Vie privée et confiance

Certifications

Quality (ISO 9001)

EcoVadis souhaite « guider toutes les entreprises vers un monde durable » et s’appuie pour cela sur quatre objectifs principaux :

Fournir des informations et notations RSE à la fois indépendantes, fiables et exploitables grâce à une méthodologie d’excellence ;
Permettre au plus grand nombre possible d’entreprises d’améliorer en continu leurs pratiques commerciales tout en contribuant à créer une économie régénérative et équitable ;
Cultiver un environnement d’apprentissage inclusif pour notre personnel, en fournissant du travail porteur de sens et en habilitant les générations futures de professionnels de la RSE ;
Favoriser l’action collective au sein de notre écosystème pour accélérer la transition vers un monde durable.

EcoVadis has developed a quality management system (QMS) which is certified ISO 9001 (please see the certificate). We actively pursue ever-improving quality through a process management system that enables each employee to do their job right the first time and every time in a safe and stimulating work environment. It is supported by our tailor made and self-developed IT platform which guides employees through the whole process.

We constantly put our efforts into continuously improving the processes by being advised by specialized bodies like our methodology committee.

Programme de formation des employés

Tous les nouveaux arrivants bénéficient de programmes de formation à la sécurité de l’information et à la qualité pendant leur période d’embarquement, avec des quiz et des notes de passage pour vérifier l’efficacité de la formation. Une remise à niveau annuelle suivie de quiz est obligatoire pour tous les employés.

Action corrective et préventive

Nous visons l’amélioration continue par l’identification des domaines d'amélioration pour éliminer les non-conformités ou empêcher qu'elles ne se reproduisent. Un exemple étant l’utilisation de l’outil de qualité pour la détection des non-conformités et l’obtention de retours sur information via le processus d’évaluation.

Customer Complaints

Les plaintes des clients et des fournisseurs ainsi que les problèmes internes sont signalés, enregistrés et gérés par une plateforme de gestion des incidents. Tous les incidents sont examinés régulièrement par les parties concernées et résolus dans un délai donné.

Audit interne

Le programme d'audit interne est établi sur une période de trois ans. Les audits de sécurité de l'information sont réalisés deux fois par an et tous les processus internes sont soumis à un audit de qualité au moins une fois par an. Les résultats des audits sont examinés et abordés lors de nos revues de direction.

Information Security (ISO 27001)

EcoVadis propose un service de notation RSE complet, via une plateforme Saas globale basée sur le cloud et hébergée dans Microsoft Azure ; l’un des fournisseurs de services d’hébergement cloud les plus fiables.

Nous nous engageons à fournir le plus haut niveau de sécurité de l'information et à nous améliorer continuellement afin de protéger les données de toutes les parties prenantes contre les menaces envers la sécurité de l'information dans un paysage en évolution. C’est pour cette raison qu’EcoVadis a développé un système de gestion de la sécurité de l’information (SGSI) régulièrement soumis à des audits assurés par des tiers pour vérifier la conformité avec la norme ISO/IEC 27001 (veuillez consulter le certificat et la déclaration d’applicabilité).

Notre SGSI nous permet d'exploiter et de maintenir systématiquement la sécurité de l'information dans nos processus et services commerciaux et de déterminer et d'appliquer les mesures de sécurité nécessaires sur la base de notre évaluation des risques.

Information Security Governance

Our Information Security Policies are subject to regular review and updates to ensure their timeliness, accuracy, and continued alignment with applicable compliance requirements and industry best practices. We maintain a dedicated, in-house team responsible for the development, maintenance, and monitoring of information security. Priorities are established globally within our organization to provide a coherent vision for the protection of organizational assets.

Asset Management and Tenancy

We maintain a precise and current inventory of all service-related assets. Information is formally classified based on legal requirements, value, criticality, and sensitivity to unauthorized disclosure or modification. Utilizing Azure as a multi-tenant service, we enforce logical separation to ensure the complete isolation of data between customers.

Third-Party Risk Management

Information security requirements are established for suppliers that may access, process, store, communicate, or provide IT infrastructure components. We conduct periodic cybersecurity and data security risk assessments of suppliers with access to our network or sensitive data, with defined follow-up actions being formally tracked and implemented.

Security Operations and Incident Response

A 24/7 Security Operations Center (SOC) provides continuous monitoring and protection of systems and data. We have implemented robust measures to ensure a consistent and effective approach to managing information security incidents. Our security incident management process includes maintaining written procedures, using all reasonable efforts to mitigate consequences, and client notification.

Business Continuity and Disaster Recovery (BCP)

We ensure that information processing facilities are implemented with sufficient redundancy to meet availability requirements. Service performance, availability, and real user experience are continuously monitored (please see our platform’s uptime report where service performance, availability and real user experience are constantly monitored). Backups are performed and tested regularly in accordance with the defined backup policy.

Awareness, Education, and Training

Personnel are subject to mandatory, ongoing information security awareness, education, and training. This program is designed to align with EcoVadis IT Security standards, educate staff on secure operating practices for IT systems, and ensure comprehension of applicable security threats. Simulated phishing campaigns are conducted frequently to enhance cybersecurity awareness and test personnel response protocols.

Prior to Employment

In accordance with legal and regulatory mandates, systematic reference checks are performed during the selection process for all candidates. Furthermore, criminal background verification is conducted for all new hires where legally authorized, such as for personnel based in the U.S.

Contrôle des accès

Access rights and privileges to EcoVadis information systems and network domains are allocated based on a Role-Based Access Control (RBAC) model, strictly adhering to the principles of need-to-know and least privilege.

Client Access Management

Clients retain control over their user environment. The client platform administrator is empowered to manage user accounts, including creation and deactivation. Platform access is primarily secured via username and password authentication, with Single Sign-On (SSO) capability offered to requesting companies (please contact your usual commercial contact for more information).

Cryptographie

All data is protected both at rest and in transit utilizing industry-approved encryption algorithms and methods. Secrets are securely stored and managed in accordance with established industry best practices.

Sécurité des opérations

Change Management and Hardening

Changes impacting the organization, business processes, information processing facilities, and systems are formally controlled. We follow rigorous security hardening guidelines, including the Center for Internet Security (CIS) Benchmarks for operating systems and Microsoft Azure hardening guides for cloud services.

Monitoring and Threat Management

Monitoring and detection technologies are implemented to identify, prevent, and manage malware, vulnerabilities, and other security-relevant events across our infrastructure.

Sécurité des communications

Network access to internal services and servers is restricted and secured. We utilize a Web Application Firewall (WAF – please see details here and leverage Azure Front Door, a cloud Content Delivery Network (CDN), to ensure high performance, scalability, and a secure user experience.

System Acquisition, Development and Maintenance.

Security is integrated into our SDLC via adherence to industry standards. New developments are subject to mandatory testing and validation processes before deployment. Development, testing, and operational environments are separated.

Our platforms are hosted in Microsoft Azure datacenters located in the EU. According to a shared responsibility model in the cloud, physical security controls fall under the obligation of Microsoft. More information about the controls can be found here.

To ensure the continuous integrity and resilience of our platform, we maintain a multi-layered security program. Our approach combines automated real-time monitoring with deep-dive manual analysis across several security domains. This defense-in-depth strategy includes:

Security tests

Application Security Testing: integrating Static Application Security Testing (SAST) for deep code analysis, Software Composition Analysis (SCA) to monitor open-source dependencies, and Dynamic Application Security Testing (DAST) to evaluate the application in a running state, on top of our specialists’ regular manual and automated reviews.
Infrastructure Reviews: relying on our Cloud Security Posture Management solutions (CSPM), and different vulnerability scanning platforms and automations.
Secure Access: On top of our perimeter controls, such as our Web Application Firewall (WAF), our SASE framework provides secure, encrypted connectivity for our global workforce, ensuring that security policies are applied consistently at the “edge,” closest to the user.
Independent Validation: In addition to internal reviews and our certifications, we engage reputable third-party security firms to conduct Annual Penetration Tests.

Remediation Targets

We prioritize the resolution of security findings based on their severity. Our structured remediation targets ensure that critical risks are addressed with urgency:

Critical – 7 days
High – 1 month
Medium – 3 months
Low – no specific due date is determined

While we strive to meet these timeframes, final remediation schedules may be adjusted based on the complexity of the fix and the specific risk context.

Independent validation

On top of this, our commitment to security is validated by independent auditors and industry-standard rating planforms:

ISO 27001: We use this standard as our main reference for information security management.
Standardized Assessments: We maintain up-to-date profiles on major security risk platforms, including Cybervadis, CyberGRX, and Whistic. Results may be shared on demand.
CSP certifications: Microsoft Azure certifications are available in the Service Trust Portal

Information Security Governance

Our Information Security Policies are subject to regular review and updates to ensure their timeliness, accuracy, and continued alignment with applicable compliance requirements and industry best practices. We maintain a dedicated, in-house team responsible for the development, maintenance, and monitoring of information security. Priorities are established globally within our organization to provide a coherent vision for the protection of organizational assets.

Asset Management and Tenancy

We maintain a precise and current inventory of all service-related assets. Information is formally classified based on legal requirements, value, criticality, and sensitivity to unauthorized disclosure or modification. Utilizing Azure as a multi-tenant service, we enforce logical separation to ensure the complete isolation of data between customers.

Third-Party Risk Management

Information security requirements are established for suppliers that may access, process, store, communicate, or provide IT infrastructure components. We conduct periodic cybersecurity and data security risk assessments of suppliers with access to our network or sensitive data, with defined follow-up actions being formally tracked and implemented.

Security Operations and Incident Response

A 24/7 Security Operations Center (SOC) provides continuous monitoring and protection of systems and data. We have implemented robust measures to ensure a consistent and effective approach to managing information security incidents. Our security incident management process includes maintaining written procedures, using all reasonable efforts to mitigate consequences, and client notification.

Business Continuity and Disaster Recovery (BCP)

We ensure that information processing facilities are implemented with sufficient redundancy to meet availability requirements. Service performance, availability, and real user experience are continuously monitored (please see our platform’s uptime report where service performance, availability and real user experience are constantly monitored). Backups are performed and tested regularly in accordance with the defined backup policy.

Awareness, Education, and Training

Personnel are subject to mandatory, ongoing information security awareness, education, and training. This program is designed to align with EcoVadis IT Security standards, educate staff on secure operating practices for IT systems, and ensure comprehension of applicable security threats. Simulated phishing campaigns are conducted frequently to enhance cybersecurity awareness and test personnel response protocols.

Prior to Employment

In accordance with legal and regulatory mandates, systematic reference checks are performed during the selection process for all candidates. Furthermore, criminal background verification is conducted for all new hires where legally authorized, such as for personnel based in the U.S.

Contrôle des accès

Access rights and privileges to EcoVadis information systems and network domains are allocated based on a Role-Based Access Control (RBAC) model, strictly adhering to the principles of need-to-know and least privilege.

Client Access Management

Clients retain control over their user environment. The client platform administrator is empowered to manage user accounts, including creation and deactivation. Platform access is primarily secured via username and password authentication, with Single Sign-On (SSO) capability offered to requesting companies (please contact your usual commercial contact for more information).

Cryptographie

All data is protected both at rest and in transit utilizing industry-approved encryption algorithms and methods. Secrets are securely stored and managed in accordance with established industry best practices.

Sécurité des opérations

Change Management and Hardening

Changes impacting the organization, business processes, information processing facilities, and systems are formally controlled. We follow rigorous security hardening guidelines, including the Center for Internet Security (CIS) Benchmarks for operating systems and Microsoft Azure hardening guides for cloud services.

Monitoring and Threat Management

Monitoring and detection technologies are implemented to identify, prevent, and manage malware, vulnerabilities, and other security-relevant events across our infrastructure.

Sécurité des communications

Network access to internal services and servers is restricted and secured. We utilize a Web Application Firewall (WAF – please see details here and leverage Azure Front Door, a cloud Content Delivery Network (CDN), to ensure high performance, scalability, and a secure user experience.

System Acquisition, Development and Maintenance.

Security is integrated into our SDLC via adherence to industry standards. New developments are subject to mandatory testing and validation processes before deployment. Development, testing, and operational environments are separated.

Our platforms are hosted in Microsoft Azure datacenters located in the EU. According to a shared responsibility model in the cloud, physical security controls fall under the obligation of Microsoft. More information about the controls can be found here.

To ensure the continuous integrity and resilience of our platform, we maintain a multi-layered security program. Our approach combines automated real-time monitoring with deep-dive manual analysis across several security domains. This defense-in-depth strategy includes:

Security tests

Application Security Testing: integrating Static Application Security Testing (SAST) for deep code analysis, Software Composition Analysis (SCA) to monitor open-source dependencies, and Dynamic Application Security Testing (DAST) to evaluate the application in a running state, on top of our specialists’ regular manual and automated reviews.
Infrastructure Reviews: relying on our Cloud Security Posture Management solutions (CSPM), and different vulnerability scanning platforms and automations.
Secure Access: On top of our perimeter controls, such as our Web Application Firewall (WAF), our SASE framework provides secure, encrypted connectivity for our global workforce, ensuring that security policies are applied consistently at the “edge,” closest to the user.
Independent Validation: In addition to internal reviews and our certifications, we engage reputable third-party security firms to conduct Annual Penetration Tests.

Remediation Targets

We prioritize the resolution of security findings based on their severity. Our structured remediation targets ensure that critical risks are addressed with urgency:

Critical – 7 days
High – 1 month
Medium – 3 months
Low – no specific due date is determined

While we strive to meet these timeframes, final remediation schedules may be adjusted based on the complexity of the fix and the specific risk context.

Independent validation

On top of this, our commitment to security is validated by independent auditors and industry-standard rating planforms:

ISO 27001: We use this standard as our main reference for information security management.
Standardized Assessments: We maintain up-to-date profiles on major security risk platforms, including Cybervadis, CyberGRX, and Whistic. Results may be shared on demand.
CSP certifications: Microsoft Azure certifications are available in the Service Trust Portal

Règlement général sur la protection des données de l'UE

EcoVadis believes that the GDPR is an important step to strengthen and harmonize data protection of EU citizens’ personal data. As a data controller for the provided Sustainability services Ecovadis is committed to comply with GDPR and as far as they are applicable to international data protection regulations and to put in place the best practices.

Ecovadis uses the ISO 27001 standard, for which we are certified, as a framework and integrates personal data protection aspects in its management system. We use the complementary ISO 27701 framework to meet GDPR and data protection requirements. Our data protection practices and compliance are confirmed by a third party audit.

For the data processing performed outside of the EEA, we have in place Standard Contractual Clauses (SCCs) with our subsidiaries.

Nous sélectionnons toujours avec soin nos fournisseurs (sous-traitants) et nous exigeons la conclusion d'accords de protection des données avec les sous-traitants et des clauses contractuelles types (CC) ou des règles d'entreprise contraignantes (RAC) en cas de traitement en dehors de la région de l'EEE pour pouvoir travailler pour nous. Nous nous attachons à choisir des abonnements auprès de fournisseurs pour que les données soient hébergées sur des serveurs basés en Europe. Nous avons recours aux fournisseurs suivants pour proposer notre service :

Entité juridique	Adresse	But	Traitement et transfert de données	Informations supplémentaires sur la sécurité
ZenDesk Inc	1019 Market Street, San Francisco, CA 94103 USA	Centre d'aide	Lien	Lien
SFDC SAS	SFDC France 3 Avenue Octave Gréard 75007 Paris France	CRM et support client	Lien	Lien
Microsoft France SAS	Microsoft France SAS 37 Quai du Président Roosevelt, 92130 Issy-les-Moulineaux, FRANCE	Hébergement de la plateforme d'évaluation de la durabilité	Lien	Lien
Google Cloud France	Google Cloud France 8 Rue de Londres, 75009 Paris, France	Communication avec les clients	Lien	Lien
Docebo S.p.A. Limited	Limited 6th floor, 48 Gracechurch Street, London – UK	Plateforme d'e-learning	Lien	Lien
Pendo.io Inc.	150 Fayetteville St #140027601 Raleigh NC, USA	Analyse de la plateforme et sondage auprès de la clientèle	Lien	Lien
Productboard Inc.	612 Howard streetCA 94105 San Francisco CA, USA	Gestion des produits et sondage auprès de la clientèle	Lien	Lien
SurveyMonkey Inc.	910 Park Pl, Suite 300, San Mateo, CA 94403, ÉTATS-UNIS	Sondage auprès de la clientèle	Lien	Lien
Aircall SAS	11 Rue Saint Georges, 75009 Paris, FRANCE	Enregistrement des appels	Lien	Lien
HubSpot France SAS	24 Rue Cambacérès 75008 Paris France	Marketing & Customer communication	Lien	Lien

Hubspot Inc	2 Canal Park, Cambridge, Massachusetts, 02141, US	Marketing & Customer communication	Lien	Lien

Amazon Web Services Canada, Inc.	120 Bremner Blvd, 26th Floor, Toronto, Ontario, M5J 0A8, Canada	Hosting of ULULA service (Human rights due diligence platform) integrated with the Sustainability assessment platform	Lien	Lien

We rely on the recommendations on additional measures issued by the French Data protection authority CNIL and the European Data Protection Board concerning the possibilities of transferring data to countries outside the EEA based on SCCs (or BCR).

Learn more in our statement of data privacy

Contrôle des exportations et conformité aux sanctions

EcoVadis s'engage à respecter l'ensemble des lois et réglementations applicables à un opérateur de services en ligne à vocation générale, y compris, mais sans s'y limiter, la législation de la France et des États-Unis d'Amérique, en ce qui concerne ses propres lieux d'exploitation des services.

Restrictions de destination

Compte tenu des risques commerciaux globaux, les produits et services EcoVadis ne sont pas disponibles pour l'exportation, la réexportation, le transfert et/ou l'utilisation dans les pays/régions suivants (sous réserve de modifications sans préavis) :

les régions de Crimée, Donetsk et Luhansk
Cuba
Iran
Corée du Nord
Syrie

En outre, les transactions avec ou liées à certaines destinations qui présentent des risques élevés sont soumises à des exigences de diligence raisonnable renforcées.

End-user Restrictions

Les produits et services d'EcoVadis ne sont pas accessibles aux entités et aux personnes avec lesquelles les transactions sont interdites en vertu des lois applicables en matière de contrôle des exportations et de sanctions, y compris celles figurant sur toute liste de parties sanctionnées (par exemple, la liste des sanctions de l'Union européenne, les listes de ressortissants américains spécialement désignés (SDN), l'OFAC, les sanctions du Conseil de sécurité des Nations unies, les listes locales où EcoVadis est présent).

Restrictions relatives à l'utilisation finale

Les Services EcoVadis ne doivent pas être utilisés à des fins interdites par les lois d'exportation applicables, y compris, sans limitation, pour le développement, la conception, la fabrication ou la production d'armes nucléaires, chimiques ou biologiques de destruction massive.

Documents and Resources

General Terms and conditions

Conditions générales d'utilisation - Droit américain

Déclaration relative à la vie privée

Rapport sur le temps de fonctionnement de la plate-forme

Clauses contractuelles types pour les entreprises à l'origine de la demande

Rapport de conformité d'accessibilité WCAG Edition

Clauses contractuelles types pour les entreprises évaluées

Clauses contractuelles types pour les partenaires

ISO 27001:2022

ISO 9001:2015

Statement of Applicability

Code d'éthique

Suplier Code of conduct

Déclaration d’EcoVadis sur l’esclavage moderne

*Open source libraries or components related to any of the applicable services. EcoVadis solution sometimes includes, or depends upon, open source libraries. To comply with the license requirements of open source libraries and licensee’s attribution moral right, below there is a list of open-source software used to build our products – please be informed that all information here is provided “as is” and might be subject to a change by the lecensee:
License
AFL-2.1, Apache-2.0, BSD-2-Clause, BSD-3-Clause, CC-BY-4.0, ISC, JSON, LGPL-2.1*, LGPL-3.0*, Microsoft .NET, ASP NET MVC3 EULA, BlueOak-1.0.0, Bouncy Castle License, 0BSD, Aduna BSD License, BSD-4-Clause, CC-BY-3.0, CC-BY-4.0, CC-BY-SA-2.0 CC-BY-SA-3.0, CC-PDD, CCC0-1.0, JQuery, MPL-1.1, MulanPSL-2.0, OpenSSL, Python-2.0
Library License
MIT, MPL-2.0, MS-PL, PostgreSQL, WTFPL, Zlib

* L'application est liée dynamiquement à la licence LGPL, ce qui permet de conserver le code propriétaire.

Conflict of Interest Policy

Third-Party Professional Conduct Policy

Utilisation de l’intelligence artificielle

EcoVadis designs, implements, and deploys AI solutions in the responsible way paying close attention to model explainability, monitoring, and main principles of trustworthy AI.

With the rise of generative AI, we invest in AI safety and AI governance and ensure that generative AI solutions have appropriate guardrails in place.