Ecometrica Ltd

Ecometrica Sustainability Reporting Platform

Ecometrica’s Sustainability Reporting software is an end-to-end environmental accounting and sustainability management solution. It is used by the world’s largest companies to collect a diverse, geo-referenced data set, going beyond traditional sustainability reporting to include streams of useful information on other key corporate indicators such as water, forests and biodiversity.

Features

  • In-built emissions factors and conversions database and calculation engine
  • Intuitive, controls-based data entry environment
  • PwC audit ready outputs and fully transparent audit trail
  • Live data analytics module to monitor all emissions
  • Reporting module to export pre-set reports such as CDP
  • Future proofed for natural capital reporting: geospatial mapping modules
  • Robust and secure SaaS platform available 24/7 worldwide
  • Multilingual
  • Uniquely CDP Gold Partner for Climate Change, Water and Forests
  • Social Responsibility and Impact Reporting also available

Benefits

  • Reducing time spent entering data and calculating emissions
  • Limiting user error risk and improving data accuracy & robustness
  • Reducing the time and cost of third party verification
  • Improved, transparent cost performance to deliver ROI
  • Simplified manual and bulk data entry
  • End-to-end, integrated sustainability data management
  • Efficient and secure hosted service, little IT involvement
  • True global tool used and supported across time-zones
  • CDP Score Optimisation and Gap Analysis
  • Manage all non-financial data on a single, online platform

Pricing

£20,000.00 to £65,000.00 a licence a year

Service documents

Framework

G-Cloud 12

Service ID

535755292184006

Contact

Ecometrica Ltd, Paula McGregor
Telephone: 0131 662 4342
Email: paula.mcgregor@ecometrica.com

Service scope

Software add-on or extension
No
Cloud deployment model
Private cloud
Service constraints
Online access for users required
System requirements
Internet access

User support

Email or online ticketing support
Email or online ticketing
Support response times
Platform users can email our analyst team at any time and we will respond as soon as possible (Monday to Friday, 9-5): users can manage status and priority of support tickets.
User can manage status and priority of support tickets
No
Phone support
Yes
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
No
Onsite support
Yes, at extra cost
Support levels
Customers access support by agreeing a 'number of days' of support when a licence contract is negotiated. The number of days can vary depending on the expertise/skill level in the purchasing organisation or the complexity/scale of applications they wish to run. If customers access our software on a basic licence package, support can be purchased at the following rates: one day of standard senior support (online or phone) costs £1,200.00 per day. At times there may be junior analyst rates available at £850.00 per day.

2-3 days of in-person training or support in the UK costs £2,500.00. If a higher value licence is purchased, support can be built into the agreement and not charged as additional to the customer. This would be agreed in days at contract negotiation stage. (Please note these are guidelines and subject to contract review.) All customers have a technical account manager.
Support available to third parties
Yes

Onboarding and offboarding

Getting started
To start using the Ecometrica Sustainability platform, we provide onsite or online training (dependent on location and/or COVID-19 restrictions). The training takes 2-3 days. Users also have access to software guides to help the process and are able to contact our team of analysts to help get started using the platform.
Service documentation
Yes
Documentation formats
PDF
End-of-contract data extraction
Individual users can download their results as a spreadsheet (xls/xlsx) or in a report format (PDF). All files uploaded or added to the system are also available to download directly. For larger exports, a .zip archive can be provided by Ecometrica of all files that have been uploaded to the system.
End-of-contract process
At the end of the contract, Ecometrica will consult with the customer on whether a renewal is appropriate:

  • If yes, a renewal contract would be negotiated.
  • If not, Ecometrica will fulfil requests from the customer regarding data extraction and agree a date to remove access to the platform. This process is not an additional cost to the customer.

Using the service

Web browser interface
Yes
Supported browsers
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install
No
Designed for use on mobile devices
Yes
Differences between the mobile and desktop service
End users are able to fully interact with the application with either a smart phone or tablet via the web browser. There is no native application required for download.
Service interface
Yes
Description of service interface
Our simple-to-use front-end application interface enables users to enter data rapidly (either manually or in bulk), view results in chart or tabular views, generate reports, and manage the configuration of the application and users (if the user has sufficient permissions). A strict workflow helps to guide users through the process of a Greenhouse Gas Assessment.
Accessibility standards
WCAG 2.1 AAA
Accessibility testing
We routinely test our platform against WCAG standards using web accessibility validators.
API
No
Customisation available
Yes
Description of customisation
Customers can customise applications, user permissions, key performance indicators, assessment questions, and questionnaire groupings. In addition, a logo and colour scheme can be customised to brand the application. Reports can be customised with a custom title page.

Scaling

Independence of resources
Our platform is architected in Amazon Web Services to scale both horizontally and vertically. We use autoscaling metrics to track key indicators on our systems, such as CPU or RAM usage, as well as custom indicators such as task queue length, to automatically add resources within minutes in response to rapid and unpredictable changes in demand. Notifications are sent and monitored internally whenever autoscaling events occur.

Analytics

Service usage metrics
Yes
Metrics types
We track and log usage metrics throughout the application including but not limited to the number of user sessions, URL requests, specific activity tracking, duration, user location, etc. Client reports of usage for their application(s) can be generated on demand or scheduled.
Reporting types
  • Real-time dashboards
  • Regular reports
  • Reports on request

Resellers

Supplier type
Not a reseller

Staff security

Staff security clearance
Other security clearance
Government security clearance
Up to Security Clearance (SC)

Asset protection

Knowledge of data storage and processing locations
Yes
Data storage and processing locations
European Economic Area (EEA)
User control over data storage and processing locations
Yes
Datacentre security standards
Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency
At least once a year
Penetration testing approach
Another external penetration testing organisation
Protecting data at rest
  • Physical access control, complying with CSA CCM v3.0
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Physical access control, complying with another standard
  • Encryption of all physical media
  • Scale, obfuscating techniques, or data storage sharding
Data sanitisation process
Yes
Data sanitisation type
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
Equipment disposal approach
A third-party destruction service

Data importing and exporting

Data export approach
Individual users can export their result data in .csv or .PDF format. All files uploaded or added to the system are also available to download directly.
Data export formats
  • CSV
  • Other
Other data export formats
XLS or XLSX
Data import formats
Other
Other data import formats
XLS or XLSX

Data-in-transit protection

Data protection between buyer and supplier networks
TLS (version 1.2 or above)
Data protection within supplier network
TLS (version 1.2 or above)

Availability and resilience

Guaranteed availability
The Ecometrica Platform offers a base uptime SLA of 99.95% for unscheduled downtime. In the event of an outage we offer the following Recovery Time Objective (RTO). The RTO is our target time for restoring service after an outage; for example, in 50% of cases services would be restored within 4 hours:

  • 0-4 hours: 50%
  • 4-8 hours: 45%
  • 8+ hours: 5%
Approach to resilience
We use AWS cloud services and Multi-AZ DB Instances. Amazon RDS automatically creates a primary DB Instance and synchronously replicates the data to a standby instance in a different Availability Zone (AZ). Each AZ runs on its own physically distinct, independent infrastructure, and is engineered to be highly reliable. In case of an infrastructure failure, Amazon RDS performs an automatic failover to the standby, so that you can resume database operations as soon as the failover is complete. The Platform has a regular database hourly backup schedule. Static assets are stored and encrypted on Amazon’s S3 service and replicated across two regions.
Outage reporting
We have a maintenance page with direct contact details that displays in the event of an unexpected outage. For unplanned outages lasting more than 30 minutes, emails are sent from our analyst team to users so that they are aware of the outage and can plan accordingly.

Identity and authentication

User authentication needed
Yes
User authentication
  • 2-factor authentication
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
  • Other
Other user authentication
SSO and SAML V2 upon request
Access restrictions in management interfaces and support channels
The platform uses access control with different user roles granting different rights or actions, to segregate access to data or application management features. The roles can be applied on a per-user basis. Clients have full control of, and responsibility for, the access privileges of individual users, so you can grant, edit or revoke access permissions for individuals on an as-needed basis. Authorisation, roles and permissions can be set separately for internal and external data providers.
Access restriction testing frequency
At least every 6 months
Management access authentication
  • 2-factor authentication
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
  • Other
Description of management access authentication
A centralised authentication service securely manages and validates the authentication of all clients to the platform. The platform uses access control with different user roles granting different rights or actions, to segregate access to data or management functions. For example, only an authenticated user explicitly assigned the "Application Administrator" role can access the administrative functions of the platform.

Audit information for users

Access to user activity audit information
Users contact the support team to get audit information
How long user audit data is stored for
At least 12 months
Access to supplier activity audit information
Users contact the support team to get audit information
How long supplier audit data is stored for
At least 12 months
How long system logs are stored for
Between 6 months and 12 months

Standards and certifications

ISO/IEC 27001 certification
Yes
Who accredited the ISO/IEC 27001
EY CertifyPoint
ISO/IEC 27001 accreditation date
27/3/2020
What the ISO/IEC 27001 doesn’t cover
All AWS-provided hardware, software, and hosted infrastructure is covered; all proprietary software and third-party software used is not covered.
ISO 28000:2007 certification
No
CSA STAR certification
Yes
CSA STAR accreditation date
31/03/2020
CSA STAR certification level
Level 2: CSA STAR Attestation
What the CSA STAR doesn’t cover
All AWS-provided hardware, software, and hosted infrastructure is covered; all proprietary software and third-party software used is not covered.
PCI certification
No
Other security certifications
No

Security governance

Named board-level person responsible for service security
Yes
Security governance certified
No
Security governance approach
All developer laptops are disk-encrypted and password-locked when not in use. Master keys for the disks are stored in a secure key/password vault. All servers are configured to allow shell access only via authorised 2048-bit RSA keys. In addition, all unauthorised access attempts to the servers are logged and sent to the security response team for immediate action. Amazon AWS-provided services are in compliance with ISO 9001, ISO 27001, ISO 27017, ISO 27018, and many other international security and privacy standards (see https://aws.amazon.com/compliance/).
Information security policies and processes
The internal reporting structure is as follows: IT team members report directly to the Development Manager, who reports to the CPO, who reports to the CEO and the Board of Directors. Protocols in the event of a penetration attack escalate to complete shutdown and isolation of affected systems. In the event of an attack the general protocol response is as follows:

  • Make an initial assessment to determine if an actual incident or a false positive is occurring.
  • Communicate the incident internally.
  • Contain the damage and minimise the risk, isolating the server and shutting down if necessary.
  • Identify the type and severity of the compromise.
  • Protect evidence of attack wherever possible.
  • Notify external agencies if appropriate.
  • Recover affected systems.
  • Compile and organise incident documentation.
  • Assess incident damage and cost.
  • Review the response and update policies.

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
Our entire process follows agile software development methodologies mixed with a Kanban Board to manage and track progress on issues and features. All our source code is securely stored using Git and is accessible only by authorized users. Each product has a separate repository, and all products have multiple branches for various issues and features in development at any given time. We also practice code review where developers review each other’s work. All issues and features are tracked in a central management system with strictly enforced process controls. All software design decisions follow the Open Web Application Security Project Guidelines.
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
In addition to monitoring CVE alerts and the National Vulnerability Database (https://nvd.nist.gov/vuln/data-feeds) we use a third-party monitoring service to track vulnerabilities in all third-party software libraries used in our applications. We deploy updates to our system on a weekly basis, but can release as needed in the event of a critical vulnerability. In addition we conduct a third party grey box penetration test on an annual basis.
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
In the event of an attack the general protocol response is as follows:

1. Make an initial assessment to determine if an actual incident or a false positive is occurring.
2. Communicate the incident internally.
3. Contain the damage and minimise the risk, isolating the server and shutting down if necessary.
4. Identify the type and severity of the compromise.
5. Protect evidence of attack wherever possible.
6. Notify external agencies if appropriate.
7. Recover affected systems.
8. Compile and organise incident documentation.
9. Assess incident damage and cost.
10. Review the response and update policies.
Incident management type
Supplier-defined controls
Incident management approach
In the event of an incident the general protocol response is as follows:

  • Make an initial assessment to determine if an actual incident or a false positive is occurring.
  • Communicate the incident internally.
  • Contain the damage and minimise the risk, isolating the server and shutting down if necessary.
  • Identify the type and severity of the compromise.
  • Protect evidence of attack wherever possible.
  • Notify external agencies if appropriate.
  • Recover affected systems.
  • Compile and organise incident documentation.
  • Assess incident damage and cost.
  • Review the response and update policies.
  • Communicate the response to affected parties.

Secure development

Approach to secure software development best practice
Conforms to a recognised standard, but self-assessed

Public sector networks

Connection to public sector networks
No

Pricing

Price
£20,000.00 to £65,000.00 a licence a year
Discount for educational organisations
No
Free trial available
No