EcoVadis Purpose is to “Guide all companies toward a sustainable world”, and EcoVadis four core purpose objectives:
- Deliver independent, trusted, and actionable sustainability ratings and insights through methodology excellence.
- Enable the greatest number of companies to continuously improve their business practices and contribute to creating a regenerative and equitable economy.
- Cultivate an inclusive learning environment for our people, providing meaningful work and empowering future generations of sustainability practitioners.
- Foster collective action within our ecosystem to accelerate the transition to a sustainable world.
EcoVadis has developed a quality management system (QMS) which is certified ISO 9001. We actively pursue ever-improving quality through a process management system that enables each employee to do their job right the first time and every time in a safe and stimulating work environment. It is supported by our tailor made and self-developed IT platform which guides employees through the whole process. We constantly put our efforts into continuously improving the processes by being advised by specialized bodies like our methodology committee.
- Employee training program
- Q&IS training programs for all newcomers during the onboarding period with quizzes and set pass marks to verify effectiveness plus mandatory annual refresher training for all employees followed by quizzes.
- Corrective and preventive action
- Continuous improvement with the identification of improvement areas to eliminate non-conformities or prevent reoccurence. One example being the use of the Quality tool for non conformities detection and feedback provision through the evaluation process.
- Incident management Process
- Customer and supplier complaints as well as internal issues are reported, recorded and managed through an Incident Management Platform. All incidents are reviewed regularly by concerned parties and resolved within a given timeframe.
- Internal audit
- The Internal Audit Program is set over a period of 3 years where Information Security audits are conducted twice per year and all internal processes undergo a Quality audit at least once per year. Audit results are reviewed and discussed during our biannual Management Review.
EcoVadis provides holistic sustainability ratings service of companies, delivered via a global cloud-based SaaS platform hosted in Microsoft Azure – one of the most trusted cloud hosting providers.
We are committed to provide the highest level of Information Security and to continuously improve in order to protect all stakeholders’ data in an evolving landscape of information security threats. For this reason, EcoVadis has established an Information Security management system (ISMS) which undergoes regular independent third-party audits for ISO/IEC 27001 compliance (please see the certificate and statement of applicability).
Our ISMS enables us to systematically operate and maintain information security in our business processes and services and to determine and apply the necessary security measures based on our risk evaluation.
Our Information Security Policies are regularly reviewed and updated to confirm that the content remains timely and accurate and it still correlates to compliance requirements industry best practices applicable to us.
We have a dedicated, in-house team responsible for developing, maintaining and monitoring of information security. Priorities are established worldwide within our organization to provide a single, coherent vision around the protection of our assets.
At EcoVadis, we realize that raising awareness about threats to information security is an ongoing process. Our employees are regularly trained in IT and Information Security best practices and alignment with EcoVadis IT Security standards, and the way to operate IT systems in a secure manner.
We maintain an accurate and current inventory of assets associated with the service provided and classify information in terms of legal requirements, value, criticality and sensitivity to unauthorized disclosure or modification.
Azure is a multi tenant service, there is a logical separation in place which isolates data between customers.
Access rights and privileges to EcoVadis information systems and network domains must be allocated based on the specific requirement of a user’s job function (RBAC), we follow need-to-know and least privilege principles.
Our clients manage their access independently: the client platform administrator can create and deactivate users as needed. The platform can be accessed using username & password. We also provide a Single sign-on (SSO) authentication capability for requesting companies and you can contact your usual commercial contact for more information.
Data is encrypted (at rest and in transit) using industry-approved encryption algorithms and methods. We follow industry best practices to securely store and manage secrets within our environment.
Our platforms are hosted in Microsoft Azure datacenters located in the EU. According to a shared responsibility model in the cloud, physical security controls fall under the obligation of Microsoft. More information about the controls can be found here.
We make sure that changes to the organization, business processes, information processing facilities and systems that affect information security are controlled. We have implemented monitoring and detection technology and processes to identify, prevent, and manage malware vulnerabilities, or other security-relevant events within our infrastructure. Best security hardening practices are followed, such as CIS (Center for Internet Security) for operating systems and Microsoft Azure hardening guides for cloud services.
Network access to internal services and servers is restricted and secured. We have a Web Application Firewall in place (please see details here) and use Azure Front Door – a modern cloud content delivery network (CDN) service that delivers high performance, scalability, and secure user experiences.
We use industry standards to build in security for our Systems/Software Development Lifecycle (SDLC). It is ensured that new developments undergo proper testing and validation processes prior to going live. Development, testing, and operational environments are separated.
We have established information security requirements for suppliers that may access, process, store, communicate, or provide IT infrastructure components for the organization’s information. We also conduct cybersecurity and data security risk assessments of suppliers with access to our network, data or other sensitive information.
We continuously work on providing highly secure services to our clients, but incidents are an inevitable reality that has to be carefully managed. At EcoVadis, appropriate measures are implemented to ensure a consistent and effective approach to the management of information security incidents. Our security incident management process covers, but it is not limited to: client notification, maintaining written procedures to be followed in the event of a security incident and using all reasonable efforts to mitigate its consequences.
We are committed to make sure that information processing facilities are implemented with redundancy sufficient to meet availability requirements (please see our platform’s uptime report where service performance, availability and real user experience are constantly monitored).
Backups are performed and tested regularly in accordance with the defined backup policy.
To provide us with a more complete view of our information security compliance, we conduct several types of audit and technical reviews:
– Infrastructure Reviews
– Code Reviews (SAST: Static Application Security Testing, SCA: Software Composition Analysis)
– Web application penetration testing (this is performed at least once a year by an external company)
– External Posture Management
– Internal Risk Assessments
– ISO 27001 certification audits
We have filled in several standard questionnaires. The result can be shared on demand
- Cybervadis
- CyberGRX
- SecurityScorecard:
- Whistic
Microsoft Azure certifications are available in the Service Trust Portal.
Notice required by licensors of any open source libraries or components related to any of the applicable services. EcoVadis solution sometimes includes, or depends upon, open source libraries. To comply with the license requirements of open source libraries and licensee’s attribution moral right, below there is a list of open-source software used to build our products – please be informed that all information here is provided “as is” and might be subject to a change by the licensee:
| Component/project name | License |
| ActiveUp.Net | LGPL 2.1 * |
| AjaxControlToolkit | BSD 3 |
| Bootstrap | MIT |
| ClosedXML | MIT |
| DocumentFormat.OpenXml | MIT |
| Editor_plugin | LGPL 2.0 * |
| EPPlus | LGPL 2.1 * |
| Highcharts | CC BY NC 3.0 |
| ICSharpCode | MIT |
| Ionic | Zlib |
| jQuery.dataTables | MIT |
| jQuery.easing | MIT |
| jQuery.easy | MIT |
| jQuery.form | MIT |
| jQuery.linq | MIT |
| jQuery.multiselect | MIT |
| jQuery.perfect-scrollbar-with-mousewheel | MIT |
| jQuery.scrollTo | MIT |
| jQuery.slim | MIT |
| jQuery.tipTip | MIT |
| jQuery.validate.unobtrusive | Apache 2.0 |
| jQuery.validate | MIT |
| jQuery | MIT |
| Knockout | MIT |
| LINQ | Microsoft Public |
| Modernizr | MIT |
| Newtonsoft | MIT |
| PayPal .NET SDK | SDK LICENSE |
| Ninject | Apache 2.0 |
| NLog | BSD 3 |
| NPOI | Apache 2.0 |
| Prototype | MIT |
| wkhtmltoimage | LGPL 3.0 * |
| wkhtmltopdf | LGPL 3.0 * |
| wkhtmltox | LGPL 3.0 * |
* The application is linked dynamically to LGPL license, consequently, the proprietary code can be kept proprietary.
EcoVadis believes that the GDPR is an important step to strengthen and harmonize data protection of EU citizens’ personal data. As a data controller for the provided Rating services Ecovadis is committed to comply with GDPR and as far as they are applicable to international data protection regulations and to put in place the best practices.
Ecovadis uses the ISO 27001 standard, for which we are certified, as a framework and integrates personal data protection aspects in its management system. We use the complementary ISO 27701 framework to meet GDPR requirements. Our data protection practices and compliance are confirmed by a third party audit.
For the data processing performed outside of the EU, we have in place Standard Contractual Clauses (SCCs) with our subsidiaries.
We always carefully select our providers (processors) and we require the conclusion of Data Protection Agreements with processors and Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCR) in case of processing outside of the EEA region to be able to work for us. We always aim to choose subscriptions with providers to have data hosted on servers based in Europe. We use the following processors to provide our service:
We rely on the recommendations on additional measures issued by the French Data protection authority CNIL and the European Data Protection Board concerning the possibilities of transferring data to the United States based on SCCs (or BCR).
Learn more in our statement of data privacy
EcoVadis is committed to be in compliance with all applicable laws and regulations applicable to an operator of general purpose online services, including without limitation, the laws of France and the United States of America, in terms of its own operating locations for the services.
Destination Restrictions
Taking into account overall business risks, Ecovadis products and services are not available for export, reexport, transfer and/or use in the following countries/regions (subject to change without notice):
- the regions of Crimea, Donetsk, and Luhansk
- Cuba
- Iran
- North Korea
- Syria
Additionally, transactions with or related to certain destinations that pose an elevated export control or sanctions risk are subject to enhanced due diligence requirements.
End-User Restrictions
EcoVadis products and services are not available to entities and individuals with whom transactions are prohibited under applicable export control and sanctions laws, including those listed on any applicable sanctioned party lists (e.g., European Union Sanctions List, U.S. Specially Designated National (SDN) lists, OFAC, United Nations Security Council Sanctions, local lists where EcoVadis has its presence).
End-use Restrictions
EcoVadis Services must not be used for any purposes prohibited by Applicable Export Laws, including, without limitation, for the development, design, manufacture or production of nuclear, chemical or biological weapons of mass destruction.
This web page is for general informational purposes only and does not constitute legal advice.