Climate Zero Data Security & Privacy Policy

Identity and authentication controls

We use an industry-standard approach to handle user authentication to prevent personal data being accessed by unauthorised individuals. This includes secure password handling through hashing and salting. All user passwords are encrypted and no employees are able to access this information. We never provide temporary employee generated passwords. Only users can create and manage their own password. For user authentication, we utilise Firebase Authentication so all authentication data, including login credentials and tokens, are securely stored in data centres located in the United States. These facilities are equipped with state-of-the-art security measures. All other user data, such as personal information and usage data, are stored on secure servers located in Australia. These servers are protected with both physical and electronic safeguards to prevent unauthorised access.

Encryption and data storage

We understand the sensitivity of the data we handle. We use industry-standard encryption methods to safeguard your information at rest and in transit. 
Encryption In Transit:

• All data transmitted between our clients and our servers is secured using Transport Layer Security (TLS) 1.2 or higher. This protocol ensures that data is encrypted during its journey over the internet, protecting it from interception or tampering.
• Firebase Authentication employs secure token-based mechanisms. This ensures that user credentials are handled and transmitted securely, without exposure.

Encryption At Rest:

• All personal data stored in our systems, including databases and backups, is encrypted using Advanced Encryption Standard (AES-256). We do not store customer data on personal devices or devices used by company employees.
• All personal data is stored in a Google Cloud Provider through services such as Firebase Authentication and CloudSQL, all adhering to strict security standards and compliance certifications, namely SOC-1, SOC-2, SOC-3, and ISO 27001.

Access controls

Access to customer data is limited to authorised personnel who require it for providing our carbon accounting services. Access to our systems is strictly based on predefined user roles (Role Based Access Controls). Each role is assigned specific access rights and privileges, depending on the individual’s job function and data access requirements. We provide the option of external access roles for third parties, such as consultants or auditors, who require access to the software. We adhere to the principle of least privilege, meaning users are granted only the access necessary to perform their job duties. This minimises the risk of unauthorised access, modification or disclosure of sensitive data.

Secure servers

Your data is stored on servers located in Sydney, Australia. These servers are protected with both physical and electronic safeguards to prevent unauthorised access. The servers are hosted by Google Cloud adhering to strict security standards and certifications namely SOC-2, SOC-3, and ISO 27001. The application is run on servers provisioned by Vercel, which maintains strict security standards and holds ISO 27001, SOC-2, HIPAA, GDPR and DPF certifications.

Data minimisation

We only collect and retain the data necessary for conducting carbon footprint analysis and providing our services. For example, when collecting company information, we only request location, address, and utility meter IDs that are essential for carbon footprint calculations. Similarly, financial accounting data is processed only to the extent necessary for emissions analysis. We do not store personal data beyond the required retention period, as outlined in our Data retention policy.

Data backup

Customer data is automatically backed up on a daily basis and backups are retained for 30 days before being destroyed automatically. In addition to the daily backups, we are also backed by a Point in Time data restoration service, covering the seven most recent days.

Cyber incident response plan

We have a Cyber incident response plan (CIRP) which provides a checklist of steps required when responding to a security incident. All potential cyber security incidents are required to be reported immediately and then investigated using different data sources and event logs to determine if there has been a breach.

Third-party vendors

In cases where we engage third-party vendors (including Firebase & Google Cloud) to support our services, we conduct due diligence to ensure their security practices align with our high standards.

User responsibility

As a user of our platform, you are responsible for maintaining the security of your account credentials. Please ensure that you keep your login information confidential and refrain from sharing it with unauthorised individuals.

Auditing

We work with a third party cyber security company to perform penetration testing on our software. We regularly audit and update all third party packages ensuring we are protected from latest updates.

Data destruction

When you store data on Climate Zero, you retain full ownership of that data. We believe that your information is yours, and we have policies in place to ensure that you can access, manage, and export your data at any time. We do not store personal data beyond the required retention period. If you cancel your agreement or switch providers your data can easily be exported from Climate Zero in a reusable format. Following a contractual termination, we will delete, and ensure that all of our applicable third party providers delete, all copies of your customer data.