Investment Grade Protection ESG Reporting

We’ve put in place the systems, people and processes to keep your data secure. We use state-of-the-art techniques and cutting-edge security to protect your data. We offer you 100% investment grade protection.


To ensure your data is safe, We comply with the leading, most demanding requirements, such as SOC 2 type II.. Though SOC 2 type II is not a requirement for being considered ‘safe’, we consider each record in our data as classified and important. We make the utmost effort to ensure your data is secured, private, available and being tested for integrity.

SOC II Certification

ESG Playbook is SOC 2 Certified

We know that data and Information systems security are a pivotal focus of our regulatory industry. To give you peace of mind, ESG Playbook received SOC 2 certification, which ensures that users have a fully secure experience while using our software solutions.

SOC 2 is a report that evaluates an organization’s compliance with information system security, confidentiality, privacy, availability and processing integrity. It’s based on the Trust Services Criteria (TSC) by the Auditing Standards Board of the American Institute of Certified Public Accountants’ (AICPA).

ISO 27001 Certification

ISO 27001, SOC 1, SOC 2 & SOC 3 Certified

ESG Playbook uses the Firebase Google Cloud Platform (GCP), and Firebase is certified under major privacy and security standards. All Firebase services (aside from App Distribution and Firebase App Indexing) have successfully completed the ISO 27001 and SOC 1, SOC 2, and SOC 3 evaluation process, and some have also completed the ISO 27017 and ISO 27018 certification process.

Compliance reports and certificates for Firebase services governed by the GCP Terms of Service may be requested via the Compliance Reports Manager.

Supported Security Compliance Protocols

ESG Playbook actively reviews privacy standards like the protocols listed below to ensure we are compliant in the jurisdictions our customers operate in.

  • California Consumer Privacy Act (CCPA)
  • Federal Information Security Management Act of 2002 (FISMA)
  • General Data Protection Regulation (GDPR)
  • Gramm–Leach–Bliley Act (GLBA)
  • Payment Card Industry Data Security Standard (PCI DSS)

US & European data regions

Where we store data

Our platform is hosted on the US-Central multi-region a secure Google Cloud data center located in the United States. We can also deploy your data to regions in the US and Europe.

Local and private data services

Optional client local or private data services

We can do a custom installation and adaptation of the platform to run locally if your company prefers to run services locally and/or outside of Google Cloud services.

Secure data infrastructure

The ESG Playbook platform is hosted on Google Cloud, which is known in the industry for its’ local data centers (faster access to data), secure facilities with strong security practices and servers that adhere to strong sustainability standards.

How Google Cloud tackles security

Google Cloud has put in place a host of security measures to keep its data centers safe, including:

  • Custom servers with built-in redundancy and automatic backups
  • Robust disaster recovery and prevention measures in the event of a fire, power failure or other disruption
  • Secure physical locations with perimeter defense systems and a 24/7 security team
  • An enterprise risk management program for risk assessment and mitigation
  • Local and regional security operations centers for monitoring and year-round testing

Why Google Cloud is a sustainable choice

Google Cloud follows sustainability practices, which aligns naturally with ESG Playbook’s goal of building a sustainable advantage.

Google Cloud has two significant advantages, namely, a reduction in security risks and an increase in our platform’s performance,

Google Cloud’s hyper-efficient data centers use half as much energy as other infrastructure and reports:

  • 0 net carbon emissions
  • 1.1 power usage effectiveness score
  • 11% overhead energy

Strict data management policies and practices

In compliance with SOC 2, ESG Playbook adheres to best practices including data encryption, authentication with granular roles and permissions, confidentiality, privacy, availability and processing integrity. We have the processes in place to make sure only the right people can access your data.

Issue tracking

We track customer issues via an internal JIRA-like work item manager. Issues can be submitted via the feedback form on the ESG Playbook web app or via email to Issues are responded to promptly and generally resolved within 24 hours. Relevant users will be updated on the issue progress.

Data back-up

We have created a function and scheduler in Google Cloud Platform (GCP). The schedule runs daily at midnight and the back-up is stored in the back-up storage. Retrieving a back-up is administered starting with a formal request from the company management.


We require our team members to document every authentication and permission rule change within our application. We capture authentication level logs to be able to fully audit access. In addition, authentication rule changes are captured via Google Cloud Platform’s logging as another tier of protection.

Data encryption

Google Cloud encrypts all data at rest, by default. This means all communications between your web browser and our software and between our application’s front end, back end and database are encrypted using a transport layer security (TLS) protocol.

Production Safe Zone

We limit production level access and multi-factor authentication anywhere that it is enabled. In addition, anyone with production level access cannot access back-ups. This ensures if a potential malicious user gains access to production, they are restricted. This ensures backups and redundancy will not be compromised.

Continuous monitoring and testing

ESG Playbook enforces a number of security measures and protocols to ensure user and company data is safe and secure.

Build and release management

Our application passes a series of automated unit tests and QA testers before reaching production. We are able to roll back changes within an hour in the case of an issue being pushed to production.

Users are notified of new features via the home page sidebar panel under “What’s New on ESG Playbook?”. Kindly note that users must be logged in to view this information.

Vulnerability detection and management

  • We hold monthly reviews of security risks and compliance
  • We facilitate traffic/activity monitoring in order to detect unusual user activity
  • At a development level, we use security analysis tools to help us exclude third-party dependency vulnerabilities
  • Our services are resilient against application level attacks like Cross Site Scripting (CSS) and Distributed Denial of Service (DDoS)

Want to know more?

We’d be happy to show you how our platform works. Reserve a quick call with a specialist.

Learn more about our ESG reporting and management platform and how it helps companies with disclosure, strategy, operations and engaging stakeholders.