Information Security
Overview
Geofund is the leading platform to empower businesses with automated product traceability. Our solution empower businesses to automate transaction-level traceability to streamline certifications, and deliver audit-ready chain-of-custody for industrial inputs and sustainable materials globally.
At Geofund, we understand the importance of keeping our customer's information secure. We value security as a top priority and implemented a comprehensive security program. We understand that trust is earned and we are dedicated to earning and maintaining customer trust.
If there is something we can do to earn your trust, let us know at security@geofund.io.
Compliance
Documents
2025 Security Packet
Download
2025 Internal Audit Report
Download
Please submit your email to request for access.
Organizational Controls
CONTROL
STATUS
Policies for information security
Geofund maintains robust security and topical policies that are communicated to key personnel and reviewed at least annually. |
Information security roles and responsibilities
Geofund maintains defined security roles and responsibilities that are documented and updated based on organizational needs.
Segregation of duties |
Conflicting duties are separated among roles and personnel to mitigate conflicts of interest or bad actors.
Management responsibilities
Geofund requires all personnel to apply information security in accordance with the established information security policy, topic-specific policies and procedures of the organization.
Contact with authorities
Geofund maintains contact with relevant authorities.
Contact with special interest groups
Geofund maintains contact with special interest groups, specialist security forums, and professional associations.
Threat intelligence
Geofund collects information relating to information security to produce threat intelligence.
Information security in project management
Geofund integrates information security into project management.
Acceptable use of information and other associated assets
Geofund documents and implements rules for the acceptable use and procedures for handling information and other associated assets.
Return of assets
Personnel and other interested parties return all of Geofund's assets in their possession upon change or termination of their employment, contract or agreement.
Classification of information |
Geofund classifies information according to the information security needs of the organization based on confidentiality, integrity, availability and relevant interested party requirements. |
Labelling of information |
Geofund maintains an appropriate set of procedures for information labeling.
Information transfer
Geofund maintains information transfer rules between the organization and other parties.
Access control
Geofund maintains rules to control physical and logical access to information.
Authentication information
Geofund controls allocation and management of authentication information such as passwords, including advising personnel on the appropriate handling of authentication information.
Access rights
Geofund provisions and reviews access rights to information and other associated assets regularly in line with relevant policies.
Information security in supplier relationships
Geofund maintains and enforces a policy on supplier security.
Addressing information security within supplier agreements
Geofund establishes and enforces relevant information security requirements with each supplier based on the type of supplier relationship.
Managing information security in the ICT supply chain
Geofund maintains ICT suppy chain security standards.
Monitoring, review and change management of supplier services
Geofund monitors and responds to changes in supplier security practices.
Information security for use of cloud services
Geofund maintains a policy governing the use of cloud services and relevant security practices.
Information security incident management planning and preparation
Geofund defines and maintains information security incident management roles and responsibilities.
Assessment and decision on information security events
Geofund assesses all information security events and to determine if they are to be categorized as information security incidents.
Response to information security incidents
Geofund responds to information security incidents in accordance with governing procedures.
Learning from information security incidents
Geofund documents lessons learned from all information security incidents to strengthen and improve information security controls.
Collection of evidence
Geofund establishes and implements procedures for the identification, collection, acquisition and preservation of evidence related to information security events.
Information security during disruption
Geofund maintains and reviews contigency plans to maintain information security at appropriate levels during disruptions.
ICT readiness for business continuity
Geofund maintains ICT readiness requirements, including recovery time objectives for key vendors and processes.
Legal, statutory, regulatory and contractual requirements
Geofund documents and complies with legal, statutory, regulatory and contractual requirements relevant to information security.
Intellectual property rights
Geofund stringently protects the intellectual property rights of its customers, partners, and stakeholders.
Protection of records
Geofund maintains record management practices including storage, maintenance, destruction, and access.
Privacy and protection of PII
Geofund stringently protects personally identifiable information in all systems.
Independent review of information security
Geofund's information security policies, procedures and practices are regularly reviewed by third parties including external experts and auditors.
Compliance with policies, rules and standards for information security
Geofund regularly reviews compliance levels with the organization's information security policy, topic-specific policies, rules and standards
Documented operating procedures
Geofund documents key procedures for information security and makes them available when relevant.
Employee Termination Checklist and Asset Return Control
Geofund uses a termination checklist to ensure that an employee's system access, including physical access, is removed within a specified timeframe and all organization assets (physical or electronic) are properly returned.
Vendor Compliance Review
Geofund maintains a directory of its key vendors, including their compliance reports. Critical vendor compliance reports are reviewed annually.
Information Security Roles and Competencies
Geofund has an established list of applicable information security roles and specified skill and competence level required for each role.
Vendor Management Policy
Geofund has a defined vendor management policy that establishes requirements of ensuring third-party entities meet the organization's data preservation and protection requirements.
Business Associate Agreement Policy
Geofund has a defined policy that establishes the requirements related to Business Associate Agreements.
External Communication of Security Commitments
Geofund's security commitments are communicated to external users, as appropriate.
Data Privacy Controls
CONTROL
STATUS
Consent for PII Collection
Geofund has established a process to obtain consent from a data subject prior to collecting PII. |
Consent Withdrawal Process
Geofund has an established process for acknowledging, logging, and documenting withdrawal of consent.
Geofund Privacy Policy Requirements
Geofund's Privacy Policy includes: Purpose for collecting personal information; Choice and consent; Types of personal information collected; Methods of collection (for example, use of cookies or other tracking techniques); Use, retention, and disposal; Access; Disclosure to third parties; Security for privacy; Quality, including data subjects' responsibilities for quality; Monitoring and enforcement.
Lawful Processing and ROPA
Geofund has an established and documented record of processing activity (ROPA), which includes evidence of lawful collection and use, including defined purpose of processing.
Privacy Program Scope
Geofund has a well-defined documented scope that reflects the boundaries and applicability of its Privacy Program.
Data Subject Rights Management
Geofund has an established process to properly manage data subject rights.
PII Disclosure Reporting and Retention
Geofund properly reports and retains records of PII disclosures to include PII disclosed to third parties, requests for legally-binding PII disclosures, subcontractors or sub-processors used for PII processing in accordance with contractual requirements, and changes in subcontractors.
Data Subject Request Management
Geofund tracks and manages requests from data subjects, and provides a response to valid requests within 30 days.
DPA Management and Compliance
Company has an established process to collect, review, and maintain Data Processing Agreements (DPAs) with all vendors and partners that process personal data, ensuring compliance with applicable data protection laws and contractual requirements.
Privacy Policy Control
Geofund maintains a Privacy Policy that is available to all external users and internal employees, and it details the Geofund's confidentiality and privacy commitments.
Annual Privacy Policy Review
Geofund's management reviews privacy policies and procedures annually to ensure that personal information is used in conformity with the purposes identified in the privacy notice.
Special Category Data Collection Controls
Geofund's record of processing activity (ROPA) includes conditions for allowable collection of special categories of personal data.
PII Processing Impact Assessment
Geofund conducts a data protection impact assessment when required or when planning for the processing of new, or changing the processing of existing, PII.
PII Management Assignment
Geofund has formally assigned an independent and capable member to manage PII-related matters.
PII Transfer Policy
Geofund has established policies and procedures (e.g. Privacy Policy) for the transfer and transmission of PII to a non-EU country or international organization.
Joint PII Controller Roles and Responsibilities
Geofund has determined roles and responsibilities for the processing of PII with joint PII controllers.
Sensitive Information Handling and Disposal
Geofund maintains policies and procedures to properly identify, label and store sensitive information (e.g., PII, PHI, Cardholder Data, etc.), and to manage and document the use, transfer, storage, and disposal of physical media containing sensitive information. Personnel are trained and made aware of how to handle sensitive information and report related incidents.
Data Minimization
Geofund's collection of personal information is limited to that necessary to meet the entity's objectives.
Personal Information Usage Control
Geofund only uses personal information for the purposes identified in the entity's privacy policy.
Clear and Transparent Data Subject Communication
Geofund communicates its obligations to data subjects in a clear and transparent manner.
EU Representative Designation
Geofund, which is a controller/processor not established in the EU, has designated in writing a representative in an EU member state to manage all data processing issues concerning Geofund.
Data Processing Agreement and Technical/Organizational Measures
Geofund has data processing agreements in place with data processing ecosystem parties which include minimum technical and organizational measures designed to meet the objectives of Geofundâs privacy program.
Vulnerability Scanning and Remediation
Geofund engages with third-party to conduct vulnerability scans of the production environment at least quarterly. Results are reviewed by management and high priority findings are tracked to resolution.
Third-Party Personal Information Recipient Listing
Geofund's privacy practices posted on their website include the list of third parties authorized to receive personal information.
Authorized Third-Party PII Access Control
Geofund maintains a documented list of third parties and vendors that are authorized to receive or access PII.