Trust & security

Audit-grade security, defensible by design.

The discipline we apply to every emissions number — evidence, immutability, least privilege — is how we run the platform itself. Encrypted end to end, isolated per tenant, and built to the SOC 2 and ISO 27001 controls your assurance team expects.

  • TLS 1.2+ in transit
  • AES-256 at rest
  • Postgres row-level isolation
  • Region-pinned data
Layered translucent security shields, one forest-green, guarding data behind a brass padlock
How we protect your data

Seven layers between your data and everyone else.

Security a manufacturer's auditor can inspect — not a badge on a footer. Each layer maps to a control your assurance team already knows how to check.

Data protection

Every connection uses TLS 1.2 or higher; every byte at rest is encrypted with AES-256. Encryption keys are managed and rotated by your region's key service — never stored beside the data they protect.

Tenant isolation

Your data is separated from every other customer's at the database layer. PostgreSQL row-level security enforces a per-tenant boundary on every query, so one organisation can never read another's rows — even by mistake.

Immutable evidence

Calculations are append-only with full bitemporal history — nothing is ever overwritten. Source documents live in WORM object storage, retained five years, so you can reproduce any past report exactly, line by line.

Access control

Role-based, least-privilege access across Admin, Sustainability Manager, Data Contributor and Auditor roles. Enterprise adds SSO/SAML and SCIM provisioning, and every sign-in and edit is written to a tamper-evident audit log.

Data residency

Choose where your data lives — an EU, Gulf or US region — and it stays there. Pin residency to the jurisdiction you report into, from EU CSRD to UAE Federal Climate Law.

Reliability

Encrypted, regularly tested backups with a documented disaster-recovery plan, plus continuous monitoring and alerting. Your evidence survives a bad day as intact as it does a good one.

Privacy

Built for GDPR and regional data-protection law, with a data-processing agreement and a transparent, published sub-processor list. We process your data to run the service — never to train models, never to sell.

The controls, in detail

What “audit-grade” actually means.

The specifics your security reviewer will ask for, grouped the way they think about them.

Sealed, append-only evidence records stacked into an immutable audit trail

Encryption & network

  • TLS 1.2+ on every connection, including internal service-to-service traffic
  • AES-256 encryption for all data at rest, across databases and object storage
  • Managed encryption keys, rotated in your chosen region
  • HSTS and modern cipher suites; no legacy protocol fallbacks

Isolation & identity

  • PostgreSQL row-level security enforcing a per-tenant boundary on every query
  • Least-privilege RBAC across four defined roles
  • SSO/SAML and SCIM user provisioning on Enterprise
  • Scoped auditor access that can comment on a figure but never edit it

Evidence & retention

  • Append-only, bitemporal calculation history — numbers are versioned, never overwritten
  • WORM object storage for uploaded evidence like utility bills and invoices
  • Five-year record retention, matching the strictest of the four jurisdictions
  • Reproduce any historical report exactly, with the factors used at the time

Operations & resilience

  • Encrypted backups with a defined, regularly tested recovery process
  • Documented disaster-recovery plan with target recovery objectives
  • Continuous monitoring, alerting and access logging
  • Change management with peer review before production deploys
Certifications & roadmap

Built to the standard. Honest about the certificate.

We hold ourselves to recognised security frameworks, and we'd rather tell you exactly where we are than imply a badge we don't yet have.

Working toward

The architecture already implements these controls. The formal attestations are underway.

  • SOC 2 Type IIIn progress
  • ISO 27001On the roadmap

ESG Matrics does not yet hold SOC 2 Type II or ISO 27001 certification. Our platform is built to those controls today, and both are on our active roadmap.

In place today

  • TLS 1.2+ and AES-256 encryption
  • Per-tenant Postgres row-level security
  • Immutable, bitemporal evidence trail
  • Least-privilege RBAC and audit logs
  • Data-processing agreement (DPA)
  • Published sub-processor list
  • Data residency by region
Questions

Security questions, answered plainly.

The five your reviewer asks first.

Where is my data stored?+

In the region you choose — EU, Gulf or US — and it stays there. Pinning residency to the jurisdiction you report into keeps data close to where it's regulated and simplifies your own compliance review.

Who at ESG Matrics can see my data?+

Access is least-privilege and role-based. No one on our team reads your emissions data as a matter of course; access to production is restricted, logged and granted only for support you request or incident response. We never use your data to train models or sell it.

Can I export or delete my data?+

Yes. You can export your data and evidence at any time. On request or account closure we delete your data within a defined window, subject to any retention you are legally required to keep — records under the UAE Federal Climate Law, for example, must be held for five years.

Do you run penetration tests?+

Yes. We run internal security reviews and commission independent penetration testing, and we remediate findings on a risk-based schedule. Summaries can be shared with prospective customers under NDA as part of a security review.

How do you handle security incidents and disclosure?+

We monitor continuously and have an incident-response process with defined severities and owners. If an incident affects your data, we notify you promptly with what we know and what we're doing. Researchers can report suspected vulnerabilities through our contact page.

Found a vulnerability?

We welcome responsible disclosure. Reach our security team through the contact page and we'll acknowledge your report and keep you updated through remediation.

Bring our security review to your next audit.

Get the detail your assurance team needs — architecture, controls and residency — from the people who built it.