ISO 27001 is the highest international standard of information security. An organisation is awarded certification for establishing, implementing, maintaining and continually improving an information security management system that makes the information assets of the organisation more secure.
Following an extensive audit process, we are proud to confirm that we meet the highest standards for security, reliability, quality and trust. This certification also proves our commitment to continuously improving our information security position.
Please contact our Security Team for a copy of KaarbonTech’s ISO27001:2013 certificate.
Our customer data is hosted by Hetzner and Amazon Web Services (AWS), both of which are certified to ISO 27001 and SOC 2 Type 2. Both hosting companies maintain an extensive list of reports, certifications and third-party assessments to ensure ongoing state-of-the-art data centre security.
Areas audited during certification include data control, physical security, environmental controls, fire suppression, UPS and generator backup, physical access control, human resources and personnel controls.
All of our customer data is stored within the UK or Europe.
All our web application communications are encrypted in transit using TLS 1.2 or above. This is the same level of encryption used by banks and financial institutions.
We actively monitor ongoing security, performance and availability. Automated security testing is undertaken at scheduled intervals.
We adopt industry best practices throughout our software development cycle, from design to implementation, testing and deployment. All code changes are subject to peer review and are made in a dedicated version-controlled repository. We follow the Open Web Application Security Project (OWASP) testing methodology for all security testing efforts.
Our infrastructure is hosted in fully redundant, secured environments. Production servers are twinned with a standby server hosted in a different physical location.
Real-time monitoring is in place on each production server, with issues raised through our alerting pipeline. All data is synchronised to standby servers continually throughout the day, and failover tests are undertaken regularly.
All customer instances and the data in them are logically separated to prevent data contamination. We maintain separate production, testing and development environments which are all backed up and maintained in multiple sites for business continuity.
The information security team maintains a risk management and treatment process, with regular reviews of potential threats. This is supported by a vulnerability management model for dealing with identified vulnerabilities.
The risk assessment and treatment process incorporates: identification of relevant potential threats; a process for assessing and evaluating current risks; and a process to determine the response to identified risks.