Ecometrica Ltd

Ecometrica Sustainability Reporting Platform

Ecometrica’s Sustainability Reporting software is an end-to-end environmental accounting and sustainability management solution. It is used by the world’s largest companies to collect a diverse, geo-referenced data set, going beyond traditional sustainability reporting to include streams of useful information on other key corporate indicators such as water, forests and biodiversity.

Features

• In-built emissions factors and conversions database and calculation engine
• Intuitive, controls-based data entry environment
• PwC audit ready outputs and fully transparent audit trail
• Live data analytics module to monitor all emissions
• Reporting module to export pre-set reports such as CDP
• Future proofed for natural capital reporting: geospatial mapping modules
• Robust and secure SaaS platform available 24/7 worldwide
• Multilingual
• Uniquely CDP Gold Partner for Climate Change, Water and Forests
• Social Responsibility and Impact Reporting also available

Benefits

• Reducing time spent entering data and calculating emissions
• Limiting user error risk and improving data accuracy & robustness
• Reducing the time and cost of third party verification
• Improved, transparent cost performance to deliver ROI
• Simplified manual and bulk data entry
• End-to-end, integrated sustainability data management
• Efficient and secure hosted service, little IT involvement
• True global tool used and supported across time-zones
• CDP Score Optimisation and Gap Analysis
• Manage all non-financial data on a single, online platform

£20,000.00 to £65,000.00 a licence a year

Service documents

• Pricing document (pdf)
• Service definition document (pdf)
• Terms and conditions (pdf)
• Modern Slavery statement (pdf)

Framework

G-Cloud 12

Service ID

535755292184006

Contact

Paula McGregor
0131 662 4342
paula.mcgregor@ecometrica.com

Service scope

• Software add-on or extension: No
• Cloud deployment model: Private cloud
• Service constraints: Online access for users required
• System requirements: Internet access

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: Email or online ticketing support. Support response times:; ; Platform users can email our analyst team at any time and we will respond as soon as possible (Monday to Friday, 9-5): users can manage status and priority of support tickets.
• User can manage status and priority of support tickets: No
• Phone support: Yes
• Phone support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support: No
• Onsite support: Yes, at extra cost
• Support levels: Customers access support by agreeing a 'number of days' or support when a license contract is negotiated. The number of days can vary depending on the expertise/skill level in the purchasing organisation or the complexity/scale of applications they wish to run. If customers access our software on a basic license package, support can be purchased at the following rates: 1 day of standard, Senior support - online or phone costs £1,200.00 per day. At times there may be Junior analyst rates available at £850.00 per day.; ; 2-3 day in person training or support in the UK costs £2,500.00. If a higher value license is purchased, support can be built into the agreement and not charged as additional to the customer. This would be agreed in days at contract negotiation stage. (please note these are guidelines and subject to contract review). All customers have a technical account manager.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: To start using the Ecometrica Sustainability platform, we provide onsite or online training (location and/or covid 19 restrictions dependent). The training takes 2-3 days. Users also have access to software guides to help the process and are able to contact our team of analysts to help get started using the platform.
• Service documentation: Yes
• Documentation formats: PDF
• End-of-contract data extraction: Individual users can download their results as a spreadsheet (xls/xlsx) or in a report format (PDF). All files uploaded or added to the system are also available to download directly. For larger exports, a .zip archive can be provided by Ecometrica of all files that have been uploaded to the system.
• End-of-contract process: At the end of the contract, Ecometrica will consult with customer on whether a renewal is appropriate:; ; If yes a renewal contract would be negotiated. ; If not, Ecometrica will fulfill requests from customer regarding data extraction and agree a date to remove access to the platform. This process is not an additional cost to the customer.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
• Application to install: No
• Designed for use on mobile devices: Yes
• Differences between the mobile and desktop service: End users are able to fully interact with the application with either a smart phone or tablet via the web browser. There is no native application required for download.
• Service interface: Yes
• Description of service interface: Our simple to use front end application interface enables users to enter data rapidly (either manually or in bulk), as well as view results in chart, or tabular views, generate reports, and manage the configuration of the application and users (if the user has sufficient permissions). A strict workflow helps to guide the users through the process of a Greenhouse Gas Assessment.
• Accessibility standards: WCAG 2.1 AAA
• Accessibility testing: Accessibility testing; ; We routinely test our platform against WCAG standards using web accessibility validators.
• API: No
• Customisation available: Yes
• Description of customisation: Customers can customise applications, user permissions, as well as key performance indicators, and any assessment questions, and questionnaire groupings. In addition, a logo and colour scheme can also be customized to brand the application. Reports can be customized with a custom title page.

Scaling

• Independence of resources: Our platform is architected in Amazon Web Services to scale both horizontally and vertically. We use autoscaling metrics to track key indicators on our systems such as CPU or RAM usage as custom indicators such as task queue length to automatically scale automatically additional resources to cope with and respond rapid and unpredictable changes in demand within minutes. Notifications are sent and monitored internally whenever autoscaling events occur.

Analytics

• Service usage metrics: Yes
• Metrics types: Service usage metrics; ; Yes; Metrics types; ; We track and log usage metrics throughout the application including but not limited to the number of user sessions, URL requests, specific activity tracking, duration, user location, etc. Client reports of usage for their application(s) can be generated on demand or scheduled.
• Reporting types:
  • Real-time dashboards
  • Regular reports
  • Reports on request

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Other security clearance
• Government security clearance: Up to Security Clearance (SC)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: European Economic Area (EEA)
• User control over data storage and processing locations: Yes
• Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
• Penetration testing frequency: At least once a year
• Penetration testing approach: Another external penetration testing organisation
• Protecting data at rest:
  • Physical access control, complying with CSA CCM v3.0
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Physical access control, complying with another standard
  • Encryption of all physical media
  • Scale, obfuscating techniques, or data storage sharding
• Data sanitisation process: Yes
• Data sanitisation type:
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
• Equipment disposal approach: A third-party destruction service

Data importing and exporting

• Data export approach: Individual users can export their result data in .csv or .PDF format. All files uploaded or added to the system are also available to download directly.
• Data export formats:
  • CSV
  • Other
• Other data export formats: XLS or XLSX
• Data import formats: Other
• Other data import formats: XLS or XSLX

Data-in-transit protection

• Data protection between buyer and supplier networks: TLS (version 1.2 or above)
• Data protection within supplier network: TLS (version 1.2 or above)

Availability and resilience

• Guaranteed availability: The Ecometrica Platform offers a base uptime SLA of 99.95% for unscheduled downtime. In the event of an outage we offer the following with a Recovery Time Objective (RTO). The RTO is our target time for restoring service after an outage, in 50% of cases services would be restored within 4 hours for example. 0-4 hours - 50% 4-8 hours - 45% 8+ hours - 5%.
• Approach to resilience: We use AWS cloud services and Multi-AZ DB Instances. Amazon RDS automatically creates a primary DB Instance and synchronously replicates the data to a standby instance in a different Availability Zone (AZ). Each AZ runs on its own physically distinct, independent infrastructure, and is engineered to be highly reliable. In case of an infrastructure failure, Amazon RDS performs an automatic failover to the standby, so that you can resume database operations as soon as the failover is complete. The Platform has a regular database hourly backup schedule. Static assets are stored and encrypted on Amazon’s S3 service and replicated across two regions.
• Outage reporting: We have a maintenance page with direct contact details that displays in the event of of an unexpected outage. In the event of longer unplanned durations of more than 30 minutes, emails are sent from our analyst team to users so that they are aware of an outage and plan accordingly.

Identity and authentication

• User authentication needed: Yes
• User authentication:
  • 2-factor authentication
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
  • Other
• Other user authentication: SSO and SAML V2 upon request
• Access restrictions in management interfaces and support channels: The platform uses access control with different user roles granting various rights, or actions to segregate access to data or application management features. The roles can be applied on a per user basis. . Clients have full control and responsibility for access privileges on individual users. So you can grant/edit/revoke access permissions to individuals on an as needed basis. Authorization, roles and permissions can be separately set for internal and external data providers.
• Access restriction testing frequency: At least every 6 months
• Management access authentication:
  • 2-factor authentication
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
  • Other
• Description of management access authentication: A centralized authentication service securely manages and validates the authentication of all clients to the platform. The platform uses access control with different user roles granting various rights, or actions to segregate access to data or management functions. For example only an authenticated user explicitly assigned the "Application Administrator" role, can access the administrative functions of the platform.

Audit information for users

• Access to user activity audit information: Users contact the support team to get audit information
• How long user audit data is stored for: At least 12 months
• Access to supplier activity audit information: Users contact the support team to get audit information
• How long supplier audit data is stored for: At least 12 months
• How long system logs are stored for: Between 6 months and 12 months

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: EY CertifyPoint
• ISO/IEC 27001 accreditation date: 27/3/2020
• What the ISO/IEC 27001 doesn’t cover: All AWS provided hardware, software, and hosted infrastructure is covered, All proprietary software and third-party software used is not covered.
• ISO 28000:2007 certification: No
• CSA STAR certification: Yes
• CSA STAR accreditation date: 31/03/2020
• CSA STAR certification level: Level 2: CSA STAR Attestation
• What the CSA STAR doesn’t cover: All AWS provided hardware, software, and hosted infrastructure is covered, All proprietary software and third-party software used is not covered.
• PCI certification: No
• Other security certifications: No

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: No
• Security governance approach: All developer laptops are disk encrypted and password locked when not in use. Master keys for the disks are stored in a secure key pass vault. All servers are configured to only allow shell access via authorized RSA 2048bit keys. In addition, all unauthorized access attempts to the servers are logged and sent to the security response team for immediate action. Amazon AWS provided services are in compliance with ISO 9001, ISO 27001, ISO 27017, ISO 27018, and many other international security and privacy standards (see https://aws.amazon.com/compliance/).
• Information security policies and processes: The internal reporting structure is the IT team members report directly to the Development Manager who reports to the CPO who reports to the CEO and the Board of Directors. Protocols in the event of a penetration attack escalate to complete shutdown and isolation of affected systems. In the event of an attack the general protocol response is as follows: • Make an initial assessment to determine if an actual incident or a false positive is occurring • Communicate the incident internally. • Contain the damage and minimize the risk isolating the server and shutting down if necessary. • Identify the type and severity of the compromise. • Protect evidence of attack wherever possible. • Notify external agencies if appropriate. • Recover affected systems. • Compile and organize incident documentation. • Assess incident damage and cost. • Review the response and update policies.

Operational security

• Configuration and change management standard: Supplier-defined controls
• Configuration and change management approach: Our entire process follows agile software development methodologies mixed with a Kanban Board to manage and track progress on issues and features. All our source code is securely stored using Git and is accessible only by authorized users. Each product has a separate repository, and all products have multiple branches for various issues and features in development at any given time. We also practice code review where developers review each other’s work. All issues and features are tracked in a central management system with strictly enforced process controls. All software design decisions follow the Open Web Application Security Project Guidelines.
• Vulnerability management type: Supplier-defined controls
• Vulnerability management approach: In addition to monitoring CVE alerts and the National Vulnerability Database (https://nvd.nist.gov/vuln/data-feeds) we use a third-party monitoring service to track vulnerabilities in all third-party software libraries used in our applications. We deploy updates to our system on a weekly basis, but can release as needed in the event of a critical vulnerability. In addition we conduct a third party grey box penetration test on an annual basis.
• Protective monitoring type: Supplier-defined controls
• Protective monitoring approach: In the event of an attack the general protocol response is as follows: 1. Make an initial assessment to determine if an actual incident or a false positive is occurring 2. Communicate the incident internally. 3. Contain the damage and minimize the risk isolating the server and shutting down if necessary. 4. Identify the type and severity of the compromise. 5. Protect evidence of attack wherever possible. 6. Notify external agencies if appropriate. 7. Recover affected systems. 8. Compile and organize incident documentation. 9. Assess incident damage and cost. 10. Review the response and update policies.
• Incident management type: Supplier-defined controls
• Incident management approach: In the event of an incident the general protocol response is as follows: • Make an initial assessment to determine if an actual incident or a false positive • Communicate the incident internally. • Contain the damage and minimize the risk isolating the server and shutting down if necessary. • Identify the type and severity of the compromise. • Protect evidence of attack wherever possible. • Notify external agencies if appropriate. • Recover affected systems. • Compile and organize incident documentation. • Assess incident damage and cost. • Review the response and update policies. • Communicate response to affected parties.

Secure development

• Approach to secure software development best practice: Conforms to a recognised standard, but self-assessed

Public sector networks

• Connection to public sector networks: No

Pricing

• Price: £20,000.00 to £65,000.00 a licence a year
• Discount for educational organisations: No
• Free trial available: No

Service documents

• Pricing document (pdf)
• Service definition document (pdf)
• Terms and conditions (pdf)
• Modern Slavery statement (pdf)