プライバシーとトラスト

Certifications

Quality (ISO 9001)

EcoVadisの目的は、「全ての企業を持続可能な世界に導くこと」であり、EcoVadisの4つのコア目的は以下のとおりです：

優れた評価手法を通じて、独立した、信頼できるサステナビリティ評価と洞察を提供する。
最大限の数の企業がビジネス慣行を継続的に改善し、再生可能かつ公正な経済の創造に貢献できるようにする。
従業員のために包括的な学習環境を整備し、有意義な仕事を提供し、サステイナビリティを実践する未来の世代に力を与える。
持続可能な世界への移行を加速するために、当社のエコシステム内で集団行動を促進する。

EcoVadis has developed a quality management system (QMS) which is certified ISO 9001 (please see the certificate). We actively pursue ever-improving quality through a process management system that enables each employee to do their job right the first time and every time in a safe and stimulating work environment. It is supported by our tailor made and self-developed IT platform which guides employees through the whole process.

We constantly put our efforts into continuously improving the processes by being advised by specialized bodies like our methodology committee.

従業員トレーニングプログラム

新入社員には情報セキュリティトレーニングを実施し、テストおよび合格点を設定して効果を確認します。また、全社員に対して年1回の再教育とテストが義務付けられています。

是正・予防措置

不適合をなくすため、または再発を防止するための改善点を特定し、継続的に改善します。その一例として、品質ツールを使用して不適合を検出し、評価プロセスを通じてフィードバックを提供します。

Customer Complaints

顧客やサプライヤーからの苦情や社内の問題は、インシデント管理プラットフォームを通じて報告、記録、管理しています。すべてのインシデントは、関係者によって定期的にレビューされ、所定の期間内に解決されます。

内部監査

内部監査プログラムは3年間にわたって実施し、情報セキュリティ監査は年2回、すべての内部プロセスについては品質監査を少なくとも年1回実施しています。監査結果については、マネジメントレビューにおいて確認と検討を行っています。

Information Security (ISO 27001)

EcoVadisは、最も信頼できるクラウドホスティングプロバイダーの1つであるMicrosoft AzureにホストされたグローバルクラウドベースのSaaSプラットフォームを介して、企業の包括的なサステナビリティ評価サービスを提供しています。

当社は、情報セキュリティの脅威が進化する中で、すべてのステークホルダーのデータを保護するために、最高レベルの情報セキュリティを提供し、継続的に改善することを約束します。このため、EcoVadisでは、情報セキュリティマネジメントシステム（ISMS）を確立し、 ISO/IEC 27001のコンプライアンスについて、独立した第三者の監査を定期的に受けています（認証および適合証明書を参照してください）。

当社のISMSは、当社の業務プロセスやサービスにおける情報セキュリティを組織的に運用・維持し、リスク評価に基づいて必要なセキュリティ措置を決定・適用することができるようにしています。

Information Security Governance

Our Information Security Policies are subject to regular review and updates to ensure their timeliness, accuracy, and continued alignment with applicable compliance requirements and industry best practices. We maintain a dedicated, in-house team responsible for the development, maintenance, and monitoring of information security. Priorities are established globally within our organization to provide a coherent vision for the protection of organizational assets.

Asset Management and Tenancy

We maintain a precise and current inventory of all service-related assets. Information is formally classified based on legal requirements, value, criticality, and sensitivity to unauthorized disclosure or modification. Utilizing Azure as a multi-tenant service, we enforce logical separation to ensure the complete isolation of data between customers.

Third-Party Risk Management

Information security requirements are established for suppliers that may access, process, store, communicate, or provide IT infrastructure components. We conduct periodic cybersecurity and data security risk assessments of suppliers with access to our network or sensitive data, with defined follow-up actions being formally tracked and implemented.

Security Operations and Incident Response

A 24/7 Security Operations Center (SOC) provides continuous monitoring and protection of systems and data. We have implemented robust measures to ensure a consistent and effective approach to managing information security incidents. Our security incident management process includes maintaining written procedures, using all reasonable efforts to mitigate consequences, and client notification.

Business Continuity and Disaster Recovery (BCP)

We ensure that information processing facilities are implemented with sufficient redundancy to meet availability requirements. Service performance, availability, and real user experience are continuously monitored (please see our platform’s uptime report where service performance, availability and real user experience are constantly monitored). Backups are performed and tested regularly in accordance with the defined backup policy.

Awareness, Education, and Training

Personnel are subject to mandatory, ongoing information security awareness, education, and training. This program is designed to align with EcoVadis IT Security standards, educate staff on secure operating practices for IT systems, and ensure comprehension of applicable security threats. Simulated phishing campaigns are conducted frequently to enhance cybersecurity awareness and test personnel response protocols.

Prior to Employment

In accordance with legal and regulatory mandates, systematic reference checks are performed during the selection process for all candidates. Furthermore, criminal background verification is conducted for all new hires where legally authorized, such as for personnel based in the U.S.

アクセスコントロール

Access rights and privileges to EcoVadis information systems and network domains are allocated based on a Role-Based Access Control (RBAC) model, strictly adhering to the principles of need-to-know and least privilege.

Client Access Management

Clients retain control over their user environment. The client platform administrator is empowered to manage user accounts, including creation and deactivation. Platform access is primarily secured via username and password authentication, with Single Sign-On (SSO) capability offered to requesting companies (please contact your usual commercial contact for more information).

暗号化

All data is protected both at rest and in transit utilizing industry-approved encryption algorithms and methods. Secrets are securely stored and managed in accordance with established industry best practices.

事業活動セキュリティ

Change Management and Hardening

Changes impacting the organization, business processes, information processing facilities, and systems are formally controlled. We follow rigorous security hardening guidelines, including the Center for Internet Security (CIS) Benchmarks for operating systems and Microsoft Azure hardening guides for cloud services.

Monitoring and Threat Management

Monitoring and detection technologies are implemented to identify, prevent, and manage malware, vulnerabilities, and other security-relevant events across our infrastructure.

コミュニケーションセキュリティ

Network access to internal services and servers is restricted and secured. We utilize a Web Application Firewall (WAF – please see details here and leverage Azure Front Door, a cloud Content Delivery Network (CDN), to ensure high performance, scalability, and a secure user experience.

System Acquisition, Development and Maintenance.

Security is integrated into our SDLC via adherence to industry standards. New developments are subject to mandatory testing and validation processes before deployment. Development, testing, and operational environments are separated.

Our platforms are hosted in Microsoft Azure datacenters located in the EU. According to a shared responsibility model in the cloud, physical security controls fall under the obligation of Microsoft. More information about the controls can be found here.

To ensure the continuous integrity and resilience of our platform, we maintain a multi-layered security program. Our approach combines automated real-time monitoring with deep-dive manual analysis across several security domains. This defense-in-depth strategy includes:

Security tests

Application Security Testing: integrating Static Application Security Testing (SAST) for deep code analysis, Software Composition Analysis (SCA) to monitor open-source dependencies, and Dynamic Application Security Testing (DAST) to evaluate the application in a running state, on top of our specialists’ regular manual and automated reviews.
Infrastructure Reviews: relying on our Cloud Security Posture Management solutions (CSPM), and different vulnerability scanning platforms and automations.
Secure Access: On top of our perimeter controls, such as our Web Application Firewall (WAF), our SASE framework provides secure, encrypted connectivity for our global workforce, ensuring that security policies are applied consistently at the “edge,” closest to the user.
Independent Validation: In addition to internal reviews and our certifications, we engage reputable third-party security firms to conduct Annual Penetration Tests.

Remediation Targets

We prioritize the resolution of security findings based on their severity. Our structured remediation targets ensure that critical risks are addressed with urgency:

Critical – 7 days
High – 1 month
Medium – 3 months
Low – no specific due date is determined

While we strive to meet these timeframes, final remediation schedules may be adjusted based on the complexity of the fix and the specific risk context.

Independent validation

On top of this, our commitment to security is validated by independent auditors and industry-standard rating planforms:

ISO 27001: We use this standard as our main reference for information security management.
Standardized Assessments: We maintain up-to-date profiles on major security risk platforms, including Cybervadis, CyberGRX, and Whistic. Results may be shared on demand.
CSP certifications: Microsoft Azure certifications are available in the Service Trust Portal

Information Security Governance

Our Information Security Policies are subject to regular review and updates to ensure their timeliness, accuracy, and continued alignment with applicable compliance requirements and industry best practices. We maintain a dedicated, in-house team responsible for the development, maintenance, and monitoring of information security. Priorities are established globally within our organization to provide a coherent vision for the protection of organizational assets.

Asset Management and Tenancy

We maintain a precise and current inventory of all service-related assets. Information is formally classified based on legal requirements, value, criticality, and sensitivity to unauthorized disclosure or modification. Utilizing Azure as a multi-tenant service, we enforce logical separation to ensure the complete isolation of data between customers.

Third-Party Risk Management

Information security requirements are established for suppliers that may access, process, store, communicate, or provide IT infrastructure components. We conduct periodic cybersecurity and data security risk assessments of suppliers with access to our network or sensitive data, with defined follow-up actions being formally tracked and implemented.

Security Operations and Incident Response

A 24/7 Security Operations Center (SOC) provides continuous monitoring and protection of systems and data. We have implemented robust measures to ensure a consistent and effective approach to managing information security incidents. Our security incident management process includes maintaining written procedures, using all reasonable efforts to mitigate consequences, and client notification.

Business Continuity and Disaster Recovery (BCP)

We ensure that information processing facilities are implemented with sufficient redundancy to meet availability requirements. Service performance, availability, and real user experience are continuously monitored (please see our platform’s uptime report where service performance, availability and real user experience are constantly monitored). Backups are performed and tested regularly in accordance with the defined backup policy.

Awareness, Education, and Training

Personnel are subject to mandatory, ongoing information security awareness, education, and training. This program is designed to align with EcoVadis IT Security standards, educate staff on secure operating practices for IT systems, and ensure comprehension of applicable security threats. Simulated phishing campaigns are conducted frequently to enhance cybersecurity awareness and test personnel response protocols.

Prior to Employment

In accordance with legal and regulatory mandates, systematic reference checks are performed during the selection process for all candidates. Furthermore, criminal background verification is conducted for all new hires where legally authorized, such as for personnel based in the U.S.

アクセスコントロール

Access rights and privileges to EcoVadis information systems and network domains are allocated based on a Role-Based Access Control (RBAC) model, strictly adhering to the principles of need-to-know and least privilege.

Client Access Management

Clients retain control over their user environment. The client platform administrator is empowered to manage user accounts, including creation and deactivation. Platform access is primarily secured via username and password authentication, with Single Sign-On (SSO) capability offered to requesting companies (please contact your usual commercial contact for more information).

暗号化

All data is protected both at rest and in transit utilizing industry-approved encryption algorithms and methods. Secrets are securely stored and managed in accordance with established industry best practices.

事業活動セキュリティ

Change Management and Hardening

Changes impacting the organization, business processes, information processing facilities, and systems are formally controlled. We follow rigorous security hardening guidelines, including the Center for Internet Security (CIS) Benchmarks for operating systems and Microsoft Azure hardening guides for cloud services.

Monitoring and Threat Management

Monitoring and detection technologies are implemented to identify, prevent, and manage malware, vulnerabilities, and other security-relevant events across our infrastructure.

コミュニケーションセキュリティ

Network access to internal services and servers is restricted and secured. We utilize a Web Application Firewall (WAF – please see details here and leverage Azure Front Door, a cloud Content Delivery Network (CDN), to ensure high performance, scalability, and a secure user experience.

System Acquisition, Development and Maintenance.

Security is integrated into our SDLC via adherence to industry standards. New developments are subject to mandatory testing and validation processes before deployment. Development, testing, and operational environments are separated.

Our platforms are hosted in Microsoft Azure datacenters located in the EU. According to a shared responsibility model in the cloud, physical security controls fall under the obligation of Microsoft. More information about the controls can be found here.

To ensure the continuous integrity and resilience of our platform, we maintain a multi-layered security program. Our approach combines automated real-time monitoring with deep-dive manual analysis across several security domains. This defense-in-depth strategy includes:

Security tests

Application Security Testing: integrating Static Application Security Testing (SAST) for deep code analysis, Software Composition Analysis (SCA) to monitor open-source dependencies, and Dynamic Application Security Testing (DAST) to evaluate the application in a running state, on top of our specialists’ regular manual and automated reviews.
Infrastructure Reviews: relying on our Cloud Security Posture Management solutions (CSPM), and different vulnerability scanning platforms and automations.
Secure Access: On top of our perimeter controls, such as our Web Application Firewall (WAF), our SASE framework provides secure, encrypted connectivity for our global workforce, ensuring that security policies are applied consistently at the “edge,” closest to the user.
Independent Validation: In addition to internal reviews and our certifications, we engage reputable third-party security firms to conduct Annual Penetration Tests.

Remediation Targets

We prioritize the resolution of security findings based on their severity. Our structured remediation targets ensure that critical risks are addressed with urgency:

Critical – 7 days
High – 1 month
Medium – 3 months
Low – no specific due date is determined

While we strive to meet these timeframes, final remediation schedules may be adjusted based on the complexity of the fix and the specific risk context.

Independent validation

On top of this, our commitment to security is validated by independent auditors and industry-standard rating planforms:

ISO 27001: We use this standard as our main reference for information security management.
Standardized Assessments: We maintain up-to-date profiles on major security risk platforms, including Cybervadis, CyberGRX, and Whistic. Results may be shared on demand.
CSP certifications: Microsoft Azure certifications are available in the Service Trust Portal

EU一般データ保護規則

EcoVadis believes that the GDPR is an important step to strengthen and harmonize data protection of EU citizens’ personal data. As a data controller for the provided Sustainability services Ecovadis is committed to comply with GDPR and as far as they are applicable to international data protection regulations and to put in place the best practices.

Ecovadis uses the ISO 27001 standard, for which we are certified, as a framework and integrates personal data protection aspects in its management system. We use the complementary ISO 27701 framework to meet GDPR and data protection requirements. Our data protection practices and compliance are confirmed by a third party audit.

For the data processing performed outside of the EEA, we have in place Standard Contractual Clauses (SCCs) with our subsidiaries.

EcoVadisは常にプロバイダー（処理業者）を慎重に選び、EcoVadisのために業務を行う前に、処理業者とのデータ保護契約の締結、EEA地域外での処理の場合には標準契約条項（SCC）または拘束力のある企業規則（BCR）の締結を求めています。当社は、ヨーロッパに拠点を置くサーバーでデータをホスティングするプロバイダーとの契約を選択することを常に目指しています。以下のプロセッサを使用してサービスを提供しています：

法人	住所	目的	データ処理とデータ転送	セキュリティに関する追加情報
ZenDesk Inc	1019 Market Street, San Francisco, CA 94103 USA	ヘルプセンター	link	link
SFDC SAS	SFDC France 3 Avenue Octave Gréard 75007 Paris France	CRMとカスタマーサポート	link	link
Microsoft France SAS	Microsoft France SAS 37 Quai du Président Roosevelt, 92130 Issy-les-Moulineaux, FRANCE	サステナビリティ評価プラットフォームのホスティング	link	link
Google Cloud France	Google Cloud France 8 Rue de Londres, 75009 Paris, France	お客様とのコミュニケーション	link	link
Docebo S.p.A.Limited	Limited 6th floor, 48 Gracechurch Street, London – UK	Eラーニングプラットフォーム	link	link
Pendo.io Inc.	150 Fayetteville St #140027601 Raleigh NC, USA	プラットフォーム分析とクライアント調査	link	link
Productboard Inc.	612 Howard streetCA 94105 San Francisco CA, USA	製品管理とクライアント調査	link	link
SurveyMonkey Inc.	910 Park Pl, Suite 300, San Mateo, CA 94403, USA	クライアント調査	link	link
Aircall SAS	11 Rue Saint Georges, 75009 Paris, FRANCE	通話録音	link	link
HubSpot France SAS	24 Rue Cambacérès 75008 Paris France	Marketing & Customer communication	link	link

Hubspot Inc	2 Canal Park, Cambridge, Massachusetts, 02141, US	Marketing & Customer communication	link	link

Amazon Web Services Canada, Inc.	120 Bremner Blvd, 26th Floor, Toronto, Ontario, M5J 0A8, Canada	Hosting of ULULA service (Human rights due diligence platform) integrated with the Sustainability assessment platform	link	link

We rely on the recommendations on additional measures issued by the French Data protection authority CNIL and the European Data Protection Board concerning the possibilities of transferring data to countries outside the EEA based on SCCs (or BCR).

Learn more in our statement of data privacy

輸出管理・制裁措置コンプライアンス

EcoVadisは、サービスの運営場所に関して、フランスおよび米国の法律を含むがこれらに限定されない、汎用オンラインサービスの運営者に適用されるすべての適用法および規制を遵守することを約束します。

製品およびサービス提供先の制限

総合的な事業リスクを考慮し、EcoVadis製品およびサービスは、以下の国/地域（予告なく変更される場合があります）への輸出、再輸出、移転またはそれらの国での使用を禁じています。

クリミア地域、ドネツク地域、ルハンシク地域
キューバ
イラン
北朝鮮
シリア

さらに、輸出管理・制裁措置に関するリスクの高い特定の相手先との取引やそれに関連する取引については、強化されたデューデリジェンスを実施します。

End-user Restrictions

適用される制裁対象者リスト（例：欧州連合制裁リスト、米国特別指定国（SDN）リスト、OFAC、国連安全保障理事会制裁、EcoVadisが存在する地域のリスト）に記載されている者を含む、適用される輸出管理法および制裁法で取引が禁止されている団体および個人は、EcoVadis製品およびサービスを利用できません。

最終用途の制限

EcoVadisのサービスは、核兵器、化学兵器または生物兵器の大量破壊兵器の開発、設計、製造または生産を含むがこれらに限定されない、適用輸出法で禁止されるいかなる目的にも使用してはなりません。

Documents and Resources

General Terms and conditions

アクセシビリティ適合性レポート WCAG版

Statement of Applicability

倫理規定

Suplier Code of conduct

EcoVadis現代奴隷制声明

*Open source libraries or components related to any of the applicable services. EcoVadis solution sometimes includes, or depends upon, open source libraries. To comply with the license requirements of open source libraries and licensee’s attribution moral right, below there is a list of open-source software used to build our products – please be informed that all information here is provided “as is” and might be subject to a change by the lecensee:
License
AFL-2.1, Apache-2.0, BSD-2-Clause, BSD-3-Clause, CC-BY-4.0, ISC, JSON, LGPL-2.1*, LGPL-3.0*, Microsoft .NET, ASP NET MVC3 EULA, BlueOak-1.0.0, Bouncy Castle License, 0BSD, Aduna BSD License, BSD-4-Clause, CC-BY-3.0, CC-BY-4.0, CC-BY-SA-2.0 CC-BY-SA-3.0, CC-PDD, CCC0-1.0, JQuery, MPL-1.1, MulanPSL-2.0, OpenSSL, Python-2.0
Library License
MIT, MPL-2.0, MS-PL, PostgreSQL, WTFPL, Zlib

* アプリケーションは、LGPLライセンスに動的にリンクされているため、プロプライエタリコードを専有できます。

Conflict of Interest Policy

Third-Party Professional Conduct Policy

人工知能（AI）の使用

EcoVadis designs, implements, and deploys AI solutions in the responsible way paying close attention to model explainability, monitoring, and main principles of trustworthy AI.

With the rise of generative AI, we invest in AI safety and AI governance and ensure that generative AI solutions have appropriate guardrails in place.