Security Practices

Last updated: June 6, 2026

Our Commitment

Security is foundational to everything we do. ESG data — including Scope 1, 2, and 3 emissions records, energy consumption data, and supply chain information — is commercially sensitive and in many jurisdictions subject to regulatory disclosure obligations. We treat the security of your data with the same rigour as any regulated financial institution.

TerraLedger operates a formal Information Security Management System (ISMS) with controls mapped to ISO/IEC 27001. Internal security reviews run quarterly, with mandatory security training for all staff on joining and annually thereafter.

Certifications

  • Continuous control monitoring — TerraLedger runs a continuous-monitoring programme with controls mapped to the SOC 2 Trust Services Criteria. Enterprise customers can request the current report under NDA.
  • Evidence collection — Security controls are aligned with ISO/IEC 27001:2022, with evidence collected continuously for annual review.
  • GDPR Compliance — We operate in accordance with EU GDPR and UK GDPR. See our GDPR & Data Protection page for full details.

Infrastructure Security

The application runs on AWS, with production in eu-west-1 (Ireland) and disaster recovery in eu-central-1 (Frankfurt).

  • Primary region: AWS eu-west-1 (Ireland)
  • Disaster recovery region: AWS eu-central-1 (Frankfurt)
  • Data sovereignty: Customer emissions data is stored and processed within the EU by default.

All production infrastructure is managed as code. Changes go through peer-reviewed pull requests and automated CI/CD pipelines, with no direct manual access to production systems.

Network access is restricted via security groups and access control lists. All administrative access to infrastructure requires MFA with full audit logging.

Data Encryption

All customer data is encrypted in transit and at rest.

  • At rest: AES-256, with keys managed in AWS KMS.
  • In transit: TLS 1.2+ enforced, HSTS enabled, and legacy protocol versions disabled.
  • Field-level encryption: Sensitive values such as API keys and access tokens are encrypted at the field level.
  • Key management: Keys are rotated annually; access to key material is restricted to a small set of audited operators.

Access Control

TerraLedger enforces a least-privilege access model across all internal systems and customer-facing features:

  • Role-Based Access Control (RBAC): Workspace, project, and organisation-level roles scope every user to only the data and actions their role requires.
  • Single Sign-On (SSO): Single sign-on via SAML 2.0 or OIDC is available on Scale and Enterprise plans.
  • Multi-Factor Authentication (MFA): Required for all staff accounts and admin-level customer accounts, and available to all other users. Supported methods: TOTP authenticator apps and FIDO2 hardware security keys.
  • Internal access: Staff cannot access customer data without an approved support request. All access is logged, time-limited, and reviewed.

Vulnerability Management

TerraLedger runs a layered vulnerability-management programme covering testing, scanning, and triage.

  • Penetration testing: Commissioned annually from an independent firm; results available to enterprise customers under NDA.
  • Dependency scanning: Automated on every build, with a 7-day patching SLA for critical vulnerabilities.
  • Static analysis: SAST runs in CI on every pull request.
  • Coordinated disclosure: Researchers can report vulnerabilities via the responsible-disclosure process below.

Incident Response

TerraLedger maintains a documented Incident Response Plan, tested twice yearly via tabletop exercises.

  • Critical incidents (data breach, service outage): 1-hour response, 24-hour resolution target.
  • High severity: 4-hour response, 3-business-day resolution target.
  • Customer notification: Affected customers are notified within 72 hours of confirming a personal data breach, in line with GDPR Article 33.

In the event of a breach, we will provide affected customers with: a description of the nature of the incident, the categories and approximate number of records affected, the likely consequences, and the measures taken or proposed to address the incident.

Employee Security

  • Background checks: Identity and employment-history verification before joining; criminal-record checks where legally permitted.
  • Security training: Mandatory on joining and annually — phishing, data handling, incident reporting, social engineering.
  • Access de-provisioning: Account and system access revoked within 24 hours of termination.
  • NDAs: All staff and contractors sign confidentiality agreements covering customer data.
  • Device management: Company devices are MDM-enrolled with full-disk encryption, remote wipe, and enforced screen-lock policies.

Business Continuity

TerraLedger maintains a Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) designed to ensure service availability even in the event of a major infrastructure failure:

  • Daily backups: Encrypted daily backups with 30-day point-in-time recovery.
  • Recovery Time Objective (RTO): 4 hours.
  • Recovery Point Objective (RPO): 1 hour.
  • DR testing: Tested twice yearly.
  • Status page: Live service status is published at status.terraledger.io.

Responsible Disclosure

TerraLedger welcomes reports from security researchers who discover vulnerabilities in our platform. We commit to:

  • Acknowledge receipt of your report within 2 business days.
  • Provide an initial assessment within 5 business days.
  • Work with you to understand and remediate the issue before public disclosure.
  • Not pursue legal action against researchers who act in good faith and within the scope of this policy, provided they do not access, modify, or delete customer data.

To report a vulnerability, email security@terraledger.io.

Out of scope: Social engineering attacks targeting TerraLedger staff, physical security, denial-of-service attacks, and issues in third-party services that TerraLedger has no control over.

Contact

For security-related enquiries, incident reports, or to request our SOC 2 report, contact our security team at security@terraledger.io.

Demo UI kit preview — content is fictional.