CarbonEmit is a cloud platform that holds enterprise customers' sustainability data in trust. We operate an **ISO/IEC 27001:2022** certified information-security management system; our data-processing operations comply with **KVKK** and **GDPR**. This page provides a summary of CarbonEmit's security posture — supplementary documents and audit reports are shared on request.

CarbonEmit holds certifications independently audited by accredited third-party bodies.

CarbonEmit stores customer data in EU-region data centres (Microsoft Azure — EU West Netherlands and EU North Ireland). Türkiye-resident user data is processed under **KVKK Article 9** (cross-border transfer) with the required explicit consent and data-transfer commitments. For EU data-controller customers, all data stays within EU borders.

Customer data is encrypted both in transit and at rest.

We operate on the principle of least privilege.

• Mandatory multi-factor authentication (MFA) for all administrative access
• Role-based access control (RBAC) — separate privilege levels for engineering, ops and support
• Engineer access to production data only during incident response, with audit logging
• Customer SSO (SAML 2.0 / OIDC) available on Professional and Enterprise plans
• All authentication events logged for at least 1 year

On detection of a data breach or security incident, we notify affected customers within **24 hours** and the relevant authorities (KVKK Personal Data Protection Authority for Türkiye, the relevant EU authority for GDPR) within **72 hours**. Our incident response team is on-call 24/7.

If you have discovered a security vulnerability in a CarbonEmit product or our infrastructure, please contact us via the channel below. We acknowledge reports within 1 business day, remediate within 90 days and, with your consent, recognise you on our researcher hall of fame.

Up-to-date list of third-party service providers CarbonEmit uses to deliver service. When a new sub-processor is added we notify Enterprise plan customers **30 days** in advance.

Customers can formalise their data-processing relationship with CarbonEmit through Standard Contractual Clauses (SCC) and a KVKK Data Processing Agreement template. Without a signed DPA the customer panel is **not available** — a DPA template is shared on request prior to contract signature.

From your customer panel or via written request you may exercise the following rights:

• Access and download of your data (data portability — JSON / CSV)
• Correction, deletion and right to be forgotten
• Objection or restriction of processing
• Object to automated decision-making
• Right to complaint — KVKK Personal Data Protection Authority for Türkiye, the relevant EU authority for GDPR

• Annual ISO/IEC 27001:2022 external audit (accredited certification body)
• Quarterly internal security audits and management review
• Independent penetration testing at least annually (web + API + cloud infrastructure)
• Continuous vulnerability scanning and patching procedure for production environment
• Employee training: at onboarding + annual refresh; quarterly phishing simulation

• Recovery Time Objective (RTO): 4 hours
• Recovery Point Objective (RPO): 1 hour (PITR with minute-level backup)
• Geographically distributed backup (2 EU regions)
• Annual business continuity drill + management report on outcomes

CarbonEmit does **not** use customer data under any circumstances to train our own AI models. The in-platform AI assistant (e.g. emission category recommendation engine) operates within the customer's session boundary, and any inputs shared with third-party LLM providers are **anonymised and aggregated**.