Security

Last updated: February 16, 2026

1. Infrastructure Security

EmitIQ is hosted on AWS with enterprise-grade security controls. Our infrastructure includes private VPCs, encrypted RDS instances, and hardened ECS Fargate containers with no public SSH access. All services run in the US-West-2 region with multi-AZ redundancy.

2. Data Encryption

All data is encrypted at rest using AES-256 and in transit using TLS 1.3. Database connections require SSL. S3 buckets use server-side encryption with AWS KMS managed keys. Backup data is encrypted with separate key hierarchies.

3. Multi-Tenant Isolation

EmitIQ uses row-level security (RLS) in PostgreSQL to ensure complete tenant data isolation. Each API request is scoped to the authenticated tenant via middleware-enforced context. Cross-tenant data access is architecturally impossible.

4. Authentication & Access Control

We use JWT-based authentication with short-lived access tokens and secure refresh token rotation. Role-based access control (RBAC) enforces least-privilege access. All authentication events are logged in an immutable audit trail.

5. Compliance

EmitIQ is designed to meet SOC 2 Type II, GDPR, and CCPA requirements. We maintain comprehensive audit logs, implement data retention policies, and support data subject access requests. Our platform aligns with the GHG Protocol reporting standards.

6. Incident Response

We maintain a documented incident response plan with defined severity levels and escalation procedures. Security incidents are communicated to affected customers within 72 hours. For security concerns, contact us at [email protected].