Technology
Built for institutional use, with clear boundaries and verifiable behaviour.
The platform is designed as a controlled reporting operating layer rather than a black-box ESG questionnaire tool. The architecture favours transparency, composability, and operational control so teams can understand where data lives, how it is secured, and how disclosures, assumptions, and evidence are linked.
Explicit region selection
Tenants choose their hosting region at onboarding. Data residency is deterministic and inspectable at the tenant level.
No silent data movement
Tenant data is not replicated across regions or environments without deliberate configuration and operational intent.
Clear data ownership
Clients retain ownership of their data, working papers, and supporting evidence. The platform does not repurpose or monetise tenant data.
Enterprise authentication
OIDC and SAML 2.0 support enterprise federation and controlled onboarding.
Tenant-scoped identity model
Users remain represented in the platform database so authorisation can remain consistent even if the identity provider is unavailable.
Reviewable permissions
Access control is applied at project and object level so reporting owners, reviewers, and approvers can be separated cleanly.
Evidence-linked disclosures
Calculations, assumptions, policy references, and supporting files can remain attached to disclosure decisions and review history.
Versioned change history
Changes to data, narrative disclosures, and reporting structure are preserved so teams can reconstruct how a reported position was reached.
Cross-framework reuse
The same underlying evidence can support AASB S1 and AASB S2 workflows, NGER-aligned emissions processes, and broader ESG governance reporting.
Stateless application layer
Application services are horizontally scalable and replaceable without data loss.
Encryption and least privilege
Data is encrypted at rest and in transit, and internal services operate with scoped credentials and minimal permissions.
Assurance-ready operating model
The system is designed to support internal review, external challenge, and audit or assurance preparation rather than only final report assembly.
Client-hosted data and key ownership
For regulated clients with heightened custody requirements, Enverium supports an external data plane model in which data and cryptographic material remain under client control while Enverium operates a constrained application layer.
Customer owns the database and defines the hosting security perimeter.
Customer owns encryption keys through client-managed key management controls.
Private connectivity and no public database exposure are supported.
Logging and auditability can remain anchored in the client environment.
This profile reflects the institutional implementation of the product and its enterprise control model.
Security Stance Summary
Review the control environment, governance, and security posture used for enterprise evaluation.