Datenschutz und Vertrauen

Zertifizierungen

Quality (ISO 9001)

Die Aufgabe von EcoVadis besteht darin, „alle Unternehmen auf dem Weg in eine nachhaltige Welt zu begleiten.“ Dabei verfolgt EcoVadis vier Kernziele:

Bereitstellung unabhängiger, vertrauenswürdiger und umsetzbarer Nachhaltigkeitsbewertungen und -einblicke durch eine hervorragende Methodik.
Die größtmögliche Anzahl von Unternehmen in die Lage versetzen, ihre Geschäftspraktiken kontinuierlich zu verbessern und zur Schaffung einer regenerativen und gerechten Ökonomie beizutragen.
Schaffung eines integrativen Lernumfelds für unsere Mitarbeiter*innen, das sinnvolle Arbeit bietet und künftige Generationen von Nachhaltigkeitsexpert*innen stärkt.
Förderung des kollektiven Handelns innerhalb unseres Ökosystems, um den Übergang zu einer nachhaltigen Welt zu beschleunigen.

EcoVadis has developed a quality management system (QMS) which is certified ISO 9001 (please see the certificate). We actively pursue ever-improving quality through a process management system that enables each employee to do their job right the first time and every time in a safe and stimulating work environment. It is supported by our tailor made and self-developed IT platform which guides employees through the whole process.

We constantly put our efforts into continuously improving the processes by being advised by specialized bodies like our methodology committee.

Schulungsprogramm für Mitarbeiter*innen

Schulungsprogramme über Qualitäts- und Informationssicherheit für alle neuen Mitarbeitenden während der Einführungsphase mit Wissenstest und festgelegten Erfolgsquoten zur Überprüfung der Effektivität sowie obligatorische jährliche Auffrischungsschulungen für alle Mitarbeitenden mit anschließenden Wissenstests.

Korrektur- und Präventivmaßnahmen

Kontinuierliche Verbesserung mittels der Identifizierung von Verbesserungsbereichen, um Nichtkonformitäten oder ihr erneutes Auftreten zu verhindern. Ein Beispiel dafür ist die Verwendung des Qualitätstools zur Erkennung von Konformitätsabweichungen und zur Bereitstellung von Feedback im Rahmen des Bewertungsprozesses.

Customer Complaints

Beschwerden seitens Kunden oder Lieferanten sowie interne Probleme werden über eine Plattform zur Verwaltung von Vorfällen gemeldet, aufgezeichnet und verwaltet. Alle Vorfälle werden regelmäßig von zuständiger Seite überprüft und innerhalb eines bestimmten Zeitrahmens behoben.

Internes Audit

Das interne Auditprogramm erstreckt sich über einen Zeitraum von drei Jahren, wobei die Informationssicherheit zweimal pro Jahr und alle internen Prozesse mindestens einmal pro Jahr einem Qualitätsaudit unterzogen werden. Die Auditergebnisse werden im Rahmen unserer Management-Review-Meetings überprüft und besprochen.

Information Security (ISO 27001)

EcoVadis bietet einen ganzheitlichen Dienst zur Nachhaltigkeitsbewertung von Unternehmen. Dieser wird über eine globale cloudbasierte SaaS-Plattform bereitgestellt, die in Microsoft Azure gehostet wird – einem der vertrauenswürdigsten Cloud-Hosting-Anbieter.

Wir sind bestrebt, ein Höchstmaß an Informationssicherheit zu gewährleisten und uns ständig zu verbessern, um die Daten aller Beteiligten in einem sich ständig wandelnden Umfeld von Bedrohungen der Informationssicherheit zu schützen. Aus diesem Grund hat EcoVadis ein Managementsystem für Informationssicherheit (Information Security Management System, ISMS) eingerichtet, das regelmäßig durch externe Audits auf Einhaltung der Norm ISO/IEC 27001 geprüft wird (Siehedas Zertifikat undErklärung zur Anwendbarkeit).

Unser ISMS ermöglicht es uns, die Informationssicherheit in unseren Geschäftsprozessen und Diensten systematisch zu betreiben und aufrechtzuerhalten und die notwendigen Sicherheitsmaßnahmen auf der Grundlage unserer Risikobewertung zu bestimmen und anzuwenden.

Information Security Governance

Our Information Security Policies are subject to regular review and updates to ensure their timeliness, accuracy, and continued alignment with applicable compliance requirements and industry best practices. We maintain a dedicated, in-house team responsible for the development, maintenance, and monitoring of information security. Priorities are established globally within our organization to provide a coherent vision for the protection of organizational assets.

Asset Management and Tenancy

We maintain a precise and current inventory of all service-related assets. Information is formally classified based on legal requirements, value, criticality, and sensitivity to unauthorized disclosure or modification. Utilizing Azure as a multi-tenant service, we enforce logical separation to ensure the complete isolation of data between customers.

Third-Party Risk Management

Information security requirements are established for suppliers that may access, process, store, communicate, or provide IT infrastructure components. We conduct periodic cybersecurity and data security risk assessments of suppliers with access to our network or sensitive data, with defined follow-up actions being formally tracked and implemented.

Security Operations and Incident Response

A 24/7 Security Operations Center (SOC) provides continuous monitoring and protection of systems and data. We have implemented robust measures to ensure a consistent and effective approach to managing information security incidents. Our security incident management process includes maintaining written procedures, using all reasonable efforts to mitigate consequences, and client notification.

Business Continuity and Disaster Recovery (BCP)

We ensure that information processing facilities are implemented with sufficient redundancy to meet availability requirements. Service performance, availability, and real user experience are continuously monitored (please see our platform’s uptime report where service performance, availability and real user experience are constantly monitored). Backups are performed and tested regularly in accordance with the defined backup policy.

Awareness, Education, and Training

Personnel are subject to mandatory, ongoing information security awareness, education, and training. This program is designed to align with EcoVadis IT Security standards, educate staff on secure operating practices for IT systems, and ensure comprehension of applicable security threats. Simulated phishing campaigns are conducted frequently to enhance cybersecurity awareness and test personnel response protocols.

Prior to Employment

In accordance with legal and regulatory mandates, systematic reference checks are performed during the selection process for all candidates. Furthermore, criminal background verification is conducted for all new hires where legally authorized, such as for personnel based in the U.S.

Zugriffskontrolle

Access rights and privileges to EcoVadis information systems and network domains are allocated based on a Role-Based Access Control (RBAC) model, strictly adhering to the principles of need-to-know and least privilege.

Client Access Management

Clients retain control over their user environment. The client platform administrator is empowered to manage user accounts, including creation and deactivation. Platform access is primarily secured via username and password authentication, with Single Sign-On (SSO) capability offered to requesting companies (please contact your usual commercial contact for more information).

Kryptografie

All data is protected both at rest and in transit utilizing industry-approved encryption algorithms and methods. Secrets are securely stored and managed in accordance with established industry best practices.

Betriebssicherheit

Change Management and Hardening

Changes impacting the organization, business processes, information processing facilities, and systems are formally controlled. We follow rigorous security hardening guidelines, including the Center for Internet Security (CIS) Benchmarks for operating systems and Microsoft Azure hardening guides for cloud services.

Monitoring and Threat Management

Monitoring and detection technologies are implemented to identify, prevent, and manage malware, vulnerabilities, and other security-relevant events across our infrastructure.

Kommunikationssicherheit

Network access to internal services and servers is restricted and secured. We utilize a Web Application Firewall (WAF – please see details here and leverage Azure Front Door, a cloud Content Delivery Network (CDN), to ensure high performance, scalability, and a secure user experience.

System Acquisition, Development and Maintenance.

Security is integrated into our SDLC via adherence to industry standards. New developments are subject to mandatory testing and validation processes before deployment. Development, testing, and operational environments are separated.

Our platforms are hosted in Microsoft Azure datacenters located in the EU. According to a shared responsibility model in the cloud, physical security controls fall under the obligation of Microsoft. More information about the controls can be found here.

To ensure the continuous integrity and resilience of our platform, we maintain a multi-layered security program. Our approach combines automated real-time monitoring with deep-dive manual analysis across several security domains. This defense-in-depth strategy includes:

Security tests

Application Security Testing: integrating Static Application Security Testing (SAST) for deep code analysis, Software Composition Analysis (SCA) to monitor open-source dependencies, and Dynamic Application Security Testing (DAST) to evaluate the application in a running state, on top of our specialists’ regular manual and automated reviews.
Infrastructure Reviews: relying on our Cloud Security Posture Management solutions (CSPM), and different vulnerability scanning platforms and automations.
Secure Access: On top of our perimeter controls, such as our Web Application Firewall (WAF), our SASE framework provides secure, encrypted connectivity for our global workforce, ensuring that security policies are applied consistently at the “edge,” closest to the user.
Independent Validation: In addition to internal reviews and our certifications, we engage reputable third-party security firms to conduct Annual Penetration Tests.

Remediation Targets

We prioritize the resolution of security findings based on their severity. Our structured remediation targets ensure that critical risks are addressed with urgency:

Critical – 7 days
High – 1 month
Medium – 3 months
Low – no specific due date is determined

While we strive to meet these timeframes, final remediation schedules may be adjusted based on the complexity of the fix and the specific risk context.

Independent validation

On top of this, our commitment to security is validated by independent auditors and industry-standard rating planforms:

ISO 27001: We use this standard as our main reference for information security management.
Standardized Assessments: We maintain up-to-date profiles on major security risk platforms, including Cybervadis, CyberGRX, and Whistic. Results may be shared on demand.
CSP certifications: Microsoft Azure certifications are available in the Service Trust Portal

Information Security Governance

Our Information Security Policies are subject to regular review and updates to ensure their timeliness, accuracy, and continued alignment with applicable compliance requirements and industry best practices. We maintain a dedicated, in-house team responsible for the development, maintenance, and monitoring of information security. Priorities are established globally within our organization to provide a coherent vision for the protection of organizational assets.

Asset Management and Tenancy

We maintain a precise and current inventory of all service-related assets. Information is formally classified based on legal requirements, value, criticality, and sensitivity to unauthorized disclosure or modification. Utilizing Azure as a multi-tenant service, we enforce logical separation to ensure the complete isolation of data between customers.

Third-Party Risk Management

Information security requirements are established for suppliers that may access, process, store, communicate, or provide IT infrastructure components. We conduct periodic cybersecurity and data security risk assessments of suppliers with access to our network or sensitive data, with defined follow-up actions being formally tracked and implemented.

Security Operations and Incident Response

A 24/7 Security Operations Center (SOC) provides continuous monitoring and protection of systems and data. We have implemented robust measures to ensure a consistent and effective approach to managing information security incidents. Our security incident management process includes maintaining written procedures, using all reasonable efforts to mitigate consequences, and client notification.

Business Continuity and Disaster Recovery (BCP)

We ensure that information processing facilities are implemented with sufficient redundancy to meet availability requirements. Service performance, availability, and real user experience are continuously monitored (please see our platform’s uptime report where service performance, availability and real user experience are constantly monitored). Backups are performed and tested regularly in accordance with the defined backup policy.

Awareness, Education, and Training

Personnel are subject to mandatory, ongoing information security awareness, education, and training. This program is designed to align with EcoVadis IT Security standards, educate staff on secure operating practices for IT systems, and ensure comprehension of applicable security threats. Simulated phishing campaigns are conducted frequently to enhance cybersecurity awareness and test personnel response protocols.

Prior to Employment

In accordance with legal and regulatory mandates, systematic reference checks are performed during the selection process for all candidates. Furthermore, criminal background verification is conducted for all new hires where legally authorized, such as for personnel based in the U.S.

Zugriffskontrolle

Access rights and privileges to EcoVadis information systems and network domains are allocated based on a Role-Based Access Control (RBAC) model, strictly adhering to the principles of need-to-know and least privilege.

Client Access Management

Clients retain control over their user environment. The client platform administrator is empowered to manage user accounts, including creation and deactivation. Platform access is primarily secured via username and password authentication, with Single Sign-On (SSO) capability offered to requesting companies (please contact your usual commercial contact for more information).

Kryptografie

All data is protected both at rest and in transit utilizing industry-approved encryption algorithms and methods. Secrets are securely stored and managed in accordance with established industry best practices.

Betriebssicherheit

Change Management and Hardening

Changes impacting the organization, business processes, information processing facilities, and systems are formally controlled. We follow rigorous security hardening guidelines, including the Center for Internet Security (CIS) Benchmarks for operating systems and Microsoft Azure hardening guides for cloud services.

Monitoring and Threat Management

Monitoring and detection technologies are implemented to identify, prevent, and manage malware, vulnerabilities, and other security-relevant events across our infrastructure.

Kommunikationssicherheit

Network access to internal services and servers is restricted and secured. We utilize a Web Application Firewall (WAF – please see details here and leverage Azure Front Door, a cloud Content Delivery Network (CDN), to ensure high performance, scalability, and a secure user experience.

System Acquisition, Development and Maintenance.

Security is integrated into our SDLC via adherence to industry standards. New developments are subject to mandatory testing and validation processes before deployment. Development, testing, and operational environments are separated.

Our platforms are hosted in Microsoft Azure datacenters located in the EU. According to a shared responsibility model in the cloud, physical security controls fall under the obligation of Microsoft. More information about the controls can be found here.

To ensure the continuous integrity and resilience of our platform, we maintain a multi-layered security program. Our approach combines automated real-time monitoring with deep-dive manual analysis across several security domains. This defense-in-depth strategy includes:

Security tests

Application Security Testing: integrating Static Application Security Testing (SAST) for deep code analysis, Software Composition Analysis (SCA) to monitor open-source dependencies, and Dynamic Application Security Testing (DAST) to evaluate the application in a running state, on top of our specialists’ regular manual and automated reviews.
Infrastructure Reviews: relying on our Cloud Security Posture Management solutions (CSPM), and different vulnerability scanning platforms and automations.
Secure Access: On top of our perimeter controls, such as our Web Application Firewall (WAF), our SASE framework provides secure, encrypted connectivity for our global workforce, ensuring that security policies are applied consistently at the “edge,” closest to the user.
Independent Validation: In addition to internal reviews and our certifications, we engage reputable third-party security firms to conduct Annual Penetration Tests.

Remediation Targets

We prioritize the resolution of security findings based on their severity. Our structured remediation targets ensure that critical risks are addressed with urgency:

Critical – 7 days
High – 1 month
Medium – 3 months
Low – no specific due date is determined

While we strive to meet these timeframes, final remediation schedules may be adjusted based on the complexity of the fix and the specific risk context.

Independent validation

On top of this, our commitment to security is validated by independent auditors and industry-standard rating planforms:

ISO 27001: We use this standard as our main reference for information security management.
Standardized Assessments: We maintain up-to-date profiles on major security risk platforms, including Cybervadis, CyberGRX, and Whistic. Results may be shared on demand.
CSP certifications: Microsoft Azure certifications are available in the Service Trust Portal

Die Datenschutz-Grundverordnung

EcoVadis believes that the GDPR is an important step to strengthen and harmonize data protection of EU citizens’ personal data. As a data controller for the provided Sustainability services Ecovadis is committed to comply with GDPR and as far as they are applicable to international data protection regulations and to put in place the best practices.

Ecovadis uses the ISO 27001 standard, for which we are certified, as a framework and integrates personal data protection aspects in its management system. We use the complementary ISO 27701 framework to meet GDPR and data protection requirements. Our data protection practices and compliance are confirmed by a third party audit.

For the data processing performed outside of the EEA, we have in place Standard Contractual Clauses (SCCs) with our subsidiaries.

Wir wählen unsere Dienstleister (Auftragsverarbeiter) stets sorgfältig aus. Für eine Zusammenarbeit von Auftragsverarbeitern mit uns verlangen wir den Abschluss von Datenschutzvereinbarungen und Standardvertragsklauseln (SCCs) oder Binding Corporate Rules (BCR) im Falle der Verarbeitung außerhalb des EWR-Raums. Wir sind stets bestrebt, Mitgliedschaften bei Anbietern zu wählen, deren Daten auf Servern in Europa gehostet werden. Wir verwenden die folgenden Auftragsverarbeiter, um unseren Dienst anzubieten:

Juristische Person	Adresse	Zweck	Datenverarbeitung und Datenübermittlung	Zusätzliche Sicherheitsinformationen
ZenDesk Inc	1019 Market Street, San Francisco, CA 94103 USA	Hilfe-Center	Link	Link
SFDC SAS	SFDC France 3 Avenue Octave Gréard 75007 Paris France	CRM und Kundenbetreuung	Link	Link
Microsoft France SAS	Microsoft France SAS 37 Quai du Président Roosevelt, 92130 Issy-les-Moulineaux, FRANCE	Hosting der Plattform zur Nachhaltigkeitsbewertung	Link	Link
Google Cloud France	Google Cloud France 8 Rue de Londres, 75009 Paris, France	Kundenkommunikation	Link	Link
Docebo S.p.A. Limited	Limited 6th floor, 48 Gracechurch Street, London – UK	E-Learning-Plattform	Link	Link
Pendo.io Inc.	150 Fayetteville St #140027601 Raleigh NC, USA	Plattform-Analytik und Kundenumfragen	Link	Link
Productboard Inc.	612 Howard streetCA 94105 San Francisco CA, USA	Produktmanagement und Kundenumfragen	Link	Link
Surveymonkey Inc	910 Park Pl, Suite 300, San Mateo, CA 94403, USA	Kundenumfrage	Link	Link
Aircall SAS	11 Rue Saint Georges, 75009 Paris, FRANCE	Aufzeichnung von Anrufen	Link	Link
HubSpot France SAS	24 Rue Cambacérès 75008 Paris France	Marketing & Customer communication	Link	Link

Hubspot Inc	2 Canal Park, Cambridge, Massachusetts, 02141, US	Marketing & Customer communication	Link	Link

Amazon Web Services Canada, Inc.	120 Bremner Blvd, 26th Floor, Toronto, Ontario, M5J 0A8, Canada	Hosting of ULULA service (Human rights due diligence platform) integrated with the Sustainability assessment platform	Link	Link

We rely on the recommendations on additional measures issued by the French Data protection authority CNIL and the European Data Protection Board concerning the possibilities of transferring data to countries outside the EEA based on SCCs (or BCR).

Learn more in our statement of data privacy

Exportkontrolle und Einhaltung von Sanktionen

EcoVadis verpflichtet sich, alle für einen Betreiber von allgemeinen Online-Diensten geltenden Gesetze und Vorschriften (einschließlich, aber nicht Beschränkt auf die Gesetze in Frankreich und den Vereinigten Staaten) an seinen Betriebsstandorten einzuhalten.

Beschränkungen für das Reiseziel

Unter Berücksichtigung der allgemeinen Geschäftsrisiken sind Ecovadis-Produkte und -Dienstleistungen nicht für den Export, die Wiederausfuhr, den Transfer und/oder die Verwendung in den folgenden Ländern/Regionen verfügbar (Änderungen vorbehalten):

Regionen Krim, Donetsk und Luhansk
Kuba
Iran
Nordkorea
Syrien

Darüber hinaus unterliegen Transaktionen mit oder im Zusammenhang mit bestimmten Bestimmungsländern, die ein erhöhtes Exportkontroll- oder Sanktionsrisiko darstellen, besonderen Sorgfaltspflichten.

End-user Restrictions

EcoVadis-Produkte und -Dienstleistungen sind nicht für juristische und natürliche Personen verfügbar, mit denen nach den anwendbaren Exportkontroll- und Sanktionsgesetzen keine Transaktionen durchgeführt werden dürfen, einschließlich derer, die auf den entsprechenden Listen der sanktionierten Parteien aufgeführt sind (z.B. Sanktionsliste der Europäischen Union, U.S. Specially Designated National (SDN)-Listen, OFAC, Sanktionen des Sicherheitsrates der Vereinten Nationen, lokale Listen der Länder, in denen EcoVadis vertreten ist).

Einschränkungen für die Endnutzung

Die EcoVadis-Dienste dürfen nicht für Zwecke verwendet werden, die nach den geltenden Ausfuhrgesetzen verboten sind, insbesondere nicht für die Entwicklung, Konstruktion, Herstellung oder Produktion von atomaren, chemischen oder biologischen Massenvernichtungswaffen.

Documents and Resources

General Terms and conditions

Allgemeine Geschäfts-bedingungen - US-Recht

Datenschutzer-
klärung

Bericht zur Plattform-
verfügbarkeit

Standardvertrags-
klauseln für anfordernde Unternehmen

Bericht zur Zugänglichkeitskonformität WCAG Edition

Standardvertragsklauseln für bewertete Unternehmen

Standardvertragsklauseln für Partner

ISO 27001:2022

ISO 9001:2015

Statement of Applicability

Ethikkodex

Suplier Code of conduct

EcoVadis Stellungnahme zu moderner Sklaverei

*Open source libraries or components related to any of the applicable services. EcoVadis solution sometimes includes, or depends upon, open source libraries. To comply with the license requirements of open source libraries and licensee’s attribution moral right, below there is a list of open-source software used to build our products – please be informed that all information here is provided “as is” and might be subject to a change by the lecensee:
License
AFL-2.1, Apache-2.0, BSD-2-Clause, BSD-3-Clause, CC-BY-4.0, ISC, JSON, LGPL-2.1*, LGPL-3.0*, Microsoft .NET, ASP NET MVC3 EULA, BlueOak-1.0.0, Bouncy Castle License, 0BSD, Aduna BSD License, BSD-4-Clause, CC-BY-3.0, CC-BY-4.0, CC-BY-SA-2.0 CC-BY-SA-3.0, CC-PDD, CCC0-1.0, JQuery, MPL-1.1, MulanPSL-2.0, OpenSSL, Python-2.0
Library License
MIT, MPL-2.0, MS-PL, PostgreSQL, WTFPL, Zlib

* Die Anwendung ist dynamisch mit der LGPL-Lizenz verknüpft, so dass der proprietäre Code geschützt bleiben kann.

Conflict of Interest Policy

Third-Party Professional Conduct Policy

Nutzung künstlicher Intelligenz

EcoVadis designs, implements, and deploys AI solutions in the responsible way paying close attention to model explainability, monitoring, and main principles of trustworthy AI.

With the rise of generative AI, we invest in AI safety and AI governance and ensure that generative AI solutions have appropriate guardrails in place.