Security
Last updated: September 5, 2025
Security at Carbonhound
At Carbonhound, protecting your data is a top priority. We maintain strict security standards and follow industry best practices to safeguard information at every step. Our security program is designed to meet SOC 2, Type 2 standards and is regularly audited for effectiveness.
Compliance
Carbonhound is SOC 2, Type 2 compliant for the year 2024. Our independent audit was conducted by Insight Assurance and successfully completed on February 6, 2025.
SOC 2 certification is a rigorous process that involves a comprehensive review of our security controls, policies, and procedures by an independent third party. It demonstrates our ongoing commitment to maintaining the highest standards for data security, availability, and confidentiality.
A copy of our most recent SOC 2 report is available upon request.
Data Storage
Storage Location
Carbonhound uses Google Cloud Platform (GCP) as our hosting provider. Our primary systems are housed in Iowa, USA. All customer data within GCP is encrypted both at rest and in transit.
Access Management
Access to production systems is restricted on a need-to-know basis. Only authorized Carbonhound employees who require access to perform their role are granted permissions. We enforce role-based access controls, least-privilege principles, and secure authentication mechanisms to protect customer data.
Data Retention
Carbonhound respects your right to be forgotten. At your request, we will export and permanently remove your data from our systems. By default, customer data is retained only as long as necessary to provide our services and support analytics and product improvements. System logs are retained for up to 12 months before being securely deleted.
Data Usage
Carbonhound may use anonymized operational data to improve our product, for example, to generate industry-wide benchmarks or enhance reporting accuracy. We are committed to using client data ethically and responsibly, ensuring that no data used for product improvements is ever identifiable to a specific customer. This data is never sold to third parties.
Encryption
At Rest: All data stored in Google Cloud Platform (GCP), including files, databases, and compute instances, is encrypted at rest using industry-standard encryption algorithms (e.g. AES-256).
In Transit: We employ encryption protocols for all data transmitted between you and our systems. Secure channels using SSL/TLS ensure that sensitive data remains protected in motion.
Authorized Subprocessors (CHC Service only)
For our Carbonhound CHC Service, we engage carefully selected subprocessors to assist in secure data collection and processing. Each subprocessor is reviewed for security and compliance, and each aligns with Carbonhound’s SOC 2 Type 2 security commitment.
(Note: These subprocessors apply only to the CHC Service.)
Company | Description | Country | Security Information |
---|---|---|---|
Deck | Bill retrieval for utility provider accounts | USA | Security \| Deck |
Reducto.ai | PDF processing | USA | Reducto API Policies |
Questions or Reports
If you have any questions about our security practices, or if you believe you’ve discovered a vulnerability, please contact us at hello@carbonhound.com.