Security at CarbonOS

CarbonOS is engineered for multi-tenant isolation first. Controls are designed to be explainable to enterprise security teams and mapped to common questionnaire frameworks.

Encryption in transit (TLS 1.3), encryption at rest for stored objects, and strict separation between environments. Emissions are calculated deterministically from published conversion factors with a versioned, auditable engine—not by AI or machine learning.

Database row-level security (RLS) policies enforce organization boundaries. Application code paths require an explicit tenant context for data access.

Session-based authentication with hardened cookie attributes. Sign-in is email and password only—managed through Supabase Auth with secure cookies.

Security-relevant events are recorded for accountability: authentication, administrative actions, exports, and configuration changes. Retention scales by plan.

Hosted on ISO 27001 and SOC 2 Type II certified infrastructure within the EEA. Operational access is limited, logged, and reviewed.

Defined severity levels, customer notification timelines aligned to GDPR Article 33 where applicable, and post-incident review with corrective actions.

We maintain documentation suitable for GDPR-aligned procurement: DPA, subprocessor disclosures, and architecture summaries under NDA.