Security at CarbonTrail
Carbon accounting requires understanding various aspects of a business's operation, including its financial position, use of suppliers, subsidiaries and more. All of this data is incredibly sensitive, and we go beyond industry best practice to ensure that all data hosted on CarbonTrail's platform remains safe and secure.
For independently verified security documentation, certifications, and compliance reports, visit our Trust Centre.
Frequently Asked Questions
Why should I trust you with my company data?
CarbonTrail is a well-established and trusted carbon measurement organisation, having been in operation since 2022, and having gained a 4.8/5 star rating on the Xero App Store.
We have aligned our operation with the global ISO 27001 information security standard, host our services in Amazon Web Services in line with best practices, and have at least annual external audits of our environmental and security processes to ensure that we exceed the minimum requirements set by the industry.
Do you use encryption?
Yes — we use Cloudflare to ensure all data transferred between you and the service is encrypted. The encryption is the same as that used for internet banking services around the world.
While we analyse your data from your accounting tools and activities, this information is stored in our secure servers, hosted in Amazon Web Services. We encrypt your data at rest, and encrypt this again with a unique key at a database level, to ensure that only you can view your data and that, in the extremely unlikely event of a breach, the data is useless to anyone who accesses it.
Are you ISO 27001 / SOC 2 certified?
We are actively working on achieving certification in this area. We are aligned to the best practices set out by ISO 27001. Our cloud provider, Amazon Web Services, implements and adheres to ISO 27001, 27017, and 27018 — their ISO 27001 certification is available on request.
We also have an internal information security management system (ISMS), created in line with ISO 27001 best practices. If you want more information on any of our policies, internal processes, or have another question, please contact us.
Who can access my data?
No one will be able to access your data unless you invite them to, and you can remove them at any time. Our support team may be granted access to your account on your behalf to assist you with your use of the tool, but all operations are logged.
Our servers are highly secure, with multiple layers of protection and encryption.
Do you use firewalls or other security mechanisms?
Yes — our servers are well-protected by multiple layers of firewalls, intrusion protection systems, and network-level defences, configured and monitored according to industry best practices.
We use Cloudflare as a web-application firewall which provides protection against common web threats and locks down sensitive operations. Our internal office networks are isolated from customer data by design, so you can be confident that your data is safe with us.
How do I log in? Is that secure?
You can only log into CarbonTrail through Xero, MYOB, or your own corporate single sign-on (SSO) system, which means that your credentials are held securely by those trusted companies or your own company's IT department.
Are your development and production environments separate?
Yes — we never use production customer data in test systems. We have separate physical accounts that maintain segregation between environments.
How do you know your systems are secure?
Our security is reviewed and audited regularly. This includes threat modelling, penetration testing, and remediation by external specialists, as well as ongoing security and dependency scanning and updates.
If you are interested in receiving copies of our penetration test reports, please contact us.
Will my data be backed up?
We run backups of our database every night, full backups every day, and transaction log backups in real time through our managed database provider. This means that in the unlikely event of an issue, we can immediately recover your data.
Where do you host my data?
Our servers are located within Amazon Web Services in Sydney, Australia — enterprise-grade hosting facilities. AWS holds ISO 27001, 27017, and 27018 certifications. You can find out more about AWS Security here.
Can you sign an additional agreement to cover your use of our data?
Yes, absolutely. We are confident in our data protection measures and would be glad to sign an agreement. We can provide a standard Data Sharing Agreement or Non-Disclosure Agreement, or you can bring your own for us to sign. Contact us to find out more.
Trust Centre
Our Trust Centre, powered by Vanta, provides independently verified security documentation, up-to-date compliance reports, and real-time visibility into our security posture. You can review our controls, request access to audit reports, and monitor our security status at any time.