Information security protocol
Hedgehog Carbon Platform
This ISP on the use of the Hedgehog Carbon Platform is part of the Information Security Protocol of Hedgehog Company.
Organisation: Hedgehog Company B.V.
Version: D1.1
Document owner: Joost Walterbos
Website: https://dashboard.hhc.earth/
First release: 12-03-2024
Last modified: 08-04-2024
Last modified by: Joost Walterbos
Company overview
Hedgehog Company is a team full of pragmatic and ambitious sustainability experts. We guide organisations through the sustainable transition with three simple steps: calculate your impact, build your action plan, and start implementing.
Impact calculations form the core business of our consultancy service for our clients. These provide insight into the status quo of the environmental performance of an organisation and enable efficient strategic planning combined with continuous monitoring of environmental KPIs. Life cycle assessments and carbon footprinting are the foundation for our impact calculations. Specific methodologies adopted by our team are mainly, but not limited to, the ISO 14040 / 14044, the EU PEF, ISO 14064, ISO 14072, the EU OEF, and the GHG protocol.
The Hedgehog Carbon Platform allows our team to build a client-specific GHG emission database. The GHG-emission references in a client-specific database are an aggregation of emission references from applicable public databases and emissions and embedded emission references from our experts’ work on the clients’ organisational and product LCAs and carbon footprints. These client-specific databases are only accessible by our experts and IT team.
When the client-specific emission reference database is finished, the client, or one of our experts, can fill in the data inputs in the data management tab in the client’s account. The client’s account is accessible by the client and by our experts.
Purpose
The purpose of this policy is to define information security policies applicable to the Hedgehog Carbon Platform that protect the confidentiality, integrity, and availability of all information and data stored on the Hedgehog Carbon Platform.
Scope
The scope of this protocol covers all third-party users of the Hedgehog Carbon Platform and all experts from Hedgehog Company working with the Hedgehog Carbon Platform.
Information Security Policy
Principle
Information security is managed based on risk, legal and regulatory requirements, and business needs.
Chief Executive Statement of Commitment
Information processing is essential to the success of the Hedgehog Carbon Platform, and the protection and security of that information is our utmost priority. We have provided the resources to develop, implement, and continually improve an information security management system (ISMS) that is appropriate for our business and compliant with ISO 27001 standards.
Joost Walterbos
23-2-2024
Saro Campisano
23-2-2024
Philip Kuipers
23-2-2024
Introduction
Information security protects the information that is entrusted to Hedgehog Carbon Platform. Neglecting our responsibilities pertaining to information security can have significant adverse effects on our customers, employees, reputation, and finances.
An effective information security management system enables Hedgehog Carbon Platform to:
- Provide assurances for our legal, regulatory, and contractual obligations
- Ensure the right people have the right access to the right data at the right time
- Protect all third-party company data and information
Information Security Defined
Information security preserves:
- Confidentiality: Access to information is restricted to those with the appropriate authority
- Integrity: Information is complete and accurate at all times
- Availability: Information is available when needed
Information Security objectives
- To ensure the confidentiality, integrity, and availability of company information based on good risk management, legal, regulatory, and contractual obligations, and business needs.
- To provide the resources required to develop, implement, and continually improve the information security management system (ISMS).
- To create a culture of information security and data protection through effective employee training and risk awareness.
- To effectively manage third-party clients who process, store, and/or transmit information and data to assess, monitor, and manage their carbon footprints for their sustainability reporting, internal and external communication, and sustainability management.
Third-party IT solutions
- Google Cloud Services issues SOC 1 Type 2 reports semi-annually around June and December. Audit reports are requested via the compliance report manager. For the purpose of checking Google’s control of information handling of the Hedgehog Carbon Platform, the C5:2020 report is reviewed on a semi-annual basis.
Information Security Policy Framework
The information security management system (ISMS) is built on an information security policy framework, which is made up of the following policies.
Data protection policy
For the protection of your data from malicious or accidental damage, we have the following measures and policies in place:
- Regular automatic backups of stored data.
- Separation of test data and (production) customer data to protect against tampering or accidental corruption of data.
- The SQL cluster is not reachable from outside; it is accessible only from within the cluster and only by whitelisted services.
- We continuously aim for compliance with OWASP guidelines (e.g. preventing SQL injection).
- We use the OAuth2 standard to authenticate and authorize access to data.
- All traffic is routed through HTTPS.
Data retention policy
- We are GDPR-compliant.
- Regular automatic backups of stored data.
- All our data is stored in secure cloud SQL instances.
- Where appropriate, we implement soft-delete to be able to restore data when necessary.
Access control policy
- We integrate the OAuth2 standard for authentication when accessing data.
- We use role-based access control (RBAC) to allow the right person access to the right data.
- We also use RBAC on an admin level, to apply the principle of least privilege (PoLP).
- Company data is only accessible to users with authorized access to this data. The authorisation is managed by company admins and admins within Hedgehog Impact Software B.V.
Information classification and handling policy
- We classify all stored information in the Hedgehog Carbon Platform as competitively sensitive information and shall treat it as such.
- Therefore, this company information is only accessible by persons working for this company, and by your Hedgehog expert.
- All company information is handled with utmost care and confidentiality by Hedgehog employees.
Information security awareness and training policy
- All our employees have signed a duty of confidentiality as part of their labour contract.
- In addition, all employees are aware of this duty, which is communicated during their introduction and written in our company’s guidelines “Hitchhiker’s guide through HHC”.
- All employees are aware of the Information Security Officer and know that they can contact the ISO with their questions or remarks.
Backup policy
- The purpose of making backups is to provide data security and to guarantee data availability to our customers. Backups are also used in the case of disaster recovery.
- All data collected in the Hedgehog Carbon Platform is under the scope of this backup policy. This entails all data stored in our cloud SQL clusters.
- We view all data collected in the Hedgehog Carbon Platform as critical data; therefore, all this data is backed up.
- All the data is backed up on a daily basis.
- We perform a full database backup.
- Backups are stored by a trusted cloud provider, Google Cloud Services.
- We comply with GDPR retention policies. Backups are deleted after a month.
- With our tech team, we have a detailed disaster recovery plan which is tested and reviewed on a regular basis, so we can ensure our customers’ data is available after any type of incident.
- We use continuous monitoring on all our services to ensure we are up-to-date with the status of the services and the platform.
Network security management policy
- All services run in a secured, closed network and can only be reached within this network.
- Access to the outside world is only available through HTTPS and requires authentication using the OAuth protocol.
Information transfer policy
- All information in the Hedgehog Carbon Platform is entered manually into the Platform by company employees or by a Hedgehog expert.
Cryptographic key management and encryption policy
- All cryptographic key management is provided by our trusted cloud partner, Google Cloud Services.
- For all cryptographic operations used within our services, we use trusted suppliers (e.g. Auth0). All software dependencies are regularly scanned for known vulnerabilities and, if necessary, updated or replaced.
- We purposefully do not make use of passwords to reduce the risk of sensitive data leaks. This way, we provide an extra layer of security for our customers.
Information Security Management Team, and other Roles and Responsibilities
Everyone at Hedgehog Company who is working with the Hedgehog Carbon Platform is responsible for understanding and adhering to the established policies and processes in the use of the Platform, as well as for reporting any suspected or confirmed breaches.
Specific roles and responsibilities regarding the information security management system (ISMS) are defined below.
These two persons make up the Information Security Management team:
- Joost Walterbos
  - Information Security Officer. Owner of this Information Security Protocol for the Hedgehog Carbon Platform and the Information Security Protocol for Hedgehog Company BV.
  - Responsible for keeping the policies up to date and for educating the Hedgehog Carbon Platform team on the protocol.
- Marko Malis
  - Lead developer of the Hedgehog Carbon Platform.
  - Responsible for the execution of the protocols in the programming and development of the Hedgehog Carbon Platform, and for educating other developers in the team on the consequences of these policies.
Monitoring
Compliance with the policies and procedures of the information security management system is monitored by the Information Security Officer and the Lead Developer. Periodic independent reviews are performed by other members of the management team every year on the 23rd of February, or on the working day closest to this date.
Legal and Regulatory Obligations
Hedgehog Carbon Platform takes its legal and regulatory obligations seriously. We comply with GDPR regulation where necessary. You can find more information on personal data we collect in our privacy statement, available on our website.
Training and awareness
Policies are made readily and easily available to all employees and third-party users. A training and communication plan is in place to communicate the policies, processes, and concepts of information security to all employees. Training needs are identified during team meetings at the start of the week and during bi-weekly knowledge sharing sessions with the whole Hedgehog team. Relevant training requirements are captured in the document 'ISP - Training needs for the team'.
Policy Compliance
Compliance measurement
The information security management team will verify compliance with this policy through various methods, including but not limited to business tool reports, internal and external audits, and feedback to the policy owner.
Exceptions
Any exception to the policy must be approved and recorded by the Information Security Management team in advance and reported to the Management Team.
Non-compliance
Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
Continual Improvement
The policy is updated and reviewed by the Management Team and the Information Security Management Team on an annual basis on the 23rd of February each year, or the closest working day, as part of the process for continual improvement.