Security & Trust

Enterprise-grade security, built in.

CBAMCalc is built on EU-hosted infrastructure with industry-standard security controls at every layer.

  • EU data residency: Frankfurt, Germany
  • TLS 1.3 + AES-256: End-to-end
  • GDPR: Reg. (EU) 2016/679
  • MFA: TOTP — All users
  • SOC 2: Via AWS eu-central-1

Data Hosting

EU Region
  • All customer data is hosted exclusively on infrastructure located within the European Union (Frankfurt, Germany — AWS eu-central-1).
  • No data is transferred to or processed in third-country servers outside the EEA without an adequacy decision or appropriate safeguards under GDPR Art. 46.
  • Database servers run on isolated VPC subnets with no public internet exposure. Access is only possible via private endpoints.
  • Nightly encrypted backups are retained for 30 days with point-in-time recovery enabled. Backups are stored in a separate availability zone.

Encryption

AES-256 · TLS 1.3
  • All data at rest is encrypted using AES-256. This includes database volumes, backup files, and object storage.
  • All data in transit is protected with TLS 1.3. Plain HTTP is not accepted — all requests are redirected to HTTPS.
  • Database passwords, API keys, and third-party credentials are encrypted at the application layer using envelope encryption (KMS-managed keys) before storage.
  • User passwords are hashed with bcrypt (cost factor 12) and are never stored in plaintext or reversible form.

Access Control

RBAC · MFA
  • Role-based access control (RBAC) enforces least-privilege principles. Users are assigned Admin, Analyst, or Viewer roles scoped to their organisation.
  • Multi-factor authentication (TOTP) is available to all users and is enforced by policy for Admin accounts.
  • Session tokens are short-lived (8-hour expiry) with automatic invalidation on password change or explicit sign-out.
  • Internal engineering access to production systems requires SSO and MFA, and every session is logged. No engineer has standing access — access is granted on-demand and reviewed quarterly.
  • Organisation data is strictly isolated at the database query layer. Cross-tenant data access is architecturally impossible.

Audit Logging

90-day retention
  • All authentication events (login, logout, failed attempts, MFA changes) are logged with timestamp, IP address, and user agent.
  • All data mutations (create, update, delete) on CBAM records, scenarios, and reports are captured in an immutable audit trail.
  • Audit logs are tamper-resistant: they are written to append-only storage and cannot be modified or deleted by application-layer operations.
  • Logs are retained for 90 days online. Archived logs are kept for 24 months in cold storage for compliance purposes.
  • Organisation Admins can download their own organisation's audit trail from the Security & Audit page at any time.

Incident Response

72-hr notification
  • We maintain a documented Incident Response Plan (IRP) with defined severity levels, escalation paths, and communication templates.
  • In the event of a confirmed personal data breach, affected organisations and the relevant supervisory authority are notified within 72 hours as required by GDPR Art. 33–34.
  • A dedicated security@cbamcalc.com alias is monitored 24/7. Reports are triaged within 4 hours. Critical vulnerabilities are patched within 24 hours.
  • Post-incident reviews are conducted for all P1/P2 events and summaries are shared with affected customers upon request.
  • System status and incident history are published publicly at our status page.

GDPR Compliance

Reg. (EU) 2016/679
  • CBAMCalc acts as a Data Processor for customer-uploaded emissions and import data. We process personal data only on documented instructions from the Controller (the customer organisation).
  • A Data Processing Agreement (DPA) is available for all paid plan subscribers. Enterprise customers may execute a custom DPA.
  • We support all GDPR data subject rights: access, rectification, erasure, portability, restriction, and objection. Requests are fulfilled within 30 days via the in-app Privacy centre or by email.
  • Personal data is used solely for providing the CBAMCalc service. It is never sold, shared with advertisers, or used for profiling unrelated to CBAM compliance.
  • We maintain a Records of Processing Activities (RoPA) register as required by GDPR Art. 30.

Sub-processors

Current list
  • Amazon Web Services (AWS) — Infrastructure hosting, object storage, and managed database. Region: eu-central-1 (Frankfurt, Germany).
  • Vercel Inc. — Edge network and server-side rendering for the web application. Data processed: request metadata only; no personal data stored.
  • Anthropic PBC — AI inference for Executive Insight analysis. Only aggregated numerical emissions data is sent; no personal identifiers.
  • Resend Inc. — Transactional email delivery (account verification, password reset, report notifications). Data processed: email address and message content.
  • We review and approve all sub-processors before onboarding. Customers are notified of material sub-processor changes at least 14 days in advance.

Contact & Disclosure

security@cbamcalc.com
  • Security vulnerabilities: security@cbamcalc.com — PGP key available on request. We operate a responsible disclosure policy with a 90-day remediation window.
  • GDPR / data subject requests: privacy@cbamcalc.com — responses within 30 days.
  • General security enquiries and DPA requests: support@cbamcalc.com
  • Data Protection Officer (DPO): dpo@cbamcalc.com

Data Processing Agreement

Need a DPA for your organisation?

A standard Data Processing Agreement is available to all paid plan subscribers. Enterprise customers may request a custom DPA.

Last reviewed: May 2026 · Next review: August 2026

Questions? security@cbamcalc.com