparent, and proactive approach to risk management, control validation, and compliance assurance across its entire operational environment.

5. Configuration Management

CarbonX maintains a comprehensive and formally documented Configuration Management Program that ensures all systems, infrastructure, and applications are securely configured, consistently maintained, and continuously monitored throughout their lifecycle.
These practices support system stability, minimize risk, and ensure all changes are implemented in a controlled and auditable manner.

Key components include:

  • Change Management Policy — CarbonX enforces formal change management policies covering the full lifecycle of system, application, and infrastructure changes. All changes are assessed for security risk and business impact, and the policies are reviewed annually by senior management.

  • Secure Encryption and Cryptographic Controls — Defined procedures govern all changes involving encryption, key management, and cryptography, ensuring secure handling of data and cryptographic materials according to their security classification.

  • Centralized Policy Governance — A centralized internal policy framework organizes CarbonX’s global policies into multiple control domains, each subject to annual review and executive approval to maintain compliance and operational integrity.

  • Technical and Security Configuration Standards — CarbonX maintains stringent policies and standards covering:

    • Encryption and key management

    • Cryptography controls

    • Endpoint configuration management

    • Asset tracking and lifecycle governance

  These standards are implemented in accordance with industry best practices and recognized international standards.

  • Configuration Baselines and Change Controls — All system and application configurations follow established baseline standards, requiring testing documentation and authorized approval prior to deployment or modification.

  • Peer Review and Green Build Process — All production code and infrastructure changes undergo peer review and must produce a green build (all automated build, test, and security checks passing) before release, providing multiple independent levels of validation and approval.

  • Emergency Change Procedures — Emergency changes are subject to post-implementation review and approval, verifying that the change was necessary, effective, and securely implemented.

  • Automated Monitoring and Intrusion Detection — CarbonX utilizes automated configuration management systems integrated with Intrusion Detection Systems (IDS) to identify, log, and prevent unauthorized changes in real time.

  • Asset Inventory and Tracking — All physical and logical assets are catalogued, tracked, and reviewed annually to ensure an accurate and up-to-date inventory aligned with CarbonX’s asset management policy.

Through these measures, CarbonX ensures that configuration changes are secure, traceable, and controlled, maintaining the confidentiality, integrity, and availability of its systems and Customer Data.

6. Contingency Planning

CarbonX has implemented and maintains a comprehensive set of formal policies, controls, and operational procedures to ensure effective business continuity and disaster recovery (BCDR) across all global operations and cloud-based environments.
These measures are designed to preserve the availability of CarbonX’s products and services, protect Customer Data, and enable rapid recovery from disruptions, ensuring operational resilience under all conditions.

Key components of CarbonX’s Contingency Planning framework include:

  • Skilled Workforce and Infrastructure Readiness — A highly trained workforce and resilient IT infrastructure, including critical telecommunications and cloud technologies, ensure uninterrupted delivery of CarbonX Products and Services.

  • Business Continuity and Disaster Recovery Plans (BCDR Plans) — Documented and tested BCDR Plans define clear Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs) for essential systems, services, and data.

  • Data Continuity and Availability — Business continuity strategies encompass secure data storage, redundancy, and continuity-of-use mechanisms designed to prevent interruptions to Customer Data access and utilization.

  • Geographic and Cloud Resilience — CarbonX leverages geographically distributed infrastructure and a global workforce to minimize localized risk and maintain service continuity in the event of regional disruptions.

  • Operational Resilience Controls — Daily backups, annual restoration testing, and the use of alternative cloud storage and failover sites strengthen resilience and enable swift recovery following potential data loss events.

  • Cyber Event Response and Resilience Framework — CarbonX maintains an integrated incident response and resilience framework with defined procedures for cyber event detection, mitigation, and recovery to preserve business continuity.

  • Regular Testing and Continuous Improvement — Quarterly disaster recovery tests and scenario-based exercises are conducted to evaluate response readiness. Post-test analyses identify areas for enhancement, driving continuous improvement of BCDR capabilities.

  • Capacity and Availability Management — Continuous monitoring and capacity planning ensure optimal service performance and uptime, including DDoS mitigation and scaling mechanisms for CarbonX Cloud Products and infrastructure.

  • Centralized Policy Oversight — A centralized internal policy program governs all global business continuity policies, with annual reviews and updates approved by senior management.

  • Robust Data Backup Protocols — Comprehensive backup procedures include:

    • Encryption of backup data both in transit and at rest,

    • Redundancy across multiple data centers, and

    • Periodic backup testing to validate data integrity and ensure recoverability.

7. Identification and Authentication

CarbonX has implemented and maintains a comprehensive framework of formal policies, technical controls, and operational practices to ensure robust identification and authentication of users accessing systems, applications, and Customer Data.
These measures enforce accountability, minimize the risk of unauthorized access, and align with Zero Trust and defense-in-depth security principles.

Key components include:

  • Unique Employee Identification — Each CarbonX employee is uniquely identified through a centrally managed Active Directory service, ensuring traceable and auditable account management across all systems.

  • Single Sign-On (SSO) — Access to corporate applications and services is facilitated through Single Sign-On (SSO), streamlining authentication while maintaining centralized visibility and control.

  • Multi-Factor Authentication (MFA) — MFA is mandatory for all secure access points, including VPN connections and application launches via SSO, as defined by CarbonX’s Zero Trust Model. Access therefore requires both user credentials and an additional verification factor.

  • Password Security and Policy — Password creation and management follow the NIST SP 800-63B Digital Identity Guidelines, emphasizing length-based password strength, screening of new passwords against lists of common and compromised values, and secure reset mechanisms.

  • Credential Storage and Protection — All stored credentials, including passwords, secrets, and tokens, are protected with strong cryptographic controls and held in dedicated password and secret management systems, preserving their confidentiality and integrity. Consistent with the NIST SP 800-63B guidance noted above, this means passwords are stored as salted one-way hashes rather than in recoverable form.

  • Account Governance and Review — Access and identity data are subject to documented approvals, regular access reviews, and automated synchronization between HR systems and identity management platforms to maintain accuracy, integrity, and lifecycle consistency.
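The following block is an added example, not CarbonX’s own code, illustrating the Password Security and Credential Storage bullets above: the SP 800-63B screening rules for user-chosen passwords (length bounds, no composition rules, a blocklist of common or compromised values, context-specific words, repetitive or sequential runs) and salted one-way storage of the verifier’s copy. The blocklist entries, the 128-bit salt, the scrypt cost parameters and the function names are this example’s own assumptions.

```python
"""
Added example: NIST SP 800-63B-style checks for user-chosen passwords and
salted one-way storage for the verifier. Illustrative code, not CarbonX's
implementation; the blocklist, KDF parameters and function names are this
example's own assumptions.
"""
import hashlib
import hmac
import os
import unicodedata

# Constructed stand-in for the common/compromised-password corpus that
# SP 800-63B requires verifiers to screen against (assumption: a real
# deployment uses a large breach corpus or a k-anonymity lookup service).
COMMON_PASSWORDS = {
    "password", "123456", "qwerty", "letmein", "welcome1", "carbonx2024",
}

MIN_LENGTH = 8      # SP 800-63B: at least 8 characters for user-chosen secrets
MAX_LENGTH = 128    # SP 800-63B: allow at least 64; the cap bounds KDF cost
RUN_LENGTH = 4      # length of repetitive/sequential runs that are rejected


def normalize(secret: str) -> str:
    """NFKC-normalize so the same visible password always hashes identically
    (SP 800-63B recommends applying a stable Unicode normalization)."""
    return unicodedata.normalize("NFKC", secret)


def has_run(s: str, k: int = RUN_LENGTH) -> bool:
    """True if s contains k identical characters in a row ('aaaa') or k
    characters with consecutive code points ('1234', 'dcba')."""
    for start in range(len(s) - k + 1):
        window = s[start:start + k]
        deltas = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if deltas in ({0}, {1}, {-1}):
            return True
    return False


def check_password(secret: str, context_words=()) -> list:
    """Return the reasons a candidate password is unacceptable (empty = OK).

    Applies the SP 800-63B rules: length bounds, no composition rules,
    blocklist screening, context-specific words (user name, service name)
    and repetitive or sequential runs. Spaces and Unicode are permitted.
    """
    s = normalize(secret)
    lowered = s.lower()
    reasons = []
    if len(s) < MIN_LENGTH:                       # length in code points
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(s) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")
    if lowered in COMMON_PASSWORDS:
        reasons.append("appears in the common/compromised password list")
    for word in context_words:
        if word and word.lower() in lowered:
            reasons.append(f"contains context-specific word {word!r}")
    if has_run(s):
        reasons.append("contains repetitive or sequential characters")
    return reasons


def hash_password(secret: str, salt: bytes = b"") -> tuple:
    """Salted, memory-hard one-way hash (scrypt) for verifier-side storage.

    SP 800-63B requires a salt of at least 32 bits and an approved one-way
    key derivation function; the 128-bit salt and scrypt cost parameters
    (n=2**14, r=8, p=1, about 16 MiB) are this example's own choices.
    """
    if not salt:
        salt = os.urandom(16)
    digest = hashlib.scrypt(normalize(secret).encode("utf-8"),
                            salt=salt, n=2**14, r=8, p=1, dklen=32)
    return salt, digest


def verify_password(secret: str, salt: bytes, stored: bytes) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    _, digest = hash_password(secret, salt)
    return hmac.compare_digest(digest, stored)


if __name__ == "__main__":
    for candidate in ("Tr0ub4d", "Password", "qwerty1234xyz",
                      "correct horse battery staple"):
        print(f"{candidate!r}: {check_password(candidate, ('carbonx',)) or 'OK'}")
    salt, digest = hash_password("correct horse battery staple")
    print("verify:", verify_password("correct horse battery staple", salt, digest))
```

Two design points worth noting. The checker returns every reason it finds rather than a bare boolean because SP 800-63B asks verifiers to tell the user why a rejected password was rejected, and it deliberately imposes no character-class composition rules or forced rotation, which the guideline advises against. The verifier stores only the salt and the scrypt output, so a database disclosure yields nothing directly usable; a deployment would tune the cost parameters to its hardware and screen against a far larger breach corpus than the inline list.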

8. Security Incident Response

CarbonX maintains a comprehensive and formally documented Security Incident Response Program designed to ensure timely detection, analysis, containment, remediation, and communication of all Security Incidents.
This program aligns with globally recognized frameworks and emphasizes preparedness, regulatory compliance, and continuous improvement.

Key elements include:

  • Security Incident Response Plans — Documented and regularly updated plans define the full incident lifecycle, including preparation, detection, containment, eradication, recovery, and post-incident review. These plans integrate data protection and regulatory reporting requirements to ensure full compliance.

  • Dedicated Cross-Functional Teams — A Security Incident Response Team (SIRT), consisting of specialists from security, engineering, legal, compliance, and communications, manages incidents collaboratively to ensure rapid, coordinated responses.

  • Event Triage and Escalation — Clearly defined processes govern the identification, categorization, and escalation of potential security events, ensuring that threats are quickly validated and prioritized based on impact and severity.

  • Testing and Continuous Improvement — Incident response plans are regularly tested through simulated exercises and tabletop drills. Performance metrics and lessons learned are tracked to continuously improve detection and response capabilities.

  • Annual Reviews and Updates — Company-wide incident response policies are reviewed and updated annually to reflect emerging threats, new technologies, and best practices shared across the organization.

  • Post-Incident Reviews (PIRs) — For all high-severity incidents, a root cause analysis is performed as part of a PIR process, identifying systemic improvements and implementing corrective actions to prevent recurrence.

  • Integration with Business Processes — Incident response procedures are embedded in critical operational and business workflows, minimizing service disruption and security exposure during potential incidents.

  • Customer Reporting Channels — Customers can report security incidents, vulnerabilities, or system defects through established reporting channels. All reports receive prompt investigation and follow-up by the CarbonX Security Team.

  • Customer Notification and Support — In accordance with the CarbonX Data Processing Addendum (DPA), Customers are notified without undue delay in the event of a confirmed Security Incident affecting their data. CarbonX also provides timely assistance and relevant information necessary for compliance with Applicable Data Protection Laws.

9. Maintenance

CarbonX maintains a comprehensive set of formal policies, operational controls, and monitoring practices to ensure the continued effectiveness, reliability, and availability of its Cloud Products and supporting infrastructure.
These measures ensure that systems remain secure, resilient, and performant throughout their lifecycle.

Key elements include:

  • Regular Testing of BCDR Plans — Business Continuity and Disaster Recovery (BCDR) Plans are tested and validated quarterly, ensuring their effectiveness in maintaining service availability during disruptive events. Independent external audits verify adherence to defined recovery objectives and overall operational readiness.

  • Real-Time Availability and Reliability Monitoring — Continuous, real-time monitoring is conducted across multiple geographic regions to ensure high availability and rapid detection of anomalies. Routine infrastructure reliability testing validates uptime commitments and performance consistency across all production environments.

  • Integrated Oversight and Coordination — Maintenance activities are coordinated in alignment with the relevant CarbonX security and compliance programs, including:

    • Section 4 – Assessment, Authorization, and Monitoring,

    • Section 6 – Contingency Planning, and

    • Section 18 – System and Communications Protection.

  Together, these frameworks ensure a holistic approach to ongoing security, system health, and operational resilience.

10. Media Protection

CarbonX has implemented and maintains a comprehensive framework of formal policies, controls, and operational practices to ensure the secure handling, storage, and disposal of all physical and digital media containing Customer Data.
These measures protect the confidentiality, integrity, and availability of information throughout its lifecycle — from creation and processing to transfer and destruction.

Key components include:

  • Trusted Infrastructure Providers — CarbonX leverages secure and reputable third-party cloud service providers (e.g., Microsoft Azure, AWS) as Sub-processors responsible for operating the physical infrastructure used to process and store Customer Data. These providers maintain rigorous security certifications and undergo regular third-party audits.

  • Secure Media Sanitization and Disposal — All equipment and media used by CarbonX’s infrastructure providers are securely sanitized or degaussed before reuse or disposal, following recognized industry standards such as NIST SP 800-88 (media sanitization), the providers’ ISO/IEC 27001-certified controls, and their internal data destruction policies.

  • Encryption of Data at Rest — Full-disk encryption using strong cryptographic standards (e.g., AES-256) is enforced for data drives on servers, databases, and storage systems containing Customer Data. All endpoint devices accessing Customer Data are also required to use encryption.

  • Bring Your Own Device (BYOD) Security — CarbonX enforces a strict BYOD policy, ensuring that access to Customer Data is permitted only from secure, compliant, and managed devices. Access is controlled via VPN, Multi-Factor Authentication (MFA), and other technical safeguards within CarbonX’s Zero Trust Model architecture.

  • Secure Workspace Practices — Employees are required to maintain clean and secure workspaces, ensuring that no confidential information is visible or accessible when unattended, in accordance with CarbonX’s secure workplace guidelines.

11. Physical and Environmental Protection

CarbonX has implemented and maintains a comprehensive framework of formal policies, physical safeguards, and operational controls to ensure the physical and environmental protection of facilities, systems, and infrastructure where Customer Data is processed or stored.
These measures are designed to prevent unauthorized physical access, environmental damage, or service disruption across all CarbonX offices and data center environments.

Key components include:

  • Secure Office Environment — CarbonX provides a safe and secure working environment across all global offices, with access controls and protective measures implemented consistently to safeguard personnel, assets, and Customer Data.

  • Access Control and Monitoring — Employee access to CarbonX offices is managed through electronic badge systems, camera surveillance, and time-based access restrictions, ensuring that only authorized personnel may enter secure areas.

  • Access Logging and Investigations — Office entry and exit activities are recorded and maintained in secure access logs, which are periodically reviewed and available for investigative or forensic purposes when necessary.

  • Data Center Security by Trusted Providers — CarbonX’s cloud infrastructure is hosted by third-party data center providers (e.g., Microsoft Azure, AWS) that maintain multiple compliance certifications (e.g., ISO/IEC 27001, SOC 2, PCI DSS) and employ robust physical security controls, including:

    • Biometric identity verification for access to restricted zones,

    • On-site security personnel, and

    • 24/7 monitoring and incident response coverage.

  • Environmental and Infrastructure Safeguards — Data center providers implement controlled access points, advanced video surveillance, and protection for power and telecommunications cables to prevent tampering or service interruption. Environmental controls, including fire suppression systems, temperature regulation, and redundant power supplies, mitigate risks from natural or technical incidents.

  • Low-Risk Equipment Placement — Critical infrastructure and hardware are located in low-risk environmental zones designed to reduce exposure to flooding, fire, or other physical hazards — both within CarbonX facilities and at third-party data centers.

12. Planning

CarbonX maintains a comprehensive set of formal policies, governance frameworks, and operational practices to ensure the effective planning, coordination, and continuous improvement of its business and security operations.
These measures ensure that strategic decisions, system enhancements, and regulatory obligations are consistently aligned with CarbonX’s commitment to security, compliance, and customer trust.

Key components include:

  • Regulatory Monitoring and Documentation — CarbonX’s Legal and Compliance Teams actively monitor applicable laws, regulations, and industry standards to ensure that business operations, data protection activities, and contractual commitments remain compliant. All obligations are documented and periodically reviewed to address evolving regulatory requirements.

  • System Security Planning — A comprehensive System Security Plan (SSP) defines the security boundaries, technical architecture, and control framework for CarbonX systems and products. The SSP includes detailed documentation of system interconnections, dependencies, and security responsibilities.

  • Change Communication — CarbonX ensures transparent communication with internal teams and customers regarding significant changes to key products, services, or underlying systems. This includes updates related to new security features, infrastructure changes, or modifications that could affect data handling practices.

  • Program Review and Continuous Improvement — The Security Management Program is reviewed and updated periodically to reflect emerging risks, new technologies, and lessons learned from audits, assessments, and security incidents. Updates are approved by senior management to maintain strategic alignment and accountability.

Through these structured planning activities, CarbonX ensures that operational decisions and security initiatives are well-coordinated, risk-informed, and forward-looking, supporting the organization’s long-term resilience and compliance posture.

13. Program Management

CarbonX has implemented and maintains a comprehensive Information Security and Risk Management Program supported at the executive leadership level.
This program provides the governance structure, accountability mechanisms, and continual improvement processes required to maintain the confidentiality, integrity, and availability of Customer Data and CarbonX systems.

Key components include:

  • Executive-Level Governance — The Security Management Program is supported and sponsored by executive leadership, ensuring that all information security and privacy initiatives receive the necessary oversight, visibility, and resources.

  • Documented Information Security Policies — CarbonX maintains formally documented security policies that define:

    • Clearly assigned roles and responsibilities,

    • Risk mitigation and control procedures, and

    • A comprehensive service provider security management program to ensure supplier compliance and oversight.

  • Risk Assessment and Response — Periodic risk assessments are conducted for systems processing Customer Data to identify, analyze, and mitigate emerging threats. Each Security Incident is reviewed promptly, and corrective actions are implemented to prevent recurrence.

  • Formal Security Controls Framework — CarbonX’s control environment aligns with recognized international standards, including SOC 2, ISO/IEC 27001, and NIST SP 800-53, ensuring comprehensive coverage of governance, operational, and technical controls.

  • Risk Identification and Mitigation — Security risks are identified, quantified, and documented within the Enterprise Risk Management (ERM) process. Mitigation plans are developed, approved by the Chief Trust Officer, and tracked through completion.

  • Comprehensive Security Testing — CarbonX employs a diverse testing strategy, including penetration testing, vulnerability assessments, and application security reviews, to proactively evaluate exposure to potential attack vectors.

  • Continuous Program Review — The overall Security Management Program undergoes annual reviews, testing, and updates to maintain alignment with evolving risks, business priorities, and technological advancements.

  • Security Talent Development — CarbonX invests in a continuous training and development program for security staff, supported by a defined organizational structure that clearly delineates reporting lines, roles, and responsibilities.

  • Strategic Oversight and Performance Review — Executive management establishes and reviews strategic operational objectives to ensure alignment between business goals and security outcomes.

  • Enterprise Risk Management (ERM) Review — The Head of Risk and Compliance leads an annual review of the ERM framework, including the risk management policy, enterprise-wide risk assessments, and fraud risk evaluations, ensuring that governance remains robust and up to date.

14. Personnel Security

CarbonX has implemented and maintains a comprehensive framework of formal policies, controls, and practices to ensure the integrity, trustworthiness, and accountability of all personnel who have access to Customer Data.
These measures safeguard against insider threats, promote compliance with internal and regulatory obligations, and foster a culture of security awareness throughout the organization.

Key components include:

  • Pre-Employment Screening — Prior to hiring, CarbonX conducts background verification checks, including criminal record inquiries and employment history verification, in accordance with applicable local laws and regulations. Screening is particularly thorough for executive, financial, and security-sensitive roles.

  • Secure Onboarding Process — All new employees complete an extensive onboarding program that includes:

    • Execution of employment contracts and confidentiality agreements,

    • Formal acknowledgment of corporate policies, codes of conduct, and information security standards, and

    • Introduction to CarbonX’s ethical, privacy, and compliance obligations.

  • Employment Policies and Reviews — Global and local employment policies are maintained, reviewed, and updated annually to ensure ongoing compliance with labor laws and best practices.

  • Access Lifecycle Management — Role changes, transfers, and terminations follow a controlled access management process. Access rights are automatically de-provisioned upon termination, and managerial approval is required before any re-provisioning. Standardized exit checklists ensure a secure and complete offboarding process.

  • Ongoing Security and Compliance Training — All employees receive continuous education in security, privacy, and compliance. Specialized, role-specific training is provided for individuals in technical or elevated-privilege positions, supported by security champions within teams.

  • Security Awareness Initiatives — CarbonX hosts an annual Security Awareness Month featuring workshops, campaigns, and recognition programs that promote best practices and celebrate collective achievements in maintaining organizational security.

  • Disciplinary Measures — Established disciplinary procedures address any violations of CarbonX’s policies or security standards, ensuring consistent accountability across the organization.

15. Personal Data Processing and Transparency

CarbonX maintains a comprehensive framework of formal policies, technical controls, and governance practices to ensure that all personal data processing activities are conducted in full compliance with Applicable Data Protection Laws and in accordance with the principles of lawfulness, fairness, transparency, and accountability.

Key components include:

  • Global Privacy Compliance Program — CarbonX operates a global privacy compliance program that continuously monitors and adapts to evolving data protection laws and regulations worldwide. This program establishes safeguards, controls, and governance processes to ensure ongoing compliance.

  • Internal Data Processing Policy — A formal Personal Data Processing Policy defines clear categories of personal data, processing purposes, and applicable processing principles. This policy applies across all CarbonX entities, products, and services.

  • Detailed Processing Standards — Comprehensive internal standards govern the processing of different categories of personal data, addressing key areas such as:

    • Lawful processing principles and applicable legal bases,

    • Data minimization, accuracy, and purpose limitation,

    • Retention and destruction schedules, and

    • Security and confidentiality of processing.

  • Pseudonymisation and Data Minimization — CarbonX maintains established methodologies for creating pseudonymised data sets using industry-standard practices. Technical and organizational measures govern the systems capable of remapping pseudonymous identifiers, ensuring strong protection against re-identification.

  • Transparency and Privacy Communication — CarbonX provides clear and transparent privacy policies for users, customers, and partners, outlining how personal data is collected, used, shared, and retained. Internal privacy guidelines ensure consistent employee awareness and adherence.

  • Comprehensive Compliance Documentation — CarbonX maintains detailed compliance records, including but not limited to:

    • Records of Processing Activities (RoPA),

    • Privacy Impact Assessments (PIAs),

    • Transfer Impact Assessments (TIAs),

    • User consents and preference management, and

    • Data Processing Agreements (DPAs) with customers, partners, and vendors.

  • Privacy by Design and Secure Development — CarbonX integrates data protection and privacy-by-design principles throughout the software development lifecycle, ensuring that security and compliance are embedded from the earliest design stages.

  • Respect for Data Subject Rights — CarbonX upholds and facilitates the exercise of individuals’ rights under applicable data protection laws, including the rights to access, correct, delete, restrict, and port their personal data, as well as to object to processing where permitted.
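
The pseudonymisation pattern described above (a pseudonymous identifier that only a separately controlled remapping capability can resolve) is easy to get wrong in practice: an unkeyed hash of an e-mail address or phone number is reversible by hashing a list of guesses, because those identifiers have very little entropy. The following is an added illustration, not CarbonX's own tooling, of the keyed approach and the separation between the released data set and the remapping component. The record layout, the field names, the HMAC-SHA256 choice, the in-memory remapping service and the sample records are all assumptions made for the demonstration.

```python
"""Keyed pseudonymisation with a separated remapping capability.

Added example, not CarbonX's own code. Illustrates pseudonymous
identifiers that only a key-holding component can map back to the
original. Key handling, field names and records are assumptions.
"""
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple

# Direct identifiers that must never appear in the pseudonymised data set.
DIRECT_IDENTIFIERS = ("email", "full_name", "phone")


def pseudonym_for(identifier: str, key: bytes) -> str:
    """Derive a stable pseudonym with HMAC-SHA256.

    A keyed MAC rather than a bare hash: without the key the pseudonym
    cannot be confirmed by hashing candidate e-mail addresses, while with
    the key the same (normalised) input always yields the same pseudonym,
    so records belonging to one person stay linkable inside the data set.
    """
    norm = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, norm, hashlib.sha256).hexdigest()


def pseudonymise(record: dict, key: bytes) -> dict:
    """Replace the e-mail with a pseudonym and drop all other direct identifiers."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    out["subject_id"] = pseudonym_for(record["email"], key)
    return out


class RemappingService:
    """The only component that holds the key and the pseudonym lookup table.

    Re-identification is possible only here; every remapping request is
    recorded so that access to the capability is auditable.
    """

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._table: Dict[str, str] = {}
        self.audit_log: List[str] = []

    def register(self, identifier: str) -> str:
        p = pseudonym_for(identifier, self._key)
        self._table.setdefault(p, identifier)   # keep the first spelling seen
        return p

    def remap(self, pseudonym: str, requester: str) -> Optional[str]:
        self.audit_log.append(f"{requester} remapped {pseudonym[:12]}")
        return self._table.get(pseudonym)


# Constructed sample records for the demonstration, not real data.
SAMPLE_RECORDS = [
    {"email": "Ada@Example.org", "full_name": "Ada L.", "phone": "+1-555-0100",
     "country": "GB", "credits_retired": 120},
    {"email": "ada@example.org", "full_name": "Ada L.", "phone": "+1-555-0100",
     "country": "GB", "credits_retired": 30},
    {"email": "bob@example.org", "full_name": "Bob M.", "phone": "+1-555-0101",
     "country": "DE", "credits_retired": 75},
]


def build_dataset(records: List[dict], key: bytes) -> Tuple[List[dict], RemappingService]:
    """Return (pseudonymised records, remapping service) for a data release."""
    svc = RemappingService(key)
    for r in records:
        svc.register(r["email"])
    return [pseudonymise(r, key) for r in records], svc


if __name__ == "__main__":
    # In production the key lives in a KMS/HSM reachable only by the
    # remapping service; it is generated here purely for the demonstration.
    key = secrets.token_bytes(32)
    data, svc = build_dataset(SAMPLE_RECORDS, key)
    for row in data:
        print(row)
    print(svc.remap(data[0]["subject_id"], requester="dsar-handler"))
    print(svc.audit_log)
```

The released rows carry only `subject_id`, `country` and `credits_retired`; the two records for the same person (differing only in letter case) collapse onto one pseudonym, which is what keeps the data set useful for analysis. Re-identification requires both the key and the remapping table, so the access controls and audit trail around `RemappingService` are the measure that actually protects against re-identification, not the MAC by itself.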

16. Risk Assessment

CarbonX has established and maintains a comprehensive Information Security Management System (ISMS) supported by a formal Risk Management Program designed to identify, assess, and mitigate security and operational risks that could impact the confidentiality, integrity, and availability of Customer Data and CarbonX systems.

This structured approach enables informed decision-making, proactive risk reduction, and continuous improvement across the organization.

Key components include:

  • Comprehensive Risk Management Program — A formal, enterprise-wide risk management framework governs the identification, analysis, evaluation, and mitigation of risks related to security, compliance, operations, and technology. Risk assessments are performed regularly and whenever significant system or environmental changes occur.

  • Policy Alignment with Global Standards — CarbonX’s policies and control framework are aligned with ISO/IEC 27001, NIST 800-53, and other relevant international standards to ensure comprehensive and consistent risk mitigation across business units and systems.

  • Continuous Security Testing — Ongoing testing and monitoring activities are conducted to proactively detect and address vulnerabilities, including:

    • Penetration testing of applications and infrastructure,

    • Bug bounty programs to engage ethical researchers in identifying security gaps, and

    • Threat modeling and proactive threat mitigation measures to stay ahead of emerging risks.

  • Vulnerability Management and Reporting — Defined processes and measurable metrics govern vulnerability tracking and remediation, ensuring timely risk prioritization and transparent reporting to senior management and key stakeholders.

  • Independent and Internal Security Evaluations — CarbonX conducts regular internal assessments and independent external audits to evaluate the effectiveness of security controls, validate compliance with applicable frameworks, and verify that corrective actions are completed promptly.

17. System and Services Acquisition

CarbonX has implemented and maintains a structured, security-centric methodology for the development, maintenance, and change management of all systems, applications, and infrastructure.
This framework ensures that all technology acquisitions and software changes are conducted in a secure, controlled, and auditable manner throughout their lifecycle.

Key components include:

  • Secure Software Development Lifecycle (SDLC) — CarbonX follows an agile and secure SDLC that promotes adaptability, efficiency, and security by design. All system and infrastructure changes are thoroughly reviewed, documented, and tested prior to release.

  • Automated and Standardized Deployment — Application deployment and configuration management are executed through secure, automated pipelines that enforce standardized configurations, reduce human error, and maintain audit traceability for every system change.

  • Code Review and Testing Requirements — A formal development process mandates peer-reviewed pull requests, automated code analysis, and unit and integration testing before any code is merged into production. This ensures code quality, security, and functional integrity.

  • Segregation of Duties — Clear segregation of responsibilities exists among developers, reviewers, and release managers to maintain independence and reduce the risk of unauthorized or unverified changes.

  • Emergency Change Procedures — Documented “break glass” procedures allow for emergency modifications during critical incidents. Such changes are logged, reviewed, and validated post-implementation to ensure compliance and traceability.

  • Source Code and Deployment Security — Robust security and compliance controls are embedded within CarbonX’s source code management systems (e.g., Bitbucket Cloud), including strict permission settings and automated mechanisms preventing unauthorized modifications.

  • Change Documentation and Monitoring — All configuration and code changes are documented and continuously monitored. Automated alerts are generated for deviations from compliance baselines or peer-review enforcement policies.

  • Vendor and Third-Party Software Controls — Any modifications to vendor-provided software are strictly controlled and logged. Third-party and open-source libraries undergo regular scanning and updates, supported by continuous codebase scanning for vulnerabilities and license compliance.

18. System and Communications Protection

CarbonX has implemented and maintains a comprehensive framework of formal policies, technical controls, and operational practices to ensure the security of systems, communications, and Customer Data throughout its lifecycle.
These measures protect data confidentiality, integrity, and availability across networks, devices, and hosted environments.

Key components include:

  • Cryptographic Safeguards — Strong cryptographic mechanisms are employed to protect sensitive information both in storage and during transmission across internal and external networks, including the public internet. All encryption technologies used adhere to current industry standards and recognized security best practices.

  • Encryption of Data at Rest and in Transit — Customer Data is encrypted at rest and in transit. Data in transit is protected with TLS 1.2 or higher using cipher suites that provide Perfect Forward Secrecy (PFS), so that a later compromise of a server's long-term key does not expose previously recorded sessions. These protocols protect data integrity and confidentiality during transmission over public and private networks.

  • Network Segmentation and Environment Separation — CarbonX enforces zone restrictions and strict separation between production and non-production environments, ensuring that development, testing, and operational systems are securely isolated and independently managed.

  • Workstation and Asset Management — Workstation assets are continuously managed and secured through an enterprise-grade asset management platform, enforcing:

    • Timely security patch deployment,

    • Mandatory password protection and screen locks, and

    • Full-disk encryption on all storage devices.

  • Device Compliance and Zero Trust Access — Access to internal systems is restricted to known, compliant devices that are enrolled in CarbonX’s Mobile Device Management (MDM) solution. This enforces posture verification, encryption compliance, and access control consistent with CarbonX’s Zero Trust Architecture.

  • Firewall and Perimeter Security — Firewalls are maintained at corporate and platform edges to filter inbound and outbound traffic, protecting both hosted and non-hosted devices through layered network defense mechanisms.

  • Network and Host Defense — CarbonX employs multiple layers of protection, including operating system hardening, network segmentation, intrusion prevention and detection systems (IDS/IPS), and Data Loss Prevention (DLP) technologies to detect and mitigate malicious activities.

  • Logical Data Segregation — Customer Data is logically segregated within CarbonX’s cloud infrastructure to prevent unauthorized access or cross-tenant data exposure, ensuring each customer’s environment remains isolated and secure.
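
As an added example (not CarbonX's configuration), the following shows how the "TLS 1.2 or higher with Perfect Forward Secrecy" requirement from the encryption bullet above is expressed in Python's ssl module and, more usefully, how to audit a context to confirm that every enabled cipher suite really uses ephemeral (EC)DH key exchange. The cipher strings are assumptions; the weak variant is included only to show what the audit catches.

```python
"""Enforce TLS 1.2+ with forward secrecy and audit the resulting cipher list.

Added example, not CarbonX's own configuration. Shows the requirement
"TLS 1.2 or higher with PFS" as an ssl.SSLContext and a check that
verifies it instead of assuming it. The cipher strings are assumptions.
"""
import ssl

# OpenSSL cipher string admitting only (EC)DHE key exchange with AEAD ciphers.
# TLS 1.3 suites are configured separately by OpenSSL and are always (EC)DHE-based.
PFS_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!MD5"

# Key-exchange identifiers reported by SSLContext.get_ciphers() that provide
# forward secrecy: a fresh (EC)DH agreement per connection, so a later
# compromise of the server's long-term key does not decrypt recorded traffic.
_PFS_KEA = {"kx-ecdhe", "kx-dhe"}


def has_forward_secrecy(cipher: dict) -> bool:
    """Classify one entry of the list returned by SSLContext.get_ciphers()."""
    if cipher.get("protocol") == "TLSv1.3":
        return True            # TLS 1.3 removed static RSA and static DH key exchange
    return cipher.get("kea") in _PFS_KEA


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return the names of enabled cipher suites that lack forward secrecy."""
    return [c["name"] for c in ctx.get_ciphers() if not has_forward_secrecy(c)]


def build_pfs_context(purpose=ssl.Purpose.SERVER_AUTH) -> ssl.SSLContext:
    """Context meeting the policy: TLS 1.2 minimum, PFS-only cipher list."""
    ctx = ssl.create_default_context(purpose)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refuses SSLv3, TLS 1.0 and TLS 1.1
    ctx.set_ciphers(PFS_CIPHERS)
    return ctx


def build_weak_context() -> ssl.SSLContext:
    """Contrast: a context that also accepts static-RSA key exchange.

    AES128-GCM-SHA256 and AES256-GCM-SHA384 (OpenSSL names) are TLS 1.2
    suites in which the pre-master secret is encrypted to the server's RSA
    key, so recorded sessions become readable if that key ever leaks.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:AES128-GCM-SHA256:AES256-GCM-SHA384")
    return ctx


if __name__ == "__main__":
    for label, ctx in (("pfs", build_pfs_context()), ("weak", build_weak_context())):
        print(label, "minimum:", ctx.minimum_version.name,
              "non-PFS suites:", audit_context(ctx) or "none")
```

The same audit applies to a server-side context built with `ssl.Purpose.CLIENT_AUTH`. Checking the context rather than the cipher string is what catches a configuration that silently readmits static-RSA suites, which `set_ciphers` will accept without complaint as long as at least one suite in the string is available.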

19. System and Information Integrity

CarbonX has implemented and maintains a comprehensive set of formally established policies, controls, and operational safeguards to ensure the integrity, reliability, and security of systems and information.
These measures enable the timely identification and remediation of vulnerabilities, protect against unauthorized modification or corruption of data, and maintain continuous system trustworthiness.

Key components include:

  • Vulnerability Management and Remediation — Continuous vulnerability scanning is performed across systems, infrastructure, and applications to promptly identify and remediate security weaknesses. Detected vulnerabilities are triaged and addressed based on risk severity in accordance with CarbonX’s Vulnerability Management Policy.

  • Secure Data Disposal — CarbonX adheres to stringent data disposal and sanitization protocols aligned with applicable laws and standards (e.g., NIST SP 800-88, ISO/IEC 27001). Data on storage media is rendered irrecoverable post-sanitization, ensuring secure disposal of obsolete or decommissioned assets.

  • Data Integrity and Environment Segregation — Strict policies prohibit the use of production data in non-production environments. Logical segregation and sanitization procedures protect the integrity and confidentiality of Customer Data throughout development and testing processes.

  • Centralized Logging and Monitoring — System logs are centrally managed in read-only mode, ensuring auditability and protection from tampering. Logs are continuously monitored for indicators of Security Incidents, and retention periods are defined in alignment with security and compliance best practices.

  • Endpoint Security and Compatibility — Endpoint devices are continuously monitored and maintained to ensure compatibility with enterprise systems and applications, reducing operational risk and enhancing network security.

  • Anti-Malware and Threat Detection — Comprehensive anti-malware solutions are deployed across relevant infrastructure and CarbonX-managed devices. These solutions are continuously updated to detect and neutralize malware threats. Regular reviews of malware protection policies ensure their ongoing effectiveness and relevance.

  • Logical Access and Token-Based Controls — Access to Customer Data is secured through unique user identifiers and token-based authentication mechanisms, ensuring logical isolation and enforcing least-privilege principles.

20. Supply Chain Risk Management

CarbonX has implemented and maintains a comprehensive set of formally established policies, procedures, and governance practices to manage risks arising from its supply chain and third-party relationships.
These measures ensure that all suppliers, partners, and service providers meet CarbonX’s high standards for security, confidentiality, availability, and compliance throughout the supplier lifecycle.

Key components include:

  • Formal Supplier Management Framework — CarbonX maintains a structured vendor management framework that governs the onboarding, assessment, and continuous oversight of third parties. The framework ensures alignment between supplier practices and CarbonX’s security, availability, and confidentiality standards.

  • Third-Party Risk Management (TPRM) Program — A robust TPRM process is in place, encompassing risk assessments, due diligence, contract management, and ongoing monitoring. Each third party is evaluated based on the criticality of services provided and the sensitivity of data handled.

  • Cross-Functional Oversight — Dedicated teams from Legal, Procurement, Security, and Risk Management collaborate in the review of supplier contracts, Service Level Agreements (SLAs), and security measures to identify and mitigate risks related to data protection, confidentiality, and regulatory compliance.

  • Supplier Risk Assessments — Functional and security risk assessments are conducted prior to onboarding and periodically thereafter based on supplier risk levels. Assessments are updated during policy renewals or whenever significant changes occur in the supplier relationship or service scope.

  • Supplier Inventory and Classification — A centralized supplier inventory is maintained, detailing ownership, services provided, data access levels, and corresponding risk ratings. This inventory enables traceability, accountability, and prioritized oversight.

  • Audit and Compliance Reviews — CarbonX conducts an annual review of supplier audit reports (e.g., SOC 2 Type II, ISO 27001 certifications) and performs regular governance reviews to confirm that third-party controls remain effective and compliant with industry standards.

  • Endpoint and Access Security Controls — Measures are enforced to secure third-party devices and endpoints connecting to CarbonX systems. Compliance monitoring, conditional access policies, and selective restrictions are applied in accordance with CarbonX’s Mobile and BYOD Policy.

Through these comprehensive supply chain governance practices, CarbonX ensures that all external partners uphold the organization’s security, privacy, and compliance expectations, maintaining end-to-end trust and resilience across its global operations.