Building a Carbon & ESG management SaaS - Episode 1: Security

At a time when data on the climate impact of companies is increasingly public, why is data security crucial when offering an online carbon management solution, and how do we address this issue at Tennaxia?

Patrick Nollet
CTO
Updated: 19.05.2025
Published: 15.06.2023

The importance of securing corporate carbon data and climate strategy.

Tennaxia ESG is a SaaS software platform enabling companies to measure their carbon footprint and implement action plans to reduce it. While an increasing number of companies, whether under regulatory constraints or not, are tending to share their CSR initiatives and the overall results of their Bilan Carbone, the fact remains that carbon footprint measurement is generally based on operational data that can be highly sensitive: purchases, energy expenditure, employee travel, industrial processes, etc.

This is all the more true when we carry out a carbon footprint according to the most rigorous carbon methodology standards, as is the case at Tennaxia, since these standards require us to go into precise detail about a company's value chain: production methods, suppliers and service providers, investments, logistics, and so on.

Since drawing up a Carbon Footprint is only the prerequisite for taking action to reduce emissions, Tennaxia customers also use the platform to manage their reduction trajectories and, above all, the associated decarbonization action plans. As Tennaxia ESG enables us to model both the carbon impact and the financial impact of reduction actions, this requires the processing of strategic and therefore critical business data for our customers.

So it's natural for Tennaxia customers to want to ensure that the data they entrust to us is properly secured.

Tennaxia is SOC 2 audited.

Since the creation of Tennaxia ESG, we have applied a number of key principles to the design of our ESG software to build a secure and reliable system. But beyond the product itself, the entire company organization must be aligned to ensure that our product meets a high level of security and operational quality.

While there are now regulations, such as the GDPR (with which Tennaxia naturally complies), that frame the processing of personal data and guarantee its proper management, our customers still need the proper application of security best practices by their suppliers to be verified by an independent body.

Standards have therefore been developed to audit and evaluate companies like Tennaxia on their ability to comply with security best practices. Some of these standards are sector-specific, such as PCI DSS for companies handling card payments, while others are more general.

Tennaxia began with a SOC 2 Type 1 audit, which attests that the organization's and the product's security controls are suitably designed to meet the most stringent security requirements, as assessed at a given point in time.

We then carried out a more ambitious audit: SOC 2 Type 2. The difference between Type 2 and Type 1 is that, this time, the auditor tested our actual compliance with our security commitments and procedures over a period of several months, rather than assessing their design at a single point in time. This is a stronger security guarantee. In our case, no exception to our procedures was identified.

SOC 2 audit categories

Generally speaking, a SOC 2 audit can assess criteria grouped into five main categories (the Trust Services Criteria):

  • Security: the system must be protected against unauthorized access, both logical and physical, and against the other risks it may face.
  • Availability: the system must remain available so that our tool stays accessible to customers.
  • Processing integrity: the information produced by the system must be complete, accurate and reliable at all times.
  • Confidentiality: information designated as confidential must only be accessible to authorized personnel.
  • Privacy: personal data must be collected, used, stored and disposed of appropriately.

As part of our audit, we focused on Security, the one category that every SOC 2 audit must include.

How is data processed in Tennaxia?

What does this mean in practice for Tennaxia customer data?

Here are a few examples:

  • Our customers' data is encrypted at rest (on disk) and in transit (as it travels over the network from one computer to another).
  • We have strict rules for managing access to our internal tools.
  • Our workstations are regularly updated, protected by antivirus, antimalware and firewall solutions, and our disks are encrypted.
  • We carry out regular penetration tests and vulnerability scans on our technical infrastructure.
  • All Tennaxia employees are made aware of security issues, and phishing simulation campaigns are carried out on a regular basis.
  • We have procedures in place to manage any incidents that may occur, and we test them regularly.
  • We have a strict policy for managing our subcontractors.

These are just a few examples, but it's clear that setting up a secure and reliable platform takes time and investment on the part of everyone at Tennaxia.

Nevertheless, this remains essential if we are to retain the trust of our customers, meet the expectations of key accounts by default, and be able to support all our customers in their climate strategies in the most precise and ambitious way possible.

Detailed results of Tennaxia's SOC 2 Type 2 audit are available on request by email to: contact@tennaxia.com