At EcoVadis, Quality and Information Security are very important to us. We are committed to maintaining effective business processes and to supporting them with the most demanding security practices. Our Trust Center is here to help you understand what we are doing to ensure quality and data security in the CSR rating services that we provide.
EcoVadis is committed to creating a reliable CSR rating system that is consistent over time and offers comparability, so that suppliers can be benchmarked across a wide variety of sectors and countries.
EcoVadis has developed a quality management system (QMS) that adheres to the requirements of ISO 9001 and has scheduled an audit to obtain third-party certification in 2017. We actively pursue ever-improving quality through a process management system that enables each employee to do their job right the first time and every time, in a safe and stimulating work environment. It is supported by our tailor-made, self-developed IT platform, which guides employees through the whole process. We continuously improve our processes with the advice of specialized bodies such as our methodology committee. Components of our Quality Management System include:
Training is an essential part of Quality Management. Employee involvement, staff knowledge, effectiveness and reliability are key. EcoVadis has developed a complete training program for new starters: all new employees are trained according to the training plan developed by their Business Unit and function to address specific needs. In addition, employees receive a general training program that includes a series of trainings related to Security, Ethics and CSR.
EcoVadis encourages its employees to develop their skills and receive appropriate training (internal and/or external) to develop their work potential and employability. In particular, CSR analysts are required to attend regular trainings specific to their job responsibilities for the evaluation, scoring and validation of supplier activities in relation to CSR themes and criteria.
EcoVadis has established a Corrective and Preventive Action system to identify areas of improvement for current products and processes, and also to eliminate non-conformities or prevent their recurrence. At each stage of the evaluation process, a quality check form (QCF) is filled in by the assigned downstream analyst, who is in charge of identifying quality issues and defining corrective actions. This process is in place to ensure that our service meets delivery requirements. In 2016, 30,000 data points were analyzed to guarantee the quality and reliability of the EcoVadis ratings and to identify training needs for our CSR analysts.
Client and supplier complaints are handled through our Incident Management Process. All received complaints are recorded and reviewed on a regular basis.
A 3-year internal audit program has been established to ensure the integrity and continuous improvement of the Quality Management System. It is reviewed on a yearly basis during our management review.
The ISAE 3000 audit conducted by PwC Germany provides assurance about EcoVadis’ operational and security controls in alignment with the AICPA’s trust services principles. The ISAE 3000 audit provides third-party validation and testing of the design and operating effectiveness of the company’s processes, quality procedures, and security practices by examining samples of actual operational activities throughout the first six months of 2016.
This standard is based on a number of quality management principles, including a strong customer focus, the motivation and involvement of top management, the process approach and continual improvement. It helps ensure that customers get consistent, good-quality products and services, which in turn brings many business benefits. EcoVadis has developed a quality management system (QMS) that adheres to the requirements of ISO 9001 and has scheduled an audit to obtain third-party certification in 2017.
EcoVadis is committed to providing the highest level of Information Security and to continuously improving in order to protect all stakeholders’ data in an evolving landscape of information security threats.
For this reason, EcoVadis has established an Information Security Management System (ISMS) which is certified to ISO 27001 and which enables us to systematically operate and maintain information security in our business processes and services, and to determine and apply the necessary security measures based on our risk assessment. We have a security incident management process in place to detect and remediate security incidents. Penetration tests are performed on a regular basis to evaluate our IT infrastructure and identify vulnerabilities and areas for improvement.
The ISMS and QMS form an integrated management system allowing us to ensure the availability, integrity, confidentiality and traceability of information. All data are stored and processed in an ISO 27001 certified data center in Paris, France.
Policies and Processes include:
The terms and conditions of the EcoVadis assessment platform have been designed to guarantee the confidentiality of your data. The information you provide is kept confidential and cannot be shared without your approval. Learn more in our terms and conditions.
One major pillar of the success of the ISMS is the security awareness of all EcoVadis employees. EcoVadis employees are regularly trained on information security to keep them updated on current issues and best practices, by attending a yearly refresher training and taking a test on our practices and policies.
All newly hired employees have to participate in a mandatory information security training as part of the induction training. EcoVadis employees must follow the set of information security policies, which are regularly reviewed. Employees also go through regular phishing tests to raise cyber awareness.
EcoVadis complies with the data protection directive 95/46/EC and adheres to the set of data protection principles developed by the French Data Protection Authority CNIL (Commission Nationale de l’Informatique et des Libertés). EcoVadis is actively analyzing the new EU regulation 2016/679 in order to be ready in 2018 when it comes into force. EcoVadis has designated a Data Protection Officer (DPO), registered with the CNIL, well before the appointment of a DPO becomes mandatory in 2018.
We have contractual clauses in place for entities that perform data processing outside Europe, and we file the legal declarations concerning the processing of personal data with the French Data Protection Authority.
In addition, specifically for the USA, EcoVadis was registered in the former Safe Harbour program and is now in the process of registering for the Privacy Shield, which will be completed by the end of 2016. Learn more in our statement of data privacy.
EcoVadis employees are required to sign a code of conduct and a confidentiality clause as part of their employment contract prior to being given access to our platform. The clause prohibits any disclosure of confidential information concerning the business of EcoVadis and its customers. These obligations and duties remain valid even after termination.
The information security management system governing the development and operations of the EcoVadis online collaborative platform, which allows companies to assess and monitor the environmental, social and ethical risk and performance of their suppliers, is ISO/IEC 27001:2013 certified. ISO/IEC 27001:2013 is one of the most widely recognised information security standards. Our compliance is certified by PwC Certification B.V., an independent and accredited certification body.