Governance & Compliance

Our Commitment

We handle your sustainability data with the same rigor and care that financial institutions apply to sensitive financial data. Your trust is fundamental to our mission.

Data Security Model

Encryption Standards

Data at Rest

  • AES-256 encryption for all sensitive data in the database
  • Encrypted backups with separate key management
  • Encryption keys never stored with encrypted data
  • Hardware security modules (HSMs) for key protection

Data in Transit

  • TLS 1.2+ for all network communications
  • Certificate pinning to prevent man-in-the-middle attacks
  • End-to-end encryption for sensitive operations
  • VPN tunnels for integrations with external systems

Application Level

  • Encryption of personally identifiable information (PII)
  • Tokenization of sensitive values
  • Field-level encryption for highest-sensitivity data
  • Encrypted logs (we can’t read your data even in logs)

Access Controls

Authentication

  • Multi-factor authentication (MFA) required for all users
  • Support for:
    • TOTP/authenticator apps
    • SMS-based authentication (weakest of the options: exposed to SIM swapping and interception, so prefer an authenticator app or hardware key where possible)
    • Hardware security keys (FIDO2/WebAuthn, phishing-resistant)
    • Single Sign-On (SSO) via SAML or OpenID Connect (built on OAuth 2.0)
  • Passwordless authentication options available

Authorization

  • Fine-grained role-based access control (RBAC)
  • Organization-level permissions
  • Team-level permissions
  • Data-level restrictions (can only see your own org’s data)
  • Field-level restrictions (financial officers can see cost data, others can’t)

Session Management

  • Sessions automatically time out (configurable, default 8 hours)
  • Activity logging (who accessed what when)
  • Force re-authentication for sensitive operations
  • Concurrent session limits

API Security

API Authentication

  • OAuth 2.0 for third-party integrations
  • API keys with rotation policies
  • Scope-limited tokens (each API app gets minimum permissions needed)
  • Rate limiting to prevent abuse

Webhook Security

  • Cryptographic signatures on all webhooks
  • Webhook delivery verification
  • Replay attack prevention
  • IP whitelisting support
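The list above names the controls but not the platform's actual header names or signing scheme. The following is an added example, not the platform's own code, of how a receiving integration typically verifies such a delivery: one HMAC-SHA256 over delivery id, timestamp and the raw body, compared in constant time, then a freshness window and a delivery-id cache so a captured request cannot be replayed. The secret, the header names (X-Webhook-Id, X-Webhook-Timestamp, X-Webhook-Signature) and the sample payload are constructed assumptions.

```python
import hashlib
import hmac
import json
import time
from typing import Callable, Dict, List, Tuple

# Assumed values: the real platform's secret format, header names and signing
# scheme are not documented on this page.
WEBHOOK_SECRET = b"whsec_example_secret_do_not_reuse"
TOLERANCE_SECONDS = 300  # reject deliveries whose timestamp is more than 5 minutes off


def sign_webhook(secret: bytes, delivery_id: str, timestamp: int, body: bytes) -> str:
    """Sender side: one MAC binds delivery id, timestamp and the raw body together,
    so none of them can be swapped independently."""
    msg = b".".join([delivery_id.encode(), str(timestamp).encode(), body])
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


class WebhookVerifier:
    """Receiver side. Rejects forged, tampered, stale and replayed deliveries."""

    def __init__(self, secret: bytes, tolerance: int = TOLERANCE_SECONDS,
                 now: Callable[[], float] = time.time):
        self._secret = secret
        self._tolerance = tolerance
        self._now = now
        self._seen: Dict[str, int] = {}  # delivery_id -> timestamp, for replay detection

    def verify(self, headers: Dict[str, str], body: bytes) -> Tuple[bool, str]:
        delivery_id = headers.get("X-Webhook-Id")
        ts_header = headers.get("X-Webhook-Timestamp")
        provided = headers.get("X-Webhook-Signature", "")
        if not delivery_id or not ts_header:
            return False, "missing headers"
        try:
            timestamp = int(ts_header)
        except ValueError:
            return False, "bad timestamp"
        # 1. Authenticity and integrity: recompute over the raw bytes (never over
        #    re-serialised JSON) and compare in constant time.
        expected = sign_webhook(self._secret, delivery_id, timestamp, body)
        if not hmac.compare_digest(expected, provided):
            return False, "bad signature"
        # 2. Freshness: a captured request is only replayable inside this window.
        now = self._now()
        if abs(now - timestamp) > self._tolerance:
            return False, "stale timestamp"
        # 3. Replay inside the window: the same delivery id is accepted once only.
        self._evict(now)
        if delivery_id in self._seen:
            return False, "replay"
        self._seen[delivery_id] = timestamp
        return True, "ok"

    def _evict(self, now: float) -> None:
        """Drop cache entries that the timestamp check would reject anyway."""
        cutoff = now - self._tolerance
        for key in [k for k, ts in self._seen.items() if ts < cutoff]:
            del self._seen[key]


def demo() -> List[str]:
    """Constructed delivery, then a replay, a tampered body and a late delivery."""
    clock = [1_700_000_000]          # fake clock so the run is deterministic
    verifier = WebhookVerifier(WEBHOOK_SECRET, now=lambda: clock[0])
    body = json.dumps({"event": "report.finalized", "org": "acme"}).encode()
    ts = clock[0]
    headers = {
        "X-Webhook-Id": "dlv_0001",
        "X-Webhook-Timestamp": str(ts),
        "X-Webhook-Signature": sign_webhook(WEBHOOK_SECRET, "dlv_0001", ts, body),
    }
    results = [verifier.verify(headers, body)[1]]                 # first delivery: ok
    results.append(verifier.verify(headers, body)[1])            # identical resend: replay
    results.append(verifier.verify(headers, body.replace(b"acme", b"evil"))[1])  # bad signature
    clock[0] += TOLERANCE_SECONDS + 1                            # clock moves past the window
    late = dict(headers, **{"X-Webhook-Id": "dlv_0002"})
    late["X-Webhook-Signature"] = sign_webhook(WEBHOOK_SECRET, "dlv_0002", ts, body)
    results.append(verifier.verify(late, body)[1])               # valid MAC, stale timestamp
    return results


if __name__ == "__main__":
    print(demo())  # ['ok', 'replay', 'bad signature', 'stale timestamp']
```

The order of the checks matters: the MAC is verified before the timestamp and cache are consulted, so an unauthenticated sender learns nothing from the response about which delivery ids have been seen, and the replay cache only ever grows with signed requests. In a multi-instance deployment the cache would live in shared storage (for example a key-value store with a TTL equal to the tolerance window) rather than in process memory.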

Rate Limiting

  • Per-user rate limits (fair use policy)
  • Per-IP rate limits (throttle abuse from a single source; not a substitute for upstream DDoS protection)
  • Per-API-endpoint rate limits (protect expensive operations)
  • Graceful degradation if limits exceeded
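The four bullets above describe the policy but not the mechanism. As an added example (not the platform's own code), here is one way to enforce independent per-user, per-IP and per-endpoint limits on a single request with token buckets, degrading gracefully with a 429 and a Retry-After header rather than a dropped connection. The limits in the policy table, the endpoint paths and the response header names are assumptions for illustration.

```python
import math
import time
from typing import Callable, Dict, List, Optional, Tuple

# Assumed policy table; the platform's real limits are not published on this page.
# Each bucket is (burst capacity, refill tokens per second).
POLICIES: Dict[str, Tuple[int, float]] = {
    "user": (60, 60 / 60.0),          # fair use: 60 requests/min per user
    "ip": (120, 120 / 60.0),          # 120 requests/min per source IP
    "/v1/exports": (2, 2 / 60.0),     # expensive endpoint: 2/min per user
}


class TokenBucket:
    """Token bucket with lazy refill: allows bursts up to capacity, then a steady rate."""

    def __init__(self, capacity: int, refill_per_sec: float):
        self.capacity = capacity
        self.refill_per_sec = refill_per_sec
        self.tokens = float(capacity)
        self.last: Optional[float] = None

    def refill(self, now: float) -> None:
        if self.last is not None:
            self.tokens = min(self.capacity,
                              self.tokens + (now - self.last) * self.refill_per_sec)
        self.last = now

    def wait_seconds(self) -> float:
        """0 if a token is available now, else seconds until one refills."""
        if self.tokens >= 1.0:
            return 0.0
        return (1.0 - self.tokens) / self.refill_per_sec

    def consume(self) -> None:
        self.tokens -= 1.0


class RateLimiter:
    """Applies per-user, per-IP and per-endpoint buckets to one request."""

    def __init__(self, now: Callable[[], float] = time.time):
        self._now = now
        self._buckets: Dict[str, TokenBucket] = {}

    def _bucket(self, scope: str, key: str) -> TokenBucket:
        name = f"{scope}:{key}"
        if name not in self._buckets:
            capacity, rate = POLICIES[scope]
            self._buckets[name] = TokenBucket(capacity, rate)
        return self._buckets[name]

    def check(self, user_id: str, ip: str, endpoint: str) -> Tuple[int, Dict[str, str]]:
        """Return (HTTP status, headers). Graceful degradation: 429 plus Retry-After
        instead of a dropped connection, and nothing is charged on a denial."""
        now = self._now()
        scoped = [("user", user_id), ("ip", ip)]
        if endpoint in POLICIES:                     # expensive endpoint: extra per-user bucket
            scoped.append((endpoint, user_id))
        buckets = [(scope, self._bucket(scope, key)) for scope, key in scoped]
        # Phase 1: refill and inspect every bucket before charging any, so a request
        # denied by one scope does not still burn tokens in the others.
        for _, b in buckets:
            b.refill(now)
        scope, wait = max(((s, b.wait_seconds()) for s, b in buckets), key=lambda x: x[1])
        if wait > 0:
            return 429, {"Retry-After": str(math.ceil(wait)), "X-RateLimit-Scope": scope}
        # Phase 2: every scope has headroom; charge each one.
        for _, b in buckets:
            b.consume()
        remaining = int(min(b.tokens for _, b in buckets))
        return 200, {"X-RateLimit-Remaining": str(remaining)}


def demo() -> Tuple[List[int], Dict[str, str]]:
    """Constructed traffic from one user: the expensive endpoint throttles long before
    the general per-user limit, cheap endpoints stay available, and tokens refill."""
    clock = [0.0]                                    # fake clock for a deterministic run
    limiter = RateLimiter(now=lambda: clock[0])
    statuses: List[int] = []
    denied_headers: Dict[str, str] = {}
    for _ in range(3):                               # third export call exceeds burst of 2
        status, headers = limiter.check("user-1", "203.0.113.5", "/v1/exports")
        statuses.append(status)
        if status == 429:
            denied_headers = headers
    statuses.append(limiter.check("user-1", "203.0.113.5", "/v1/reports")[0])  # still 200
    clock[0] += 31.0                                 # one export token has refilled (2/min)
    statuses.append(limiter.check("user-1", "203.0.113.5", "/v1/exports")[0])
    return statuses, denied_headers


if __name__ == "__main__":
    print(demo())  # ([200, 200, 429, 200, 200], {'Retry-After': '30', 'X-RateLimit-Scope': '/v1/exports'})
```

The two-phase check is the part worth copying: with three buckets consulted per request, consuming from the user and IP buckets before discovering the endpoint bucket is empty would let a client that hammers one expensive endpoint exhaust its general allowance as well. Buckets here are process-local; a horizontally scaled API keeps them in a shared store so that the limit is enforced per client rather than per server instance.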

Privacy & Data Protection

GDPR Compliance (EU Users)

Your Rights Under GDPR

  1. Right to Access: You can request all data we hold about you
  2. Right to Correct: You can update incorrect data
  3. Right to Delete: You can request deletion (“right to be forgotten”)
  4. Right to Data Portability: We provide your data in portable format
  5. Right to Restrict Processing: You can limit how we use your data
  6. Right to Object: You can object to certain processing

How We Support These Rights

  • Self-service access in your account settings
  • Data export in standard formats (CSV, JSON)
  • One-click deletion of your organization (30-day grace period)
  • Deletion of specific records
  • Opt-out from marketing communications
  • DPA (Data Processing Agreement) available on request

Data Processing

  • Only process data for stated purposes
  • Never share data with third parties, other than the service providers (sub-processors) needed to run the platform
  • Service providers sign data processing agreements
  • Data retention policies (we don’t keep what we don’t need)
  • Regular audits of data usage

CCPA Compliance (California, USA)

Your Rights Under CCPA

  1. Know: What data we collect and use
  2. Delete: Request deletion of your data
  3. Opt-out: Opt out of “sale or sharing” of your data (we don’t do this)
  4. Non-Discrimination: You won’t be penalized for exercising rights

Implementation

  • Privacy notice in account settings
  • Self-service data deletion for California residents
  • No sale or sharing of personal data
  • No discriminatory pricing or service

Brazilian (LGPD) & Other Regulations

We comply with:

  • Brazil: LGPD (Lei Geral de Proteção de Dados)
  • UK: UK GDPR (similar to GDPR)
  • Canada: PIPEDA
  • Australia: Privacy Act
  • India: E-Commerce Rules & data localization
  • Regional healthcare data regulations (if applicable)

Approach: We adopt GDPR-level protections universally. If a region has stricter rules, we follow those.


Compliance Certifications

SOC 2 Type II

What It Means: Independent auditor verifies our controls for:

  • Security: Do we protect against unauthorized access?
  • Availability: Is the system up when you need it?
  • Processing Integrity: Is the data processed correctly?
  • Confidentiality: Do we keep your data private?
  • Privacy: Do we handle personal data responsibly?

Audit Process

  • Annual independent audit (external auditors, not us)
  • 6+ months of control testing
  • Detailed report issued
  • On-site inspection of facilities, processes, people

Your Benefit: You can review our SOC 2 report upon execution of NDA

ISO 27001 (Information Security)

Certification Scope: Information security management system

Coverage

  • Asset management
  • Access control
  • Cryptography
  • Physical and environmental security
  • Operations security
  • Change management
  • Incident management
  • Business continuity
  • Supplier management

What We Audit

  • Quarterly internal audits
  • Annual management review
  • Continuous monitoring
  • Regular penetration testing

AI & Algorithmic Governance

Responsible AI Principles

  1. Transparency: You understand how AI makes recommendations
  2. Explainability: You can see the reason for each recommendation
  3. Fairness: We test for bias (especially against protected groups)
  4. Accountability: We’re responsible if our AI causes harm
  5. Human Override: You can ignore AI recommendations

Bias Testing

  • Regular audits for demographic bias
  • Testing across sectors, organization sizes, geographies
  • If bias found, models are retrained
  • Annual bias audit reports available

Model Governance

  • All models have owners and documentation
  • Model performance tracked (are predictions accurate?)
  • Automatic alerts if model performance degrades
  • Version control for all model updates

Ethical Use Policy

Prohibited Uses

You agree not to use the platform for:

  1. Greenwashing

    • Deliberately misrepresenting environmental efforts
    • Hiding negative impacts
    • Falsifying data
  2. Discrimination

    • Using assessments to unfairly treat individuals
    • Pay discrimination based on protected characteristics
    • Hiring/firing decisions that violate employment law
  3. Illegal Activity

    • Using platform for fraud
    • Violating export controls
    • Money laundering or corruption
    • Other illegal purposes
  4. Data Misuse

    • Selling others’ data
    • Unauthorized data sharing
    • Impersonation
    • Hacking attempts
  5. Harm

    • Content promoting violence or hatred
    • Defamation
    • Harassment
    • Abuse of platform users

Enforcement: Violations result in account termination + potential legal action

Audit Trail & Incident Response

What We Log

  • Who accessed the system and when
  • What data they searched or changed
  • Changes made to actions/plans
  • Configuration changes
  • Administrative actions
  • Failed login attempts

Audit Retention

  • 7 years for large organizations
  • 3 years for small organizations
  • Longer if required by law

Accessing Your Audit Log

You can:

  • View complete audit trail of your organization
  • Export audit logs for compliance reviews
  • Receive alerts when suspicious activity is detected
  • Report security concerns

Incident Response Procedures

  1. Detection: We monitor 24/7 for security issues
  2. Response: Incident team mobilizes within 15 minutes
  3. Containment: Isolate the issue to prevent spread
  4. Investigation: Understand what happened and why
  5. Communication: Notify affected customers
  6. Recovery: Restore systems to normal
  7. Post-Mortem: Learn from incident, prevent recurrence

Notification Timeline

  • If personal data that could identify you is breached: we notify the competent supervisory authority within 72 hours of becoming aware (GDPR Article 33) and affected customers without undue delay (Article 34)
  • If only aggregate, non-identifying data is affected: post-incident notification
  • Transparency reports published annually

Organizational Policies

Anti-Corruption & Ethical Business

Commitment to Integrity

  • No bribes, kickbacks, or improper payments
  • Ethical business practices with partners
  • Transparent pricing (no hidden fees)
  • Conflict of interest policies

Sanctions Compliance

  • We screen users/organizations for sanctions lists
  • We don’t do business with sanctioned entities
  • Compliance with export controls

Labor & Human Rights

Our Commitment

  • We don’t support forced labor or child labor
  • Fair wages for all employees
  • Safe working conditions
  • Freedom of association
  • Diversity and inclusion

Supplier Requirements

  • All suppliers must comply with labor laws
  • Periodic audits of supplier practices
  • Escalation process for violations

Environmental Responsibility

Our Operations

  • Carbon-neutral data centers (renewable energy)
  • Paper-free operations
  • Responsible e-waste management
  • Supply chain sustainability

Regulatory Alignment

SDG Compliance

Which SDGs Apply to Us

  • SDG 9 (Industry, Innovation, Infrastructure): Build resilient infrastructure
  • SDG 12 (Responsible Consumption): Ethical business practices
  • SDG 16 (Peace & Justice): Transparent governance
  • SDG 17 (Partnerships): Collaborate with stakeholders

We contribute to your SDG achievements by:

  • Providing transparent data
  • Enabling measurement
  • Facilitating stakeholder engagement
  • Supporting goal-setting and monitoring

ESG Reporting Standards

Our platform aligns with:

  1. TCFD (Task Force on Climate-Related Financial Disclosures)
  2. SASB (Sustainability Accounting Standards Board)
  3. CSRD (Corporate Sustainability Reporting Directive - EU)
  4. GRI (Global Reporting Initiative)
  5. SEC Climate disclosure rules (US)
  6. Integrated Reporting framework

What This Means: Data you collect maps to multiple reporting standards automatically.


Industry-Specific Compliance

Financial Services (Banks, Insurance)

Regulations

  • BCBS 239 (Risk data governance)
  • Basel III (Capital requirements)
  • MiFID II (Investment protection)

Platform Support

  • Data quality validation
  • Stress testing
  • Risk concentration analysis
  • Regulatory reporting templates

Healthcare

Regulations

  • HIPAA (US)
  • GDPR (EU)
  • Data localization requirements

Implementation

  • Data encryption and access controls
  • Audit trails for medical data access
  • Compliance with data residency rules

Energy & Utilities

Regulations

  • CDM compliance (Clean Development Mechanism)
  • ISO 50001 (Energy management)
  • Carbon market reporting

Features

  • Energy tracking and verification
  • CDM project documentation
  • Carbon credit accounting

Public Sector & Government

Regulations

  • Government cybersecurity standards
  • Public records requirements
  • FedRAMP (US federal compliance)

Availability

  • Government-grade security
  • FedRAMP authorization in progress
  • Public records export capabilities

Technical Compliance

Infrastructure Security

Data Centers

  • Multiple geographically distributed data centers
  • Redundancy built-in (if one fails, others take over)
  • Regular disaster recovery testing
  • Automatic failover

Disaster Recovery

  • Recovery Time Objective (RTO): <1 hour
  • Recovery Point Objective (RPO): <15 minutes
  • Annual testing of recovery procedures
  • Documented procedures for all scenarios

Availability Commitment

  • 99.9% uptime SLA (at most about 43 minutes of downtime in a 30-day month)
  • Exceptions: Scheduled maintenance (announced in advance), DDoS attacks
  • Automatic alerts if uptime targets missed

Dependency Management

Third-Party Tools

All tools we use are vetted for:

  • Security certifications (SOC 2, ISO 27001)
  • Data protection compliance (GDPR, etc.)
  • Reliability and redundancy
  • Privacy policies

Current Trusted Partners

  • Cloud infrastructure: Enterprise-grade providers with SOC 2
  • Payment processing: PCI-DSS compliant
  • Email: Enterprise-grade providers
  • Analytics: Privacy-respecting analytics platforms

Regular Testing

Penetration Testing

  • Third-party ethical hackers test our security
  • Quarterly internal testing
  • Continuous vulnerability scanning

Compliance Audits

  • Annual SOC 2 audit
  • Annual ISO 27001 audit
  • Regular GDPR assessments
  • Quarterly IT control reviews

What You Control

Your Data Responsibility

You are responsible for:

  1. Maintaining user credentials (passwords, MFA devices)
  2. Managing who has access to your organization’s data
  3. Not sharing sensitive information externally
  4. Compliance with laws in your jurisdiction
  5. Accurate and truthful data entry
  6. Training your team on data handling

Your Compliance

We provide compliance tools. You are ultimately responsible for:

  • Meeting applicable laws in your jurisdiction
  • Audit trails and proof of compliance
  • Employee training
  • Board-level oversight
  • Stakeholder communication

Contact Us

Privacy Questions: privacy@platform.com
Security Report: security@platform.com (encrypted)
Compliance Issues: compliance@platform.com

Response SLA: 24 hours for all inquiries
