At EcoVadis, Quality and Information Security are very important to us. We are committed to maintaining effective business processes and to support them with the most demanding Security practices. Our Trust Center is here to help you understand what we are doing to ensure quality and data security in the CSR rating services that we provide.
EcoVadis is committed to create a reliable CSR rating system that is consistent over time and offers comparability so that suppliers can be benchmarked across the wide variety of sectors and countries.
EcoVadis has developed a quality management system (QMS) which is certified ISO 9001. We actively pursue ever-improving quality through a process management system that enables each employee to do their job right the first time and every time in a safe and stimulating work environment. It is supported by our tailor made and self-developed IT platform which guides employees through the whole process. We constantly put our efforts into continuously improving the processes by being advised by specialized bodies like our methodology committee. Components of our Quality Management System include:
Training is an essential part of the Quality Management. Employee involvement, staff knowledge, effectiveness and reliability is key. EcoVadis has developed a complete training program for new starters, all new employees are trained according to the training plan developed by their Business Unit and function to address specific needs. In addition to this, Employees are receiving a general training program that includes a series of trainings related to Quality, Security, Ethics and CSR.
EcoVadis encourages its employees to develop their skills and receive appropriate training (internal and/or external) to develop their work potential and employability. In particular, CSR analysts are required to attend regular trainings specific to their job responsibilities for the evaluation, scoring and validation of supplier activities in relation to CSR themes and criteria.
EcoVadis has established a Corrective and Preventive Action system to identify areas of improvement for current products and processes, and also to eliminate non-conformities or prevent reoccurrence. At each stage of the evaluation process, a quality check form (QCF) is filled in by the assigned downstream analyst in charge of identifying quality issues and defining corrective actions. This process is in place to ensure that our service meets delivery requirements. The analysis of the QCF allows us to guarantee the quality and reliability of the EcoVadis ratings and to identify training needs for our CSR analysts.
Client and Suppliers complaints are handled through our Incident Management Process. All received complaints are recorded and reviewed on a regular basis.
A 3 years internal audit program has been established to ensure the integrity and continuous improvement of the Quality Management System. It is reviewed on a yearly basis during our management review.
The ISAE 3000 audit conducted by PwC Germany provides assurance about EcoVadis’ operational and security controls in alignment with the AICPA’s trust services principles. The ISAE 3000 audit provides third-party validation and testing of the design and operating effectiveness of the company’s processes, quality procedures, and security practices by examining samples of actual operational activities throughout the first six months of 2016.
The Quality management system governing development, operation and all of the supporting processes of EcoVadis online collaborative platform allowing companies to assess and monitor corporate and social responsibility performance of their suppliers is ISO 9001:2015 certified. This standard is based on a number of quality management principles including a strong customer focus, the motivation and implication of top management, the process approach and continual improvement. It helps ensure that customers get consistent, good quality products and services, which in turn brings many business benefits. Our Compliance is certified by PwC Certification B.V, an independent and accredited certification body.
EcoVadis is committed to provide the highest level of Information Security and to continuously improve in order to protect all stakeholders’ data in an evolving landscape of information security threats.
For this reason, EcoVadis has established an Information Security management system (ISMS) which is certified ISO27001 and which enables us to systematically operate and maintain information security in our business processes and services and to determine and apply the necessary security measures based on our risk assessment. We have a security incident management process in place in order to detect and remediate security incidents in the future. Penetration tests are performed on a regular basis in order to assess our IT infrastructure and identify vulnerability and improvement areas.
The ISMS and QMS build an integrated management system allowing us to ensure the availability, integrity, confidentiality and traceability of information. All data are stored and processed in ISO 27001 certified data centers located in the EU and geographically apart. Policies and Processes include:
The terms and conditions of the EcoVadis assessment platform have been designed to guarantee your data confidentiality. The information you provide are kept confidential and cannot be shared without your approval. Learn more in our terms and conditions
One major pillar for the success of the ISMS is security awareness of all EcoVadis employees. EcoVadis Employees are regularly trained on information security to keep them updated about current issues and best practices by attending a yearly refresher training and taking a test on our practices and policies.
All new hired employees have to participate in a mandatory information security training as part of the induction training. EcoVadis employees must follow the set of information security policies that are regularly reviewed. Employees also go through a regular phishing test to raise the cyber awareness.
EcoVadis believes that the GDPR is an important step to strengthen and harmonize data protection of EU citizens’ personal data. As a data controller Ecovadis is committed to comply with regulations and to put in place the best practices.
Ecovadis uses the ISO 27001 standard, for which we are certified, as a framework and integrates personal data protection aspects in its management system.
There is no certification available yet to demonstrate GDPR compliance, but we have implemented our data protection practices and confirmed our good practices by a third party audit.
For the data processing performed outside of the EU, we have in place contractual clauses with our entities and Ecovadis is currently registered for the EU-U.S. Privacy Shield.
We always carefully select our providers and we require their acceptance of data protection clauses to be able to work for us. We use the following major processors:
|Legal Entity||Address||Transfer to Non-EEA: Transfer Safeguard||Additional Security Information|
|ZenDesk||1019 Market Street,
San Francisco, CA 94103 USA
|Privacy Shield if transfer to U.S.||https://www.zendesk.com/
|SFDC||2 Henry Adams St,
San Francisco, CA 94103 USA
|Privacy Shield if transfer to U.S.||https://trust.salesforce.com/|
|Microsoft Azure||Microsoft Campus,
Redmond, WA 98052 USA
|Privacy Shield if transfer to U.S.||https://azure.microsoft.com/
|1600 Amphitheatre Parkway
Mountain View, CA 94043 USA
|Privacy Shield if transfer to U.S.
Data Processing Amendment to G Suite
Learn more in our statement of data privacy
EcoVadis employees are required to sign a code of conduct and a confidentiality clause as part of their employment contract prior to access to our platform. The clause prohibits any disclosures of confidential information concerning the business of EcoVadis and its customers. The obligations and duties remain valid even after termination.
The information security management system governing development and operations of EcoVadis online collaborative platform allowing companies to assess and monitor the environmental, social and ethical risk and performance of their suppliers is ISO/IEC 27001:2013 certified. ISO/IEC 27001:2013 is one of the most widely recognised information security standards.
Our Compliance is certified by PwC Certification B.V, an independent and accredited certification body.