At ClimatePartner we are committed to protecting the privacy and security of our customers' data with the utmost care and in alignment with globally recognised standards and applicable regulations. Learn more about our Information Security Program below, jump directly to our Data Protection section, or check our official Data Privacy Statement.


Governance and General

  • ClimatePartner has established an Information Security program that is aligned with common global InfoSec standards such as ISO 27001, the CIS Critical Security Controls and OWASP.
  • Senior management is committed to handling information security topics to the highest standards of data protection and compliance, ensuring robust security practices across the organisation. Management reviews of up-to-date KPIs support informed decision-making.
  • Our ISMS is deliberately modelled closely on the requirements of ISO 27001 so that a future certification can be reached with the least additional effort. It includes a broad set of regularly reviewed policies, standards, guidelines and procedures, both general and subject-specific.
  • Our dedicated Information Security experts hold leading international certifications from ISC2 (CISSP, CCSP), ISACA (CISM) and other certification bodies.
  • Outside the Information Security team, Security Champions are established in other parts of the organisation to ensure that security topics are communicated efficiently throughout the entire organisation.

Website of the Alliance for Cyber Security (Allianz für Cyber-Sicherheit)

Cloud Only IT Strategy

  • ClimatePartner uses and operates services exclusively from or in the cloud (Infrastructure-, Platform- or Software-as-a-Service). We are convinced that competent and conscious use of cloud technologies leads to a significant reduction of IT-related risk.
  • Our digital products are operated exclusively in data centres in Germany, on cloud infrastructure from Amazon Web Services (AWS) and the other providers listed in the Data Protection section. AWS meets the highest requirements in terms of information security, IT compliance and data protection (DSGVO/GDPR).
  • For enterprise and corporate IT, ClimatePartner relies on SaaS-based cloud products from Microsoft and other established vendors. Our third-party risk management approach is explained in the Supplier Risk Management section.

IT Risk Management

  • ClimatePartner conducts continuous IT risk management through several processes, closely aligned with ISO 27005.
  • IT risks are documented in a central risk register, and risk review meetings are held on a regular basis.
  • Risk treatment activities are derived from those risks that, according to our risk tolerance statement, can neither be accepted at their assessed level nor transferred or avoided. Follow-up of these activities is tracked in our ticket system.

Asset and Threat Management

  • Information and IT asset management at ClimatePartner ensures visibility and control over where data is processed, and therefore where it must be protected.
  • To build the foundation for a risk-driven Information Security program, we continuously monitor threats from publicly available sources such as MS-ISAC, ENISA CTI and the German BSI, and correlate them against our IT asset classes.

Data Safeguarding

  • To ensure the confidentiality of data in transit and at rest, ClimatePartner applies encryption using publicly vetted algorithms that meet the requirements for strong cryptography set forth by NIST.
  • Encryption keys are managed and safeguarded by FIPS 140-2 compliant key management systems.
  • We monitor the compliance of our TLS endpoints with our encryption standards using several services, such as SSL Labs, UpGuard and SecurityScorecard, always with the target of maintaining an A or A+ grade.

Identity and Access Management

  • Customer and employee identities are stored and maintained within central Identity Providers.
  • Single sign-on is applied wherever possible to consistently enforce authentication standards like multi-factor authentication (MFA) or conditional access, and to simplify identity protection and identity threat monitoring.
  • We follow the zero-trust principle: every access request is verified continuously, regardless of where it originates, to ensure robust protection for our data and systems.

Secure Software Development

  • ClimatePartner has established a Secure Software Development Framework that considers the relevant requirements of ISO 27002:2022, the CIS Critical Security Controls v8 and OWASP.
  • All in-house developed software is kept under version control in our Git environment.
  • Within our CI/CD pipeline, code is automatically checked for flaws and vulnerabilities (SAST, IAST, SCA) before promotion to production.
  • Our software engineers are regularly trained in secure coding and threat modelling practices.

Security Monitoring and Testing

  • All systems at ClimatePartner are configured to log security-relevant (and other) events to central log collection services, where they are automatically analysed and, if necessary, trigger an alarm.
  • Additional technologies (CSPM, Attack Surface Management) continuously monitor our systems for software vulnerabilities and configuration errors.
  • In addition, we regularly engage accredited external penetration-testing companies to test the security of our environments.

System Hardening

  • To ensure that only sufficiently hardened systems are operated, ClimatePartner's container environments are built in line with, and monitored against, the applicable CIS Benchmarks and AWS best practices.
  • Mobile devices (laptops, phones) are centrally managed according to corporate security policies. Only devices that pass the security checks can be used to access customer or corporate data.
  • Endpoint Detection and Response (EDR), including central management, monitoring and reporting, is deployed on the operating-system instances exposed to endpoint threats.

Incident Response

  • ClimatePartner has established a comprehensive Incident Response Framework (IRF) consisting of a descriptive policy, a five-step incident response plan, an incident ticketing system, various incident playbooks and further process documentation.
  • Our Core Incident Team conducts table-top exercises at regular intervals to identify gaps and improve the overall process.
  • Quarterly incident reviews are conducted to ensure that all incidents are handled in compliance with our IRF and to support trend analysis.

Security Awareness and Acceptable Use

  • ClimatePartner ensures continuous security awareness and corporate compliance training via automated quarterly training campaigns. Some training content is assigned individually based on awareness measurements.
  • To keep employees alert to the specific danger of phishing, we run continuous phishing simulations; the results are used to assign additional, targeted training content.
  • As part of our general security awareness training path, all users are automatically provided with our most important policies combined with a mandatory acknowledgement.

Supplier Risk Management

  • ClimatePartner continuously monitors critical and important suppliers for compliance with the requirements set forth in our Supplier Security Management Policy.
  • Before onboarding, every new supplier is risk-assessed following a standardised process, and the results of this assessment are documented.
  • In addition, information security responsibilities are regulated by contractual agreements.

Disaster Recovery & Business Continuity

  • ClimatePartner has conducted a Business Impact Analysis to identify and assess the potential effects of disruptions on our critical business operations and to develop strategies for maintaining continuity and minimising impact.
  • We have defined recovery time objectives (RTO) and recovery point objectives (RPO) for all our critical and important systems.
  • We carry out regular recovery tests to ensure the reliability of our data backups.

Physical Security

  • ClimatePartner does not operate its own data centres but relies on certified data centre services from Amazon, Microsoft and Hetzner within central Europe, mainly Germany.
  • Access to our ClimatePartner offices is only possible for authorised personnel or registered visitors.
  • We have segmented our offices into different security zones (public, internal, restricted) and follow our clean-desk / clear-screen policy.
  • Secure destruction of information on paper or drives is ensured via certified facilities and services. 


Data Protection

  • Processors: ClimatePartner uses the following providers for data processing services:
    • Amazon Web Services EMEA SARL, 38 Avenue John F. Kennedy, L-1855 Luxembourg
    • Microsoft Deutschland GmbH, Walter-Gropius-Straße 5, D-80807 München
    • Hetzner Online GmbH, Industriestr. 25, D-91710 Gunzenhausen
  • Data Storage Locations: ClimatePartner products are operated exclusively in data centres within Germany, on cloud infrastructure from Amazon Web Services (AWS), Microsoft and Hetzner Online GmbH.
  • Data Retention: Personally identifiable information (PII) is stored only for as long as required to fulfil its purpose, or longer where applicable regulatory retention requirements prevail.
  • Data Disposal: Upon termination of our agreement, we initiate the deletion of all personal data whose retention by ClimatePartner is no longer necessary. For activity and emission data collected during the customer relationship, we refer to our General Terms and Conditions.
  • Data Safeguarding Measures: All data at rest and in transit is encrypted using strong cryptography (e.g. AES-256 at rest, TLS 1.2 or higher in transit). Anonymisation and pseudonymisation are used on a case-by-case basis, depending on the application or use case.