Carbon Footprint Inventory. Deep dive

Security and compliance.

Bardo is enterprise-grade. Here is what that actually means.

This is a simplified overview of our security and compliance posture. For a detailed walkthrough including controls documentation, audit reports, and architecture diagrams, book a session with one of our quality assurance specialists.

Security

How is our data protected?

Bardo is SOC 2 Type II certified and built to enterprise standards. Protecting customer data is a core responsibility we take seriously in how we build, operate, and improve the platform.

Certifications and compliance

  • SOC 2 Type II. Independently verified security controls.
  • GDPR compliant. DPA with SCCs where applicable.
  • ISO 27001 in progress, certification work planned to complete this year. Hosting practices already follow ISO 27001 standards.
  • Data deletion within 90 days of termination, in line with GDPR and DPA requirements.

Live status and policy details: trust.bardo.se.

Encryption

All of our databases are encrypted:

  • In transit: TLS 1.2+ for all uploads and API calls.
  • At rest: AES-256 encryption for all stored data.

Network architecture

  • IP allowlisting
  • Cloud-native firewalls
  • Zero-trust architecture
  • Immutable audit logs with user, time, and before/after snapshots

Access controls

  • RBAC and MFA are standard for every team. SSO is available with Enterprise contracts or as an add-on.
  • Least-privilege principles, with quarterly access reviews.

Where is our data hosted?

Sweden, on Azure. All hosting and processing happens in Swedish-hosted Azure infrastructure. Nothing leaves the EU. Customer-specific data residency arrangements are available on request.

Monitoring and incident response

Centralised logging and monitoring with anomaly alerts. Documented disaster recovery plans and a formal incident response process with timely customer notifications.

Secure SDLC with code reviews, dependency scanning, environment separation, and regular third-party penetration testing.

How do you handle our data in your AI models?

Reasoning models run in controlled environments. No third-party provider receives customer data with training rights. Human review labels are stored as training data, but raw documents are not. Models are evaluated offline before promotion, with version documentation.

Who owns the data?

You do. Bardo processes and stores data on your behalf, but ownership stays with you. You can export every activity and every calculation as Excel or CSV at any time.

Generated emission factors and methodology improvements become part of the platform, so your inventory gets more accurate over time. Emission factors tailored to your specific business or needs can be securely and exclusively controlled by you.

Subprocessors and retention

Transparent subprocessor list at http://bardo-technology.com/subprocessors, with change notifications.

Data is retained only during your active subscription. Upon termination, data is securely deleted or returned within 90 days.

Talk to security

If your security team has specific questions, we have specific answers. Send us your DPA and we will work through it together.

GHG Protocol aligned
SOC 2 Type II
Hosted in the EU
CSRD-ready reporting
End-to-end encryption
Try for yourself

See what we'd find in your data.

We'll analyze a sample of your invoices and show you what real carbon data looks like for your organization.