Overview
CarbonHound is committed to protecting the security and privacy of your data. We implement industry-leading security practices to ensure your information is safe.
SOC 2 Type II Compliance
CarbonHound has achieved SOC 2 Type II compliance, which verifies our security controls and processes through independent audit. This certification demonstrates our commitment to maintaining the highest standards of data security, availability, and confidentiality.
Infrastructure
CarbonHound is built on Google Cloud Platform (GCP), which provides a robust and secure foundation for our services. Our infrastructure benefits from Google's world-class security, including physical security, network security, and data encryption.
Data Protection
Encryption at Rest – All data stored in CarbonHound is encrypted at rest using industry-standard encryption algorithms
Encryption in Transit – All data transmitted between your browser and CarbonHound servers is encrypted using TLS (Transport Layer Security)
Access Controls – Strict role-based access controls ensure that only authorized personnel can access sensitive data
Regular Backups – Your data is regularly backed up to prevent data loss
Authentication
CarbonHound uses Clerk for authentication, providing secure and reliable user identity management. Features include:
Multi-factor authentication (MFA) support
Single sign-on (SSO) capabilities
Secure session management
Password policies and enforcement
Monitoring & Incident Response
Our team continuously monitors our systems for potential security threats. We have established incident response procedures to quickly address any security issues that may arise. Regular security assessments and penetration testing help us identify and remediate vulnerabilities.
Employee Commute Data Privacy
When employees submit commute data through CarbonHound, we take special care to protect their privacy:
Personal commute data is only used for calculating organizational emissions
Individual employee data is not shared with employers in an identifiable format
Aggregated and anonymized data is used for reporting purposes
CarbonHound Connect
CarbonHound Connect integrations follow the same strict security protocols. All third-party integrations are reviewed for security compliance, and data transfers are encrypted end-to-end.
Right to Be Forgotten
CarbonHound supports data deletion requests in compliance with privacy regulations. Users can request the removal of their personal data, and we will process these requests in accordance with applicable laws and regulations.
Information Security Policies
CarbonHound maintains comprehensive information security policies covering:
Data classification and handling
Acceptable use policies
Incident response procedures
Business continuity and disaster recovery
Vendor management and third-party risk assessment
For questions about our security practices or to report a security concern, please contact our team through the CarbonHound platform.
Additional Details
Database
Cloud SQL (Postgres) hosted in GCP
Only accessible externally through verified proxy connection
The entire system is encoded and backed up daily
Users will receive an OTP (one-time password) after entering their email. Sessions last 7 days, after which they will be logged out.
Data Upload and File Management
Data uploads (and private file downloads) use signed URLs to place your import files in our private GCP storage bucket, in a folder generated specifically for your company and that upload
Signed URLs are temporary, restricted-access links (e.g. read vs. write access) to a private resource that requires passing a specialized authentication check (see Permissioning)
Inter-Service Communications
All GCP services are hosted in a shared private network (i.e. they can talk to each other, but outsiders cannot talk to them)
GCP services also regularly use Pub/Sub (messaging/queuing) for intercommunications, with the same shared private network stipulations as mentioned above
The only publicly accessible GCP service that handles private data is the web app itself (required to be able to use the app) - however all processing is done via the server, and information in transit is encrypted
Service Hosting
All services are hosted in GCP through Cloud Run in a private network
Secrets Management
Secrets (e.g. private API keys) are hosted in GCP Secret Manager and rotated bi-yearly
This means sensitive information required to run the app, which could be stolen to access the app inappropriately or to access third-party providers associated with our app, is not exposed in any of our services
Logging
We monitor and log user behaviour in the app, service-level errors, traffic, incidents, and Carbonhound employee in-app actions in our GCP hosting service and 1Password service
Threat detection and mitigation
The system is consistently monitored for threats, breaches, and vulnerabilities. Vulnerabilities are promptly patched upon discovery, in accordance with CH InfoSec Policy
The system employs DDoS, malware, and breach protection on all endpoints
Permissioning
Every authenticated endpoint in the app goes through a permissions check based on your currently authenticated user, their role, and to which company they belong
This means you can’t access information for a company you don’t belong to, and can’t access information at all without being logged in
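The signed-URL and permissioning descriptions above fit together: the permission check runs first, and only then is a link minted that is bound to one method, one object and one expiry. The following is an added example, not CarbonHound's code; it uses a simplified HMAC signature rather than Google Cloud Storage's own signing scheme, and the key, role names, host and path layout are assumptions.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlparse

SIGNING_KEY = b"constructed-demo-key"  # constructed; a real key would come from a secrets manager
ROLE_METHODS = {"admin": {"GET", "PUT"}, "viewer": {"GET"}}  # hypothetical roles

def _sig(method, path, expires):
    # The signature covers method, path and expiry, so none can be changed afterwards.
    msg = f"{method}\n{path}\n{expires}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()

def issue_signed_url(user, company_id, upload_id, filename, method, ttl=300, now=None):
    """Check company membership and role, then mint a short-lived, single-object link."""
    if user["company_id"] != company_id:
        raise PermissionError("user does not belong to this company")
    if method not in ROLE_METHODS.get(user["role"], set()):
        raise PermissionError("role does not allow this method")
    if "/" in filename or filename in ("", ".", ".."):
        raise ValueError("filename must be a single path component")
    now = int(time.time()) if now is None else now
    path = f"/{company_id}/{upload_id}/{filename}"  # per-company, per-upload folder
    expires = now + ttl
    query = urlencode({"expires": expires, "sig": _sig(method, path, expires)})
    return f"https://storage.example.invalid{path}?{query}"

def verify_signed_url(url, method, now=None):
    """Storage-side check: reject expired links and any method or path mismatch."""
    now = int(time.time()) if now is None else now
    parsed = urlparse(url)
    query = parse_qs(parsed.query)
    try:
        expires = int(query["expires"][0])
        sig = query["sig"][0]
    except (KeyError, ValueError):
        return False
    if now > expires:
        return False
    expected = _sig(method, parsed.path, expires)
    return hmac.compare_digest(sig.encode(), expected.encode())
```

A link issued for `PUT` fails verification when replayed as `GET`, after its expiry, or with the company folder in the path swapped for another tenant's.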
Access Management
Only necessary Carbonhound employees have access to GCP services on a need-to-have basis, and only to services that they genuinely need access to
Encoding
All IDs present in the app client (the web app you interact with and see) are encoded
Encryption
At-Rest: all data stored in GCP (files, database, instances) is encrypted at rest using industry-standard encryption algorithms
In-Flight/In-Transit: we employ encryption protocols for all data in transit, over secure channels using encryption mechanisms such as SSL/TLS
Analytics, AI, & Anonymization
Analytics contain no personalized information - only encoded IDs are used to define the events
Fully anonymized data past an obscurity threshold (i.e. not identifiable) may be used for training purposes
Best practice session & auth management
We use Clerk as our authentication provider, which in turn uses JWT access tokens with a 1 week expiry period
This token is encoded and does not contain sensitive information on decoding
State data does not persist cross-site
We are password-less - authentication is performed via a combination of OTP codes and magic links
Internal Policies, Company Wide
Sensitive information (e.g. login credentials) must all be stored using 1Password. Similarly, sharing sensitive information must be done via 1Password sharing, never by a vulnerable medium such as Slack or e-mail
Utilized GCP Services & Related Documentation
Cloud Run (Container Hosting): https://cloud.google.com/run/docs/overview/what-is-cloud-run
Cloud SQL (DB - Postgres): https://cloud.google.com/sql/docs/introduction
Pub/Sub (Queuing/Messaging): https://cloud.google.com/pubsub/docs/overview?hl=en
Cloud Scheduler (Cron Triggers): https://cloud.google.com/scheduler/docs/overview?hl=en
Secrets Management: https://cloud.google.com/secret-manager/docs#docs
Google Cloud Compliance and Regulations Resources: https://cloud.google.com/security/compliance
Employee Commute Data Security
In order to protect employee privacy, when employees enter in their routes for the commute module, Carbonhound does not save this address information, only the distances and the modes of transportation needed to do the emissions calculations
Storage Location
We utilize Google Cloud Platform (GCP) for storing data. Our main systems are housed in Iowa, USA. Data is encrypted at rest and in transit
Right to be Forgotten
Carbonhound respects the “right to be forgotten”, and on request will delete all existing and backup data associated with an account. Unless requested, Carbonhound retains anonymized data on account closure for training and climate research purposes.
Summary of Info Security policies
Governance
Overview of Carbonhound’s mission and objectives for privacy and security, and outline the key roles and responsibilities related to data privacy and information security.
Asset Management
Safeguarding and tracking for intellectual property (IP) and assets at Carbonhound - both for Carbonhound owned IP and those associated with Carbonhound (vendors, clients, partners, etc.)
Risk and Compliance Management
How risk is understood, managed, and who is held accountable across the company, with a focus on privacy, security, accuracy, and transparency by design.
Third Party Management
Governs third-party vendor management activities, and when and how to perform risk assessments for vendors.
Data Management
Practices to secure and manage data throughout its lifecycle. This includes data encryption, data retention, data classification, disaster recovery, data backups, key management, data flow management, and non-repudiation practices on all data stored on systems by Carbonhound, regardless of their location.
Privacy
Covers handling personal information collected by Carbonhound or its customers, including data that is stored, processed, or otherwise shared with Carbonhound, its systems, employees, and contractors. This policy also governs human resource data.
Human Resource (HR) Security
This policy outlines Carbonhound’s human resources requirements concerning information security and data privacy at each stage of employment or engagement. This applies during onboarding, throughout employment or independent contractor engagements, and upon role change or termination.
Acceptable Use
This policy describes the acceptable use of electronic and computing devices, network resources, and information pertaining to Carbonhound. It applies to all company-owned, leased, or contracted resources, and encompasses company-controlled information as well as data shared with us by customers and other stakeholders.
Remote Working
This policy outlines how Carbonhound protects information accessed, processed, or stored at remote working sites. These security measures help prevent issues such as theft, espionage, and sabotage. A remote work site is any site that is not a company-designated and controlled office space. All employees and independent contractors who work from home or remote work sites must read and follow this policy.
Bring Your Own Device (BYOD)
Governs security requirements for using privately-owned devices used for work purposes.
Identity and Access Management
Identity management and access management are two concepts that come together to encompass Identity and Access Management (IAM). Identity management relates to information, traits, or items that are uniquely attributable to an individual; the individual is, has, or knows something that proves their identity. Access management or access control relates to determining which individuals have access to what systems, accounts, data, etc. This policy defines the requirements of Carbonhound, governing acceptable methods of determining a user’s identity and how access control is managed for these identities on networks and services.
Endpoint and Configuration Management
This policy provides guidance for all endpoints that access other systems and data, including workstations, servers, and cloud computing devices, including all endpoints owned, leased, or otherwise controlled by Carbonhound. Appropriate measures must be taken when using workstations to ensure the confidentiality, integrity, and availability of sensitive data.
Vulnerability and Patch Management
Vulnerability and Patch Management includes the activities, tools, and strategies that are employed to identify, monitor, report, and resolve vulnerabilities in systems and software. Auditing includes the internal audit of controls on a regular cadence to ensure compliance with Carbonhound information security policies. This policy defines the requirements of Carbonhound, governing what activities, tools, and strategies are to be leveraged within the vulnerability management program and what audit activities are performed, and to what degree they are performed.
The vulnerability management for Carbonhound focuses on scanning of its web application environment and public-facing website. These environments are critical to Carbonhound from the perspective of confidentiality, integrity, and availability.
Secure System Development
This policy outlines Carbonhound’s secure software development strategies and provides an overview of the organization’s approach to developing software securely. This policy is the basis for the governance, design, implementation, verification, and operation of Carbonhound’s software development life cycle (SDLC). This policy provides direction and defines how to securely build software at Carbonhound.
This policy is intended for all Carbonhound employees and contractors who develop, design, change, or contribute to software development. Everyone who has access to Carbonhound code and code repositories, development environments, or key material, and everyone who makes changes to software intended for production must read and follow this policy. Everyone with privileges to develop, manage, and change software at Carbonhound plays a role in ensuring that software is developed securely and that Carbonhound achieves and maintains the highest standards concerning software development from a security and quality perspective.
Cloud and Network Security
This policy governs the management of Carbonhound’s cloud hosting environment where it hosts its web application. This policy must be followed by the individuals assigned to managing or accessing this environment, excluding those who only access via Carbonhound’s online application interface.
Carbonhound stores substantial amounts of confidential information within the Cloud environment. Confidentiality, integrity, and availability of this information and the applications hosted within it are critical to Carbonhound, its customers, employees, and stakeholders.
Physical Security
This policy should be read and followed by all employees and independent contractors responsible for office facilities, IT equipment, print media, and all other data under the organization’s control. This policy defines the processes and guidelines for securing the utilities and managing physical access to safeguard personnel, prevent unauthorized access, ensure data integrity, and maintain the availability of systems and data.
Incident Response
This policy provides guidelines for swift resolution of security and privacy incidents within Carbonhound.
This policy, applicable to the Security Team (referred to as the Incident Response Team), outlines the management and response to security incidents, particularly those impacting critical systems or data. Any deviations from the policy require approval from the Security Officer and senior management.
Internal Incident Reporting
This policy aims to guide all employees and contractors of Carbonhound on how to identify, report, and assist in the prompt resolution of any security or privacy incidents. The policy applies to those who have access to the organization’s data and systems.
This policy must be followed in case of an actual or potential security or privacy incident. A security or privacy incident is defined as any event that could potentially impact the confidentiality, integrity, or availability of information, systems, hardware, or software. It can also refer to any other event that may negatively affect the company, its people, customers, stakeholders, or systems.
Business Continuity and Disaster Recovery (BCDR)
This policy outlines the requirements Carbonhound has set to ensure the least downtime possible to services and systems provided to customers and that support critical business functions.
This policy is for all critical system owners, delegated administrators, and individuals assigned backup responsibilities or roles.