dMRV Platform Operational and Security Framework
This document describes the operational, technical and security practices of the Circonomy dMRV Platform (the "Platform").
- Status and Relationship to the Agreement
- This is a technical supporting document, provided for transparency and information only. It does not form part of the Agreement between Circonomy and the Project Developer, is not contractually binding, and creates no representation, warranty or service-level commitment on the part of Circonomy. The operational targets, security measures and procedures described below reflect Circonomy's current practices and may evolve over time as the Platform develops.
In the event of any conflict between this document and the Agreement, the Service Agreement, the General Terms of the Circonomy dMRV Platform (the "General Terms") and the Circonomy Privacy Policy shall prevail. Capitalised terms used but not otherwise defined in this document have the meaning given to them in the General Terms. - 1. Data Collection and Privacy
- To support a secure and reliable experience on the Platform, Circonomy collects certain technical data when a User accesses the mobile application.
- Data collected: upon login, the Platform automatically collects telemetry and device data, including Device ID, hardware model number, operating system (OS) version, current memory status and battery status.
- Purpose: this data is used to monitor application performance, prevent unauthorized or fraudulent access, and provide targeted technical support where the application crashes or underperforms on a specific device.
- Handling: this device-specific information is treated as Confidential Information. The categories of personal data collected, and how they are handled, are governed by the Circonomy Privacy Policy. It is not shared with, or sold to, external third-party marketing services.
- 2. Data Retention and Backup
- Active retention: all Project Developer Data remains accessible on the Platform for the duration of the Subscription Period.
- Post-termination: upon termination or expiration of the Agreement, Project Developer Data remains available to the Project Developer for export for a period of thirty (30) days, after which access is revoked. This window is consistent with the "Data export on termination" provision of the Service Agreement.
- Regulatory retention: Circonomy may retain the underlying data for longer where required by applicable registry policies or regulatory requirements.
- 3. Platform Availability
- The Platform is provided on an "as is" and "as available" basis, and Circonomy works to minimize disruption. The figures in this section are current operational targets, not contractual commitments (see Status and Relationship to the Agreement above).
- Target uptime: Circonomy targets a monthly Platform uptime of 99.5%, excluding scheduled maintenance.
- Scheduled maintenance: routine maintenance, updates and improvements are scheduled during off-peak hours where possible. Circonomy aims to provide at least forty-eight (48) hours' advance notice of planned maintenance expected to result in downtime.
- Emergency maintenance: for critical security patching or severe operational risk, Circonomy may perform emergency maintenance with immediate effect to protect Platform integrity.
- 4. Technical Support
- Technical support is available via support@circonomy.co and +91 92056 02826. Requests are prioritised by the severity of the issue affecting the Project Developer's workflows. The response and resolution times below are current targets, not contractual commitments.
Severity Description Target Initial Response Target Resolution Plan Critical Platform completely inaccessible or severe data corruption 2 business hours 12 business hours High Core functionality (e.g. data exports or third-party registry integrations) failing 4 business hours 24 business hours Normal General inquiries, minor bugs or UI issues 1 business day 3 business days - 5. Security and Data Breach Protocol
- Circonomy and the Project Developer share responsibility for maintaining the integrity of the Platform. The Project Developer is required to promptly notify Circonomy of any unauthorized access or data issue.
- Security measures: Circonomy employs industry-standard encryption, firewalls and access controls to protect Project Developer Data and Confidential Information.
- Breach notification: in the event of a verified security breach that compromises Project Developer Data or User credentials, Circonomy aims to notify the designated Project Developer Administrator without undue delay, and typically within seventy-two (72) hours of confirming the breach, consistent with the Circonomy Privacy Policy.
- Incident information: such notifications include the nature of the breach, the data compromised, the potential consequences, and the mitigation measures Circonomy is taking to secure the Platform.
- 6. Metadata and Data Processing
- Alongside the Project Developer's core project inputs, the Platform processes supplementary data to maintain data integrity and support Platform capabilities.
- Metadata collection: in addition to Project Developer Data, the Platform automatically generates and collects metadata (for example, timestamps, system logs, audit trails and data-flow metrics). This metadata supports the traceability, auditability and security of the monitoring workflows.
- Processing for improvement: Circonomy may use aggregated and anonymized data (including metadata and project data) to improve the Services, consistent with the General Terms.
- Privacy safeguard: data processed for improvement or analytical purposes is anonymized and aggregated so that it cannot be used to identify the Project Developer or any individual User.
- 7. Data Structuring and Registry Integration
- Data structuring: Circonomy processes, structures and formats Project Developer Data for compatibility with third-party systems, standards and registries, using commercially reasonable efforts to align its data structures, reporting formats and exports with the technical requirements of the applicable standard identified in the Service Agreement.
- Registry transmission: the Platform supports export and, where available, direct API transmission of processed project data to designated third-party registries to support carbon-credit registration and issuance workflows.
- Scope: Circonomy provides technical infrastructure only and does not act as a certification body, verification entity or registry. Transmission of data to a registry does not constitute acceptance or approval by any third party, and Circonomy does not guarantee registration, verification or issuance of carbon credits. These outcomes are determined by independent third parties, as set out in the General Terms.
- 8. Data Security and Redundancy Architecture
- Circonomy employs industry-standard security measures to protect the confidentiality, integrity and availability of project data throughout its lifecycle, and its infrastructure is designed to protect data from physical loss, unauthorized access and cyber threats.
- Source-level redundancy: initial data is captured and stored on hardened, tamper-evident storage media at the pyrolysis equipment site, so that a physical record exists at the point of origin.
- Processing integrity: once transmitted, data is ingested into Circonomy's database infrastructure, where it is structured, validated and persisted into the respective operational tables.
- Geographic replication: for disaster recovery, the database is continuously replicated to a separate, high-availability environment in a different geographic region, supporting data continuity in the event of regional infrastructure failures.
- Encryption: data in transit between the hardware at the pyrolysis site, the Platform and Circonomy's storage environments is protected using industry-standard encryption protocols (e.g. TLS 1.3 or higher). Data at rest is encrypted using high-strength algorithms (e.g. AES-256).
- Security monitoring: Circonomy maintains 24/7 security monitoring of the Platform infrastructure, including threat detection, automated logging of system access, and regular vulnerability assessments.
- 9. VVB Access for Audit and Verification
- During an audit or verification period, the Platform grants the Project Developer's designated Verification and Validation Body (VVB) read-only access to the production data of the Project, for the purpose of reviewing the data collection processes, methodologies and outputs relating to the Project. Such access is provided in a timely manner, by the means determined by Circonomy, limited to the data and scope reasonably necessary for the audit, and is conditional on the VVB being bound by confidentiality obligations no less protective than those in the General Terms.
- Scope of access: this access enables the VVB to review the project data relevant to the audit or verification, consistent with the audit and verification provisions of the General Terms.
- Use in credit decisions: the Project Developer acknowledges that the VVB uses this data to evaluate compliance with project methodologies and standards, and that the data accessed may inform the VVB's independent decisions on validation, verification and the acceptance or rejection of carbon credits.
- No liability for outcomes: Circonomy provides the technical infrastructure for this access and acts solely as a facilitator. Circonomy has no liability for the independent decisions, audit outcomes or credit-issuance results determined by the VVB based on the data accessed through the Platform.