Legal and platform information

Data Processing and Security Schedule

Security, data processing, provider, logging, API, retention and operational-control terms for Carbon Trader.

Effective date: 30 May 2026. These are the current published terms for Carbon TraderĀ® website and platform use.

Part 17 - Data Processing and Security Schedule

1. Security commitments

Carbon Trader will maintain commercially reasonable administrative, technical and physical safeguards appropriate to the nature of the information processed. These may include access control, authentication, audit logging, encryption, least-privilege administration, secure hosting, vulnerability management, backups and incident response procedures.

2. Access controls

Carbon Trader may use role-based access control, Cognito groups, admin roles, MFA, API scopes, organisation permissions, audit logs and separation of duties for sensitive functions such as admin operations, KYC review, fee schedule publishing, settlement actions and document access.

3. Audit logs

Carbon Trader may log account access, API calls, admin actions, KYC actions, listing changes, mandate updates, settlement actions, fee calculations, document access, webhook events, authentication events and security events.

4. Incident handling

Carbon Trader will triage security incidents, privacy breaches, suspected account compromise, suspicious settlement activity, API key compromise and other operational incidents. Carbon Trader may suspend affected accounts, revoke tokens, rotate keys, pause settlements, notify users, notify regulators and take remedial steps.

5. Backups and recovery

Carbon Trader may maintain backups of platform data and documents. Backup retention, recovery point objectives and recovery time objectives may vary by service and environment.

6. User responsibilities

Users must:

  • keep credentials secret;
  • protect MFA devices;
  • remove access for staff who leave;
  • protect API keys;
  • monitor account activity;
  • check transaction instructions;
  • notify Carbon Trader promptly of suspected compromise.

7. Subprocessors and providers

Carbon Trader may use subprocessors and providers for hosting, authentication, identity verification, payments, communications, analytics, SMS, email, document storage, logging, monitoring, compliance screening, support and marketplace integrations. Carbon Trader may update providers as the platform evolves.

8. Data return and deletion

On account closure, Carbon Trader may provide reasonable export options for available data. Carbon Trader may retain records required for AML/CFT, tax, accounting, financial services, legal, audit, dispute, registry, insurance and operational purposes.

Contact

For questions about this policy, contact Carbon Trader at info@carbontrader.nz.