We built Emissa for compliance buyers and their suppliers. Security isn't a feature — it's the foundation. Here's exactly how we protect your data.
Emissa runs on infrastructure that has received independent security attestations. We do not claim SOC 2 certification unless or until we have completed a formal audit and can provide the report.
All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher. This includes all API calls, file uploads, and dashboard sessions.
Customer data stored in our Neon PostgreSQL database is encrypted at rest using industry-standard AES-256 encryption provided by the Neon platform.
Our application is hosted on Render (cloud platform) and our database is on Neon PostgreSQL. Both providers maintain SOC 2 Type II attestations for their underlying infrastructure. The Emissa application itself is not yet SOC 2 certified.
We regularly update dependencies and monitor for known vulnerabilities. Our deployment pipeline includes automated checks for outdated packages with known security issues.
Emissa enforces role-based access control. Users have defined roles (owner, admin, viewer) with scoped permissions. Buyer portal sessions are isolated from supplier sessions and expire after 7 days of inactivity.
Emissa is a B2B SaaS application. We collect data to provide the emissions reporting service you signed up for — nothing more.
What we collect: Company name, contact information (name, email, phone), QuickBooks transaction data (vendor names, amounts, dates, category classifications), and emissions calculations. We do not sell your data or share it with third parties beyond the subprocessors listed below.
How we use it: Data is used exclusively to generate Scope 1, 2, and 3 emissions calculations and produce compliance reports in the formats you request. Buyer verification portal data is accessible only to the supplier who sent the invite and the buyer who accepted it.
Data retention: We retain your data for as long as your account is active. You may request deletion of your data at any time by contacting hello@emissa.tech. We will delete or anonymize your data within 30 days of your request, except where retention is required by law.
GDPR & CCPA: Emissa is committed to GDPR and CCPA compliance. If you are a data subject in the EU or California, you have the right to access, correct, or delete your personal data. Contact us at hello@emissa.tech to exercise these rights.
Emissa is sold as an annual subscription. The current pricing is available on our Pricing page. Subscriptions include a 12-month commitment. A setup fee applies to new accounts. Refunds are not provided for partial periods — you are billed annually in advance.
Acceptable use: Emissa is designed for legitimate emissions reporting and compliance workflows. You may not use the service to generate fraudulent reports, impersonate another company, or attempt to gain unauthorized access to buyer verification portals.
Limitation of liability: Emissa provides software tools for emissions calculations. Emissions factors are sourced from publicly available EPA and GHG Protocol data. While we strive for accuracy, Emissa does not guarantee that any generated report will satisfy a specific buyer's audit requirements. You are responsible for reviewing and approving all reports before submission.
If your procurement team requires a Data Processing Agreement (DPA) as part of a vendor security review, we can provide one.
A DPA formalizes our commitments as a data processor under GDPR and other data protection frameworks. It covers data categories, processing purposes, security measures, subprocessor controls, data breach notification, and data subject rights assistance.
We engage third-party subprocessors to deliver the Emissa service. These providers process data only on our behalf and under our instructions. We do not use any subprocessor that would process your emissions data for their own purposes.
| Provider | Service | Category |
|---|---|---|
| Render | Application hosting and deployment | Infrastructure |
| Neon (part of Convex) | PostgreSQL database — customer data, emissions records, report metadata | Infrastructure |
| Stripe | Payment processing — handles subscription billing and card data (we never see full card numbers) | Payments |
| Polsia | AI agent infrastructure and deployment platform — processes app requests in the same way a cloud provider processes workloads | AI Infrastructure |
We will update this list if we add or change subprocessors. Significant changes will be communicated via email to account owners at least 30 days before they take effect.
If you are evaluating Emissa for a compliance procurement review, we are happy to answer security questions and provide supporting documentation. Reach out to our team directly.
hello@emissa.tech