Quality, Security, Privacy and Compliance | EcoVadis Skip to content

Quality, Security, Privacy and Compliance

Main content

EcoVadis Purpose is to “Guide all companies toward a sustainable world”, and EcoVadis four core purpose objectives:

  1. Deliver independent, trusted, and actionable sustainability ratings and insights through methodology excellence.
  2. Enable the greatest number of companies to continuously improve their business practices and contribute to creating a regenerative and equitable economy.
  3. Cultivate an inclusive learning environment for our people, providing meaningful work and empowering future generations of sustainability practitioners.
  4. Foster collective action within our ecosystem to accelerate the transition to a sustainable world.

EcoVadis has developed a quality management system (QMS) which is certified ISO 9001. We actively pursue ever-improving quality through a process management system that enables each employee to do their job right the first time and every time in a safe and stimulating work environment. It is supported by our tailor made and self-developed IT platform which guides employees through the whole process. We constantly put our efforts into continuously improving the processes by being advised by specialized bodies like our methodology committee.

  • Employee training program
    • Q&IS training programs for all newcomers during the onboarding period with quizzes and set pass marks to verify effectiveness plus mandatory annual refresher training for all employees followed by quizzes.
  • Corrective and preventive action
    • Continuous improvement with the identification of improvement areas to eliminate non-conformities or prevent reoccurence. One example being the use of the Quality tool for non conformities detection and feedback provision through the evaluation process.
  • Incident management Process
    • Customer and supplier complaints as well as internal issues are reported, recorded and managed through an Incident Management Platform. All incidents are reviewed regularly by concerned parties and resolved within a given timeframe.
  • Internal audit
    • The Internal Audit Program is set over a period of 3 years where Information Security audits are conducted twice per year and all internal processes undergo a Quality audit at least once per year. Audit results are reviewed and discussed during our biannual Management Review.

EcoVadis provides holistic sustainability ratings service of companies, delivered via a global cloud-based SaaS platform hosted in Microsoft Azure – one of the most trusted cloud hosting providers.

We are committed to provide the highest level of Information Security and to continuously improve in order to protect all stakeholders’ data in an evolving landscape of information security threats. For this reason, EcoVadis has established an Information Security management system (ISMS) which undergoes regular independent third-party audits for ISO/IEC 27001 compliance (please see the certificate and statement of applicability).

Our ISMS enables us to systematically operate and maintain information security in our business processes and services and to determine and apply the necessary security measures based on our risk evaluation.

Our Information Security Policies are regularly reviewed and updated  to confirm that the content remains timely and accurate and it still correlates to compliance requirements industry best practices applicable to us.

We have a dedicated, in-house team responsible for developing, maintaining and monitoring of information security. Priorities are established worldwide within our organization to provide a single, coherent vision around the protection of our assets.

At EcoVadis, we realize that raising awareness about threats to information security is an ongoing process. Our employees are regularly trained in IT and Information Security best practices and alignment with EcoVadis IT Security standards, and the way to operate IT systems in a secure manner.

We maintain an accurate and current inventory of assets associated with the service provided and classify information in terms of legal requirements, value, criticality and sensitivity to unauthorized disclosure or modification.

Azure is a multi tenant service, there is a logical separation in place which isolates data between customers.

Access rights and privileges to EcoVadis information systems and network domains must be allocated based on the specific requirement of a user’s job function (RBAC), we follow need-to-know and least privilege principles.

Our clients manage their access independently: the client platform administrator can create and deactivate users as needed. The platform can be accessed using username & password. We also provide a  Single sign-on (SSO) authentication capability for requesting companies and you can contact your usual commercial contact for more information.

Data is encrypted (at rest and in transit) using industry-approved encryption algorithms and methods. We follow industry best practices to securely store and manage secrets within our environment.


Our platforms are hosted in Microsoft Azure datacenters located in the EU. According to a shared responsibility model in the cloud, physical security controls fall under the obligation of Microsoft. More information about the controls can be found here.

We make sure that changes to the organization, business processes, information processing facilities and systems that affect information security are controlled. We have implemented monitoring and detection technology and processes to identify, prevent, and manage malware vulnerabilities, or other security-relevant events within our infrastructure. Best security hardening practices are followed, such as CIS (Center for Internet Security) for operating systems and Microsoft Azure hardening guides for cloud services.

Network access to internal services and servers is restricted and secured. We have a Web Application Firewall in place (please see details here) and use Azure Front Door – a modern cloud content delivery network (CDN) service that delivers high performance, scalability, and secure user experiences.

We use industry standards to build in security for our Systems/Software Development Lifecycle (SDLC). It is ensured that new developments undergo proper testing and validation processes prior to going live. Development, testing, and operational environments are separated.

We have established information security requirements for suppliers that may access, process, store, communicate, or provide IT infrastructure components for the organization’s information. We also conduct cybersecurity and data security risk assessments of suppliers with access to our network, data or other sensitive information.

We continuously work on providing highly secure services to our clients, but incidents are an inevitable reality that has to be carefully managed. At EcoVadis, appropriate measures are implemented to ensure a consistent and effective approach to the management of information security incidents. Our security incident management process covers, but it is not limited to: client notification, maintaining written procedures to be followed in the event of a security incident and using all reasonable efforts to mitigate its consequences.

We are committed to make sure that information processing facilities are implemented with redundancy sufficient to meet availability requirements (please see our platform’s uptime report where service performance, availability and real user experience are constantly monitored).

Backups are performed and tested regularly in accordance with the defined backup policy.

To provide us with a more complete view of our information security compliance, we conduct several types of audit and technical reviews:

– Infrastructure Reviews

– Code Reviews (SAST: Static Application Security Testing, SCA: Software Composition Analysis)

– Web application penetration testing (this is performed at least once a year by an external company)

– External Posture Management

– Internal Risk Assessments

– ISO 27001 certification audits


We have filled in several standard questionnaires. The result can be shared on demand

  • Cybervadis
  • CyberGRX
  • SecurityScorecard:

  • Whistic

Microsoft Azure certifications are available in the Service Trust Portal.

Notice required by licensors of any open source libraries or components related to any of the applicable services. EcoVadis solution sometimes includes, or depends upon, open source libraries. To comply with the license requirements of open source libraries and licensee’s attribution moral right, below there is a list of open-source software used to build our products – please be informed that all information here is provided “as is” and might be subject to a change by the licensee:


Component/project name License
ActiveUp.Net LGPL 2.1 *
AjaxControlToolkit BSD 3
Bootstrap MIT
DocumentFormat.OpenXml MIT
Editor_plugin LGPL 2.0 *
EPPlus LGPL 2.1 *
Highcharts CC BY NC 3.0
ICSharpCode MIT
Ionic Zlib
jQuery.dataTables MIT
jQuery.easing MIT
jQuery.easy MIT
jQuery.form MIT
jQuery.linq MIT
jQuery.multiselect MIT
jQuery.perfect-scrollbar-with-mousewheel MIT
jQuery.scrollTo MIT
jQuery.slim MIT
jQuery.tipTip MIT
jQuery.validate.unobtrusive Apache 2.0
jQuery.validate MIT
jQuery MIT
Knockout MIT
LINQ Microsoft Public
Modernizr MIT
Newtonsoft MIT
Ninject Apache 2.0
NLog BSD 3
NPOI Apache 2.0
Prototype MIT
wkhtmltoimage LGPL 3.0 *
wkhtmltopdf LGPL 3.0 *
wkhtmltox LGPL 3.0 *

* The application is linked dynamically to LGPL license, consequently, the proprietary code can be kept proprietary.

EcoVadis believes that the GDPR is an important step to strengthen and harmonize data protection of EU citizens’ personal data. As a data controller for the provided Rating services Ecovadis is committed to comply with GDPR and as far as they are applicable to international data protection regulations and to put in place the best practices.

Ecovadis uses the ISO 27001 standard, for which we are certified, as a framework and integrates personal data protection aspects in its management system. We use the complementary ISO 27701 framework to meet GDPR requirements. Our data protection practices and compliance are confirmed by a third party audit.

For the data processing performed outside of the EU, we have in place Standard Contractual Clauses (SCCs) with our subsidiaries.

We always carefully select our providers (processors) and we require the conclusion of Data Protection Agreements with processors and Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCR) in case of processing outside of the EEA region to be able to work for us. We always aim to choose subscriptions with providers  to have data hosted on servers based in Europe. We use the following processors to provide our service:


Legal Entity Address Purpose Additional Security Information
ZenDesk 1019 Market Street,
San Francisco, CA 94103 USA
Help center https://www.zendesk.com/product/zendesk-security/
SFDC 2 Henry Adams St,
San Francisco, CA 94103 USA
CRM and customer support https://trust.salesforce.com/
Microsoft Azure Microsoft Campus,
Redmond, WA 98052 USA
Hosting of the Sustainability assessment platform https://azure.microsoft.com/en-us/overview/trusted-cloud/
Google 1600 Amphitheatre Parkway
Mountain View, CA 94043 USA
Customer communication https://cloud.google.com/security/
Selligent 20 Place des Vins de France,75012 Paris FRANCE Customer communication https://www.selligent.com/general-data-protection-regulation
Docebo Limited
6th floor, 48
Street, London –
E-Learning platform https://www.docebo.com/company/compliance-security/
Pendo 150 Fayetteville St
Raleigh NC, USA
Platform analytics https://www.pendo.io/data-privacy-security/
Productboard 612 Howard
streetCA 94105
San Francisco CA,
Product management https://www.productboard.com/product/security/
Aircall 11 Rue Saint
Georges, 75009
Call recording https://aircall.io/security/


We rely on the recommendations on additional measures issued by the French Data protection authority CNIL and the European Data Protection Board concerning the possibilities of transferring data to the United States based on SCCs (or BCR).

Learn more in our statement of data privacy

EcoVadis is committed to be in compliance with all applicable laws and regulations applicable to an operator of general purpose online services, including without limitation, the laws of France and the United States of America, in terms of its own operating locations for the services.

Destination Restrictions

Taking into account overall business risks, Ecovadis products and services are not available for export, reexport, transfer and/or use in the following countries/regions (subject to change without notice):

  • the regions of Crimea, Donetsk, and Luhansk
  • Cuba
  • Iran
  • North Korea
  • Syria

Additionally, transactions with or related to certain destinations that pose an elevated export control or sanctions risk are subject to enhanced due diligence requirements.

End-User Restrictions

EcoVadis products and services are not available to entities and individuals with whom transactions are prohibited under applicable export control and sanctions laws, including those listed on any applicable sanctioned party lists (e.g., European Union Sanctions List, U.S. Specially Designated National (SDN) lists, OFAC, United Nations Security Council Sanctions, local lists where EcoVadis has its presence).

End-use Restrictions

EcoVadis Services must not be used for any purposes prohibited by Applicable Export Laws, including, without limitation, for the development, design, manufacture or production of nuclear, chemical or biological weapons of mass destruction.

This web page is for general informational purposes only and does not constitute legal advice.

Questions? Contact us!

If you have any questions related to information security at EcoVadis – please share them with your Sales representative or visit our Help Center: support.ecovadis.com.

+Ability Webinar Series: Boost your company’s ability to navigate supply chain sustainability.
Register Now
NEW: Barometer 2024: Transforming Procurement into a Strategic Sustainability & Resilience Partner
View Now