SOC badge

Security you can trust

Confidence in the carbon market starts with confidence in your data’s security.

Data security

Patch’s security standards are built to protect every byte of your information at every stage.

Your data is encrypted at rest

All customer data in our data stores is encrypted while at rest. Moreover, sensitive collections and tables are encrypted at the row level. Because data is encrypted prior to being stored in the database, neither physical nor logical access to the database alone is sufficient to access any sensitive data.

Your data is encrypted in transit

Patch uses TLS 1.2 or higher everywhere data is transmitted over potentially insecure networks. In addition, Patch uses HTTP Strict Transport Security to maximize the security of in-transit data. Server TLS keys and certificates are managed by Amazon Web Services.

Your secrets are protected

Patch’s encryption keys (256-bit Advanced Encryption Standard) are managed via AWS Key Management System (KMS). KMS stores key material in Hardware Security Modules (HSMs), which prevents direct access by any individuals — including employees of Amazon and Patch. The keys stored in HSMs are used for encryption and decryption via Amazon’s KMS APIs. Application secrets are encrypted and stored securely via AWS Secrets Manager and Parameter Store, and access to these values is strictly limited.

Access is limited and documented

Patch adheres to the “Principle of Least Privilege,” which ensures that access to any production system or datastore is limited to only those with a legitimate business need and only granted for the minimum time needed. All access requests are documented.

Product security

The Patch platform is systematically defended against threats


Patch does full penetration testing covering our entire product at a minimum of once a year.


All code changes undergo human review, automated review and analysis, and a comprehensive set of automated tests.


Patch employs constant vulnerability scanning:

  • Static analysis of every code commit
  • Third-party libraries and dependencies
  • Real-time application threat detection

Enterprise security

The Patch team holds ourselves to the highest standards of internal security.

  • SOC 2 Type II Compliant

    Patch is SOC 2 Type II certified. Contact us to read our SOC 2 report.

  • Endpoint protection

    Every Patch device is equipped with mobile device management software and anti-malware protection — all managed centrally.

  • Security education

    Every Patch employee undertakes comprehensive security training during onboarding and every year thereafter. Engineers undertake additional training focused on secure coding principles and practices.

  • Network vulnerability scanning

    Patch’s network systems are monitored for vulnerabilities to either internal or external threats.

  • Intrusion detection

    Patch relies on Amazon GuardDuty to constantly monitor and protect our accounts from malicious activity.

Contact us

For any security matters or responsible disclosure, please contact us at

By clicking “Accept”, you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Privacy Policy for more information.