Carbon establishes policies and controls, monitors compliance with those controls, and proves the security and compliance to third-party auditors.

Our policies are based on the following foundational principles:

Compliance Standards

Data Protection

Data at Rest

All datastores are encrypted at rest. Sensitive collections and tables also use row-level encryption.

Data in Transit

Carbon uses TLS 1.3 or higher everywhere data is transmitted over potentially insecure networks

Data Backup

Carbon backs-up all production data using a point-in-time approach. Backups are persisted for 30 days, and are globally replicated for resiliency against regional disasters.

Product Security

Penetration testing

Carbon engages with third-party firms to conduct penetration testing at least annually.

All areas of the Carbon product and cloud infrastructure are in-scope for these assessments, and source code is fully available to the testers in order to maximize the effectiveness and coverage.

Vulnerability scanning

Carbon uses multiple vulnerability monitoring techniques including code-level scanning, dependency scanning, and security reviews to identify and remediate vulnerabilities.

Vulnerabilities are prioritized based on severity and risk, and are remediated according to the following schedule:

  • Critical: 15 Days
  • High: 30 Days
  • Medium: 90 Day
  • Low: 180 Days
  • Informational: As needed

Enterprise Security

Security Education

Carbon provides comprehensive security training to all employees upon onboarding and annually. Carbon’s conducts threat briefings with employees to inform them of important security and safety-related updates that require special attention or action.

Identity and access management

Carbon employees are granted access to applications based on their role, and automatically deprovisioned upon termination of their employment. Further access must be approved according to the policies set for each application.

Multi-factor authentication is required for all employees to access company applications.

Endpoint Protection

All company devices are equipped with anti-malware protection. Endpoint security alerts are monitored with 24/7/365 coverage. We use MDM software to monitor secure configuration of endpoints, such as disk encryption, screen lock configuration, and software updates.

Responsible Disclosure

To report a security concern, please email