The importance of securing corporate carbon data and climate strategy.
Traace is a SaaS platform enabling companies to measure their carbon footprint and implement action plans to reduce it. While a growing number of companies, whether under regulatory pressure or not, tend to share their CSR initiatives and the overall results of their carbon footprint, the fact remains that carbon footprint measurement is generally based on operational data that can be highly sensitive: purchases, energy expenditure, employee travel, industrial processes, etc.
This is all the more true when we carry out a carbon footprint according to the most rigorous carbon methodology standards, as is the case at Traace, since these standards require us to go into precise detail about a company's value chain: production methods, suppliers and service providers, investments, logistics, etc.
Since drawing up a Bilan Carbone is only the prerequisite for taking action to reduce emissions, Traace customers also use the platform to manage their reduction trajectories and, above all, the associated decarbonization action plans. Traace's ability to accurately model both the carbon impact and the financial impact of reduction actions requires the processing of strategic and therefore critical business data for our customers.
So it's natural for Traace customers to want to be sure that the data they entrust to us is properly secured.
Traace complies with SOC 2 security standards.
Since the creation of Traace, we have applied a number of key principles to the design of our ESG software, to ensure the implementation of a safe and reliable system. But more than the product itself, it's the company's entire organization that must be aligned to ensure that our product meets a high level of security and operational quality.
While there are now regulations to comply with, such as the GDPR (with which Traace of course complies), which frames the processing of personal data and guarantees its proper management, it nevertheless remains essential for our customers that their suppliers' proper application of the best security principles be recognized by an independent body.
Standards have thus been developed to audit and evaluate companies like Traace on their ability to comply with best practices in terms of security. Some of these standards are sector-specific, such as PCI-DSS for companies handling payments, while others are more general.
In November 2022, Traace began by carrying out a SOC 2 Type 1 audit to certify the ability of the organization and its product to meet the most stringent security requirements.
In June 2023, we carried out another, more ambitious audit: SOC 2 Type 2. The difference between Type 2 and Type 1 is that, this time, compliance with our security commitments and procedures was tested over several months, rather than at a given point in time. This is an even greater guarantee of security. And in our case, no failure to comply with our procedures was identified.

Generally speaking, a SOC 2 audit can assess criteria grouped into five main categories:
- Security: The technical infrastructure must be protected from the risks it may face.
- Availability: The technical infrastructure must remain available so that our tool remains accessible to customers.
- Processing integrity: The information provided by the system must be reliable at all times.
- Confidentiality: Information must only be available to authorized personnel.
- Personal data: Personal data must be managed and stored appropriately.
As part of our audit, we focused on security.
How is data processed in Traace?
What does this mean in practice for Traace customer data?
Here are a few examples:
- Our customers' data is encrypted at rest and in transit, i.e. as it travels from one computer to another.
- We have strict rules for managing access to our internal tools.
- Our workstations are regularly updated, protected by antivirus, antimalware and firewall solutions, and our disks are encrypted.
- We carry out regular penetration tests and vulnerability scans on our technical infrastructure.
- All Traace employees are made aware of security issues, and phishing simulation campaigns are carried out on a regular basis.
- We have procedures in place to manage any incidents that may occur, and we test them regularly.
- We have a strict policy for managing our subcontractors.
These are just a few examples, but it's clear that setting up a secure and reliable platform takes time and investment on the part of everyone at Traace.
Nevertheless, this remains essential if we are to retain the trust of our customers, meet the expectations of key accounts by default, and be able to support all our customers in their climate strategies in the most precise and ambitious way possible.
Detailed results of Traace's SOC 2 Type 2 audit are available on request by email to: contact@traace.co.