Privacy and Trust

Certifications

Quality (ISO 9001)

EcoVadis Purpose is to “Guide all companies toward a sustainable world”, and EcoVadis four core purpose objectives are:

Deliver independent, trusted, and actionable sustainability ratings and insights through methodology excellence.
Enable the greatest number of companies to continuously improve their business practices and contribute to creating a regenerative and equitable economy.
Cultivate an inclusive learning environment for our people, providing meaningful work and empowering future generations of sustainability practitioners.
Foster collective action within our ecosystem to accelerate the transition to a sustainable world.

EcoVadis has developed a quality management system (QMS) which is certified ISO 9001 (please see the certificate). We actively pursue ever-improving quality through a process management system that enables each employee to do their job right the first time and every time in a safe and stimulating work environment. It is supported by our tailor made and self-developed IT platform which guides employees through the whole process.

We constantly put our efforts into continuously improving the processes by being advised by specialized bodies like our methodology committee.

Employee training program

Quality & Information Security training programs for all newcomers during the onboarding period with quizzes and set pass marks to verify effectiveness plus mandatory annual refresher training for all employees followed by quizzes.

Corrective and preventive action

Continuous improvement with the identification of improvement areas to eliminate non-conformities or prevent reoccurence. One example being the use of the Quality tool for non conformities detection and feedback provision through the evaluation process.

Customer Complaints

Customer and supplier complaints as well as internal issues are reported, recorded and managed through an Incident Management Platform. All incidents are reviewed regularly by concerned parties and resolved within a given timeframe.

Internal audit

The Internal Audit Program is set over a period of 3 years where Information Security audits are conducted twice per year and all internal processes undergo a Quality audit at least once per year. Audit results are reviewed and discussed during our Management Review meetings.

Information Security (ISO 27001)

EcoVadis provides holistic sustainability ratings service of companies, delivered via a global cloud-based SaaS platform hosted in Microsoft Azure – one of the most trusted cloud hosting providers.

We are committed to provide the highest level of Information Security and to continuously improve in order to protect all stakeholders’ data in an evolving landscape of information security threats. For this reason, EcoVadis has established an Information Security management system (ISMS) which undergoes regular independent third-party audits for ISO/IEC 27001 compliance (please see the certificate and statement of applicability).

Our ISMS enables us to systematically operate and maintain information security in our business processes and services and to determine and apply the necessary security measures based on our risk evaluation.

Information Security Governance

Our Information Security Policies are subject to regular review and updates to ensure their timeliness, accuracy, and continued alignment with applicable compliance requirements and industry best practices. We maintain a dedicated, in-house team responsible for the development, maintenance, and monitoring of information security. Priorities are established globally within our organization to provide a coherent vision for the protection of organizational assets.

Asset Management and Tenancy

We maintain a precise and current inventory of all service-related assets. Information is formally classified based on legal requirements, value, criticality, and sensitivity to unauthorized disclosure or modification. Utilizing Azure as a multi-tenant service, we enforce logical separation to ensure the complete isolation of data between customers.

Third-Party Risk Management

Information security requirements are established for suppliers that may access, process, store, communicate, or provide IT infrastructure components. We conduct periodic cybersecurity and data security risk assessments of suppliers with access to our network or sensitive data, with defined follow-up actions being formally tracked and implemented.

Security Operations and Incident Response

A 24/7 Security Operations Center (SOC) provides continuous monitoring and protection of systems and data. We have implemented robust measures to ensure a consistent and effective approach to managing information security incidents. Our security incident management process includes maintaining written procedures, using all reasonable efforts to mitigate consequences, and client notification.

Business Continuity and Disaster Recovery (BCP)

We ensure that information processing facilities are implemented with sufficient redundancy to meet availability requirements. Service performance, availability, and real user experience are continuously monitored (please see our platform’s uptime report where service performance, availability and real user experience are constantly monitored). Backups are performed and tested regularly in accordance with the defined backup policy.

Awareness, Education, and Training

Personnel are subject to mandatory, ongoing information security awareness, education, and training. This program is designed to align with EcoVadis IT Security standards, educate staff on secure operating practices for IT systems, and ensure comprehension of applicable security threats. Simulated phishing campaigns are conducted frequently to enhance cybersecurity awareness and test personnel response protocols.

Prior to Employment

In accordance with legal and regulatory mandates, systematic reference checks are performed during the selection process for all candidates. Furthermore, criminal background verification is conducted for all new hires where legally authorized, such as for personnel based in the U.S.

Access Control

Access rights and privileges to EcoVadis information systems and network domains are allocated based on a Role-Based Access Control (RBAC) model, strictly adhering to the principles of need-to-know and least privilege.

Client Access Management

Clients retain control over their user environment. The client platform administrator is empowered to manage user accounts, including creation and deactivation. Platform access is primarily secured via username and password authentication, with Single Sign-On (SSO) capability offered to requesting companies (please contact your usual commercial contact for more information).

Cryptography

All data is protected both at rest and in transit utilizing industry-approved encryption algorithms and methods. Secrets are securely stored and managed in accordance with established industry best practices.

Operations Security

Change Management and Hardening

Changes impacting the organization, business processes, information processing facilities, and systems are formally controlled. We follow rigorous security hardening guidelines, including the Center for Internet Security (CIS) Benchmarks for operating systems and Microsoft Azure hardening guides for cloud services.

Monitoring and Threat Management

Monitoring and detection technologies are implemented to identify, prevent, and manage malware, vulnerabilities, and other security-relevant events across our infrastructure.

Communications Security

Network access to internal services and servers is restricted and secured. We utilize a Web Application Firewall (WAF – please see details here and leverage Azure Front Door, a cloud Content Delivery Network (CDN), to ensure high performance, scalability, and a secure user experience.

System Acquisition, Development and Maintenance.

Security is integrated into our SDLC via adherence to industry standards. New developments are subject to mandatory testing and validation processes before deployment. Development, testing, and operational environments are separated.

Our platforms are hosted in Microsoft Azure datacenters located in the EU. According to a shared responsibility model in the cloud, physical security controls fall under the obligation of Microsoft. More information about the controls can be found here.

To ensure the continuous integrity and resilience of our platform, we maintain a multi-layered security program. Our approach combines automated real-time monitoring with deep-dive manual analysis across several security domains. This defense-in-depth strategy includes:

Security tests

Application Security Testing: integrating Static Application Security Testing (SAST) for deep code analysis, Software Composition Analysis (SCA) to monitor open-source dependencies, and Dynamic Application Security Testing (DAST) to evaluate the application in a running state, on top of our specialists’ regular manual and automated reviews.
Infrastructure Reviews: relying on our Cloud Security Posture Management solutions (CSPM), and different vulnerability scanning platforms and automations.
Secure Access: On top of our perimeter controls, such as our Web Application Firewall (WAF), our SASE framework provides secure, encrypted connectivity for our global workforce, ensuring that security policies are applied consistently at the “edge,” closest to the user.
Independent Validation: In addition to internal reviews and our certifications, we engage reputable third-party security firms to conduct Annual Penetration Tests.

Remediation Targets

We prioritize the resolution of security findings based on their severity. Our structured remediation targets ensure that critical risks are addressed with urgency:

Critical – 7 days
High – 1 month
Medium – 3 months
Low – no specific due date is determined

While we strive to meet these timeframes, final remediation schedules may be adjusted based on the complexity of the fix and the specific risk context.

Independent validation

On top of this, our commitment to security is validated by independent auditors and industry-standard rating planforms:

ISO 27001: We use this standard as our main reference for information security management.
Standardized Assessments: We maintain up-to-date profiles on major security risk platforms, including Cybervadis, CyberGRX, and Whistic. Results may be shared on demand.
CSP certifications: Microsoft Azure certifications are available in the Service Trust Portal

Information Security Governance

Our Information Security Policies are subject to regular review and updates to ensure their timeliness, accuracy, and continued alignment with applicable compliance requirements and industry best practices. We maintain a dedicated, in-house team responsible for the development, maintenance, and monitoring of information security. Priorities are established globally within our organization to provide a coherent vision for the protection of organizational assets.

Asset Management and Tenancy

We maintain a precise and current inventory of all service-related assets. Information is formally classified based on legal requirements, value, criticality, and sensitivity to unauthorized disclosure or modification. Utilizing Azure as a multi-tenant service, we enforce logical separation to ensure the complete isolation of data between customers.

Third-Party Risk Management

Information security requirements are established for suppliers that may access, process, store, communicate, or provide IT infrastructure components. We conduct periodic cybersecurity and data security risk assessments of suppliers with access to our network or sensitive data, with defined follow-up actions being formally tracked and implemented.

Security Operations and Incident Response

A 24/7 Security Operations Center (SOC) provides continuous monitoring and protection of systems and data. We have implemented robust measures to ensure a consistent and effective approach to managing information security incidents. Our security incident management process includes maintaining written procedures, using all reasonable efforts to mitigate consequences, and client notification.

Business Continuity and Disaster Recovery (BCP)

We ensure that information processing facilities are implemented with sufficient redundancy to meet availability requirements. Service performance, availability, and real user experience are continuously monitored (please see our platform’s uptime report where service performance, availability and real user experience are constantly monitored). Backups are performed and tested regularly in accordance with the defined backup policy.

Awareness, Education, and Training

Personnel are subject to mandatory, ongoing information security awareness, education, and training. This program is designed to align with EcoVadis IT Security standards, educate staff on secure operating practices for IT systems, and ensure comprehension of applicable security threats. Simulated phishing campaigns are conducted frequently to enhance cybersecurity awareness and test personnel response protocols.

Prior to Employment

In accordance with legal and regulatory mandates, systematic reference checks are performed during the selection process for all candidates. Furthermore, criminal background verification is conducted for all new hires where legally authorized, such as for personnel based in the U.S.

Access Control

Access rights and privileges to EcoVadis information systems and network domains are allocated based on a Role-Based Access Control (RBAC) model, strictly adhering to the principles of need-to-know and least privilege.

Client Access Management

Clients retain control over their user environment. The client platform administrator is empowered to manage user accounts, including creation and deactivation. Platform access is primarily secured via username and password authentication, with Single Sign-On (SSO) capability offered to requesting companies (please contact your usual commercial contact for more information).

Cryptography

All data is protected both at rest and in transit utilizing industry-approved encryption algorithms and methods. Secrets are securely stored and managed in accordance with established industry best practices.

Operations Security

Change Management and Hardening

Changes impacting the organization, business processes, information processing facilities, and systems are formally controlled. We follow rigorous security hardening guidelines, including the Center for Internet Security (CIS) Benchmarks for operating systems and Microsoft Azure hardening guides for cloud services.

Monitoring and Threat Management

Monitoring and detection technologies are implemented to identify, prevent, and manage malware, vulnerabilities, and other security-relevant events across our infrastructure.

Communications Security

Network access to internal services and servers is restricted and secured. We utilize a Web Application Firewall (WAF – please see details here and leverage Azure Front Door, a cloud Content Delivery Network (CDN), to ensure high performance, scalability, and a secure user experience.

System Acquisition, Development and Maintenance.

Security is integrated into our SDLC via adherence to industry standards. New developments are subject to mandatory testing and validation processes before deployment. Development, testing, and operational environments are separated.

Our platforms are hosted in Microsoft Azure datacenters located in the EU. According to a shared responsibility model in the cloud, physical security controls fall under the obligation of Microsoft. More information about the controls can be found here.

To ensure the continuous integrity and resilience of our platform, we maintain a multi-layered security program. Our approach combines automated real-time monitoring with deep-dive manual analysis across several security domains. This defense-in-depth strategy includes:

Security tests

Application Security Testing: integrating Static Application Security Testing (SAST) for deep code analysis, Software Composition Analysis (SCA) to monitor open-source dependencies, and Dynamic Application Security Testing (DAST) to evaluate the application in a running state, on top of our specialists’ regular manual and automated reviews.
Infrastructure Reviews: relying on our Cloud Security Posture Management solutions (CSPM), and different vulnerability scanning platforms and automations.
Secure Access: On top of our perimeter controls, such as our Web Application Firewall (WAF), our SASE framework provides secure, encrypted connectivity for our global workforce, ensuring that security policies are applied consistently at the “edge,” closest to the user.
Independent Validation: In addition to internal reviews and our certifications, we engage reputable third-party security firms to conduct Annual Penetration Tests.

Remediation Targets

We prioritize the resolution of security findings based on their severity. Our structured remediation targets ensure that critical risks are addressed with urgency:

Critical – 7 days
High – 1 month
Medium – 3 months
Low – no specific due date is determined

While we strive to meet these timeframes, final remediation schedules may be adjusted based on the complexity of the fix and the specific risk context.

Independent validation

On top of this, our commitment to security is validated by independent auditors and industry-standard rating planforms:

ISO 27001: We use this standard as our main reference for information security management.
Standardized Assessments: We maintain up-to-date profiles on major security risk platforms, including Cybervadis, CyberGRX, and Whistic. Results may be shared on demand.
CSP certifications: Microsoft Azure certifications are available in the Service Trust Portal

EU General Data Protection Regulation

EcoVadis believes that the GDPR is an important step to strengthen and harmonize data protection of EU citizens’ personal data. As a data controller for the provided Sustainability services Ecovadis is committed to comply with GDPR and as far as they are applicable to international data protection regulations and to put in place the best practices.

Ecovadis uses the ISO 27001 standard, for which we are certified, as a framework and integrates personal data protection aspects in its management system. We use the complementary ISO 27701 framework to meet GDPR and data protection requirements. Our data protection practices and compliance are confirmed by a third party audit.

For the data processing performed outside of the EEA, we have in place Standard Contractual Clauses (SCCs) with our subsidiaries.

We always carefully select our providers (processors) and we require the conclusion of Data Protection Agreements with processors and Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCR) in case of processing outside of the EEA region to be able to work for us. We always aim to choose subscriptions with providers to have data hosted on servers based in Europe. We use the following processors to provide our service:

Legal Entity	Address	Purpose	Data processing and data transfer	Additional Security Information
ZenDesk Inc	1019 Market Street, San Francisco, CA 94103 USA	Help center	link	link
SFDC SAS	SFDC France 3 Avenue Octave Gréard 75007 Paris France	CRM and customer support	link	link
Microsoft France SAS	Microsoft France SAS 37 Quai du Président Roosevelt, 92130 Issy-les-Moulineaux, FRANCE	Hosting of the Sustainability assessment platform	link	link
Google Cloud France	Google Cloud France 8 Rue de Londres, 75009 Paris, France	Customer communication	link	link
Docebo S.p.A. Limited	Limited 6th floor, 48 Gracechurch Street, London – UK	E-Learning platform	link	link
Pendo.io Inc.	150 Fayetteville St #140027601 Raleigh NC, USA	Platform analytics and customer survey	link	link
Productboard Inc.	612 Howard streetCA 94105 San Francisco CA, USA	Product management and customer survey	link	link
Surveymonkey Inc	910 Park Pl, Suite 300, San Mateo, CA 94403, USA	Customer Survey	link	link
Aircall SAS	11 Rue Saint Georges, 75009 Paris, FRANCE	Call recording	link	link
HubSpot France SAS	24 Rue Cambacérès 75008 Paris France	Marketing & Customer communication	link	link

Hubspot Inc	2 Canal Park, Cambridge, Massachusetts, 02141, US	Marketing & Customer communication	link	link

Amazon Web Services Canada, Inc.	120 Bremner Blvd, 26th Floor, Toronto, Ontario, M5J 0A8, Canada	Hosting of ULULA service (Human rights due diligence platform) integrated with the Sustainability assessment platform	link	link

We rely on the recommendations on additional measures issued by the French Data protection authority CNIL and the European Data Protection Board concerning the possibilities of transferring data to countries outside the EEA based on SCCs (or BCR).

Learn more in our statement of data privacy

Export Control and Sanctions Compliance

EcoVadis is committed to be in compliance with all applicable laws and regulations applicable to an operator of general purpose online services, including without limitation, the laws of France and the United States of America, in terms of its own operating locations for the services.

Destination Restrictions

Taking into account overall business risks, Ecovadis products and services are not available for export, reexport, transfer and/or use in the following countries/regions (subject to change without notice):

the regions of Crimea, Donetsk, and Luhansk
Cuba
Iran
North Korea
Syria

Additionally, transactions with or related to certain destinations that pose an elevated export control or sanctions risk are subject to enhanced due diligence requirements.

End-user Restrictions

EcoVadis products and services are not available to entities and individuals with whom transactions are prohibited under applicable export control and sanctions laws, including those listed on any applicable sanctioned party lists (e.g., European Union Sanctions List, U.S. Specially Designated National (SDN) lists, OFAC, United Nations Security Council Sanctions, local lists where EcoVadis has its presence).

End-use Restrictions

EcoVadis Services must not be used for any purposes prohibited by Applicable Export Laws, including, without limitation, for the development, design, manufacture or production of nuclear, chemical or biological weapons of mass destruction.

Documents and Resources

General Terms and conditions

General Terms and Conditions - US Law

Statement of Data Privacy

Platform Uptime Report

Standard Contractual Clauses for Requesting Companies

Accessibility Conformance Report WCAG Edition

Standard Contractual Clauses for Rated Companies

Standard Contractual Clauses for Partners

ISO 27001:2022

ISO 9001:2015

Statement of Applicability

Code of Ethics

Suplier Code of conduct

EcoVadis Modern Slavery Statement

*Open source libraries or components related to any of the applicable services. EcoVadis solution sometimes includes, or depends upon, open source libraries. To comply with the license requirements of open source libraries and licensee’s attribution moral right, below there is a list of open-source software used to build our products – please be informed that all information here is provided “as is” and might be subject to a change by the lecensee:
License
AFL-2.1, Apache-2.0, BSD-2-Clause, BSD-3-Clause, CC-BY-4.0, ISC, JSON, LGPL-2.1*, LGPL-3.0*, Microsoft .NET, ASP NET MVC3 EULA, BlueOak-1.0.0, Bouncy Castle License, 0BSD, Aduna BSD License, BSD-4-Clause, CC-BY-3.0, CC-BY-4.0, CC-BY-SA-2.0 CC-BY-SA-3.0, CC-PDD, CCC0-1.0, JQuery, MPL-1.1, MulanPSL-2.0, OpenSSL, Python-2.0
Library License
MIT, MPL-2.0, MS-PL, PostgreSQL, WTFPL, Zlib

* The application is linked dynamically to LGPL license, consequently, the proprietary code can be kept proprietary.

Conflict of Interest Policy

Third-Party Professional Conduct Policy

Artificial Intelligence Usage

EcoVadis designs, implements, and deploys AI solutions in the responsible way paying close attention to model explainability, monitoring, and main principles of trustworthy AI.

With the rise of generative AI, we invest in AI safety and AI governance and ensure that generative AI solutions have appropriate guardrails in place.