
Partner Policy

Draft: November 2025

1. Purpose of this Policy

The Carbon Foundation (“Carbon Foundation”, “we”, “us”, “our”) routinely receives highly sensitive information from governments, First Nations and Indigenous partners, project owners and developers, brokers and intermediaries, financial institutions and investors (together, “Partners”).

This Investor / Partner Information Policy (the “Policy”) sets out how we receive, use, protect and disclose such information, and how we meet our confidentiality, information security and data protection obligations across all jurisdictions in which we operate.

​

This Policy is designed to work alongside:

​

  • Our Privacy Policy and Cookie Policy

  • Our Confidentiality / Non-Disclosure Agreements (NDAs) with specific Partners

  • Our Information Security, Data & MRV Governance and Carbon Claims & Transparency policies

  • Applicable laws and regulations (including the EU GDPR, UK GDPR, and equivalent regimes)

 

In the event of any conflict between this Policy and a signed NDA or contract with a Partner, the stricter confidentiality standard will apply.

 

2. Scope and who this Policy applies to

This Policy applies to all information provided to us by Partners in connection with, for example:

​

  • Carbon projects (existing or proposed)

  • Sovereign or governmental frameworks and negotiations

  • MRV (Measurement, Reporting and Verification) data and methodologies

  • Registry operations, trading arrangements and offtake structures

  • Investment, financing and due diligence processes

  • Strategic partnerships, joint ventures and other commercial arrangements

 

It binds:

​

  • All employees, officers and directors of the Carbon Foundation group

  • Long-term consultants, contractors and advisers who have access to Partner information

  • Any third-party service providers who process such information on our behalf, under contract

 

3. Definitions

For the purposes of this Policy:

​

  • Partner Information means any information provided to us by or on behalf of a Partner, whether in written, oral, visual or electronic form, including documents, data, models, analyses, presentations, correspondence and meeting notes.

  • Confidential Information means Partner Information that is:

    • Marked or described as “confidential”, “private” or similar; or

    • Reasonably understood by its nature or context to be confidential, including:

      • Commercial strategies, financial models, pricing and valuation data

      • Technical specifications, methodologies, proprietary MRV systems and know-how

      • Governmental and sovereign proposals, draft frameworks and negotiation positions

      • Project-level operational, engineering and environmental data

      • Business plans, forecasts, investor presentations and term sheets

      • Personal data relating to identifiable individuals (which is also subject to our Privacy Policy and data protection laws)

  • Personal Data has the meaning given in applicable data protection laws (e.g. EU/UK GDPR).

 

4. Principles governing Partner Information

 

We handle all Partner Information in accordance with the following principles:

​

  1. Purpose limitation – We only use Partner Information for the specific, legitimate purposes for which it was provided or as otherwise permitted under a signed agreement or by law.

  2. Confidentiality by default – We treat Partner Information as confidential unless it is demonstrably public or expressly stated otherwise.

  3. Need-to-know access – We restrict access to Partner Information to individuals and teams who need to know it for the agreed purpose.

  4. Proportionality – We only request the minimum information reasonably necessary to perform the agreed work and comply with legal obligations.

  5. Security and integrity – We apply appropriate technical and organisational measures to protect Partner Information against unauthorised access, loss, alteration or disclosure.

  6. Transparency – We are clear with Partners about how their information will be used, who may have access and under what circumstances it might be disclosed.

  7. Compliance with law and contract – We comply with all applicable laws and regulations, and with the specific terms of our contracts and NDAs with Partners.

 

5. How we use Partner Information

 

We may use Partner Information for the following purposes (as relevant to the relationship):

​

  • Assessing, structuring and delivering carbon projects, including eligibility, feasibility, MRV design and methodology application

  • Designing and operating sovereign-aligned frameworks and registries

  • Conducting due diligence on projects, offtake arrangements and counterparties

  • Supporting structuring of carbon-linked financial products, investments and offtakes

  • Fulfilling our contractual obligations to Partners

  • Complying with legal, regulatory, audit and reporting obligations

  • Internal governance, risk management, quality assurance and dispute resolution

 

We do not use Partner Information for any purpose that is inconsistent with the purpose for which it was provided, unless:

​

  • We have obtained the Partner’s explicit prior consent; or

  • It is required by law, regulation or a competent authority (see “Limited and lawful disclosures” below).

 

6. Confidentiality commitments

Subject to the disclosure provisions below, we will not disclose Confidential Information to any third party without:

​

  • A legitimate need to know for the purposes described in this Policy; and

  • Appropriate contractual and confidentiality protections in place.

 

We will not:

​

  • Disclose Confidential Information to competing project owners or investors in a way that could reasonably be expected to disadvantage the Partner;

  • Use Confidential Information to pursue projects, structures or opportunities against the clearly expressed interests of the Partner;

  • Publicly reference the Partner’s identity or specific projects without prior agreement, except where such information is already public or disclosure is required by law.

 

Where we reproduce or distribute Confidential Information internally, we do so only to those who are subject to equivalent confidentiality obligations and who need access for the agreed work.

 

7. Intellectual Property in Partner Information

Nothing in this Policy or in our receipt of Partner Information transfers ownership of any intellectual property rights in such information to the Carbon Foundation.

We will not claim proprietary rights over Partner Information, save for:

​

  • Limited rights of use strictly necessary to perform the agreed services and comply with legal obligations; and

  • Rights in any analyses, models or aggregated outputs we independently develop, provided that such outputs do not disclose the Partner’s Confidential Information or enable the Partner to be reasonably identified.

 

8. Handling of Personal Data

Where Partner Information contains Personal Data, we will process that information in accordance with:

​

  • Applicable data protection laws (including EU/UK GDPR, where applicable); and

  • Our Privacy Policy, which sets out our legal bases, rights and safeguards in detail.

 

We limit the Personal Data we collect and seek to anonymise or pseudonymise data where feasible, particularly when aggregating MRV data, engineering data or project performance information for internal analysis or market reports.

​

Where necessary, we will put in place data processing agreements (DPAs) and, for cross-border transfers, appropriate safeguards (such as Standard Contractual Clauses or equivalent mechanisms).

 

9. Security and access control

We apply a layered set of security measures to protect Partner Information, proportionate to its sensitivity and the risks involved. These may include:

​

  • Role-based access control, ensuring Partner Information is available only to authorised users

  • Strong authentication and password policies

  • Encryption of data in transit and at rest, where appropriate

  • Secure document management and restricted sharing mechanisms

  • Logging and monitoring of access to high-sensitivity repositories

  • Physical security measures for offices and any physical records

  • Secure disposal or destruction of records at end of retention periods

 

All staff and long-term contractors with access to Partner Information are bound by contractual confidentiality obligations and receive training on information security and data protection relevant to their role.

 

10. Derived analyses and aggregated outputs

 

We may generate internal analyses, models, benchmarks or aggregated statistics using Partner Information. To the extent such outputs do not disclose or permit reverse-engineering of the Partner’s Confidential Information, they may be used by us for:

​

  • Internal governance and risk management

  • Methodology development and validation

  • Market insights, research and thought leadership

 

Any external publication or sharing of such outputs will be prepared in a form that does not reasonably enable identification of specific Partners or disclosure of their Confidential Information.

 

11. Cross-border handling of confidential information

 

Given the international nature of our operations, Partner Information may be accessed or stored in multiple jurisdictions by authorised personnel and service providers.

Regardless of location, we:

​

  • Apply confidentiality and security standards that are no less protective than those described in this Policy; and

  • Ensure that third parties with access are bound by contractual obligations that are no less protective than our own obligations and, where applicable, the specific terms agreed with the relevant Partner.

 

Where Partner Information includes Personal Data, cross-border transfers are subject to the safeguards described in our Privacy Policy and in applicable data protection laws.

​

12. Limited and lawful disclosures

We may share Partner Information in the following limited circumstances, always on a need-to-know basis and under appropriate protections:

​

  1. Within the Carbon Foundation group

    • With other entities in our group for governance, risk management, technical assessment or delivery of services, under intra-group confidentiality arrangements.

  2. With professional advisers and service providers

    • With lawyers, auditors, consultants, IT service providers, MRV providers and similar third parties who support our work, subject to confidentiality and data processing obligations.

  3. With verification / certification bodies and regulators

    • Where necessary for independent verification, accreditation or supervisory review of projects, frameworks or registries.

  4. With co-investors, co-financiers or counterparties

    • Where a Partner has requested or consented to joint discussions, or where such sharing is clearly required to structure a transaction, and subject to appropriate confidentiality protections.

  5. Where required by law or a competent authority

    • We may disclose Partner Information to courts, regulators, law enforcement, tax or other authorities where we are legally obliged to do so, or where we reasonably believe such disclosure is necessary to protect our rights or those of a Partner or third party.

 

Where legally permitted, we will use reasonable efforts to notify the relevant Partner before disclosing their Confidential Information to a third-party authority, so they may seek protective measures, unless to do so would be unlawful or impracticable.

 

13. Exceptions to confidentiality

The obligations in this Policy do not apply to information which:

​

  • Is or becomes publicly available other than as a result of a breach by us;

  • Was lawfully known to us on a non-confidential basis before disclosure by the Partner;

  • Is received from a third party who, to our knowledge, is not bound by a duty of confidence in respect of that information;

  • Is independently developed by us without reference to the Partner’s Confidential Information; or

  • Must be disclosed under applicable law, regulation, stock exchange rule or order of a court or competent authority.

 

The burden of proving that an exception applies rests with the party asserting it.

 

14. Incident response and notifications

We maintain internal procedures for identifying, investigating and responding to actual or suspected unauthorised access, disclosure or loss of Partner Information.

 

Where an incident materially affects a Partner’s Confidential Information, we will:

​

  1. Take prompt steps to contain and assess the incident;

  2. Notify the affected Partner without undue delay where reasonably practicable and not prohibited by law; and

  3. Cooperate in good faith with the Partner to address reasonable information needs and mitigation steps, subject to our own legal and regulatory obligations.

 

Where Personal Data is involved, we will also comply with any applicable data breach notification requirements under relevant data protection laws.

 

15. Conflicts of interest and information barriers

Given the nature of our work, we may engage with multiple Partners whose interests could intersect or diverge. To manage these situations:

​

  • We assess potential conflicts of interest at the outset of engagements and on an ongoing basis.

  • Where appropriate, we implement information barriers (Chinese walls) so that individuals working with one Partner do not have access to confidential information relating to another Partner whose interests may conflict.

  • We may decline or terminate an engagement if we reasonably consider that a conflict cannot be adequately managed in the interests of all parties and our own integrity.

 

Our staff are required to escalate any potential conflict promptly to senior management or the designated compliance lead.

 

16. Retention and deletion of Partner Information

We retain Partner Information only for as long as reasonably necessary to:

​

  • Fulfil the purposes described in this Policy;

  • Comply with legal, regulatory, accounting and audit obligations;

  • Establish, exercise or defend legal claims; or

  • Maintain necessary records of our decisions, methodologies and project assessments.

 

Retention periods will vary depending on:

​

  • The nature of the information;

  • The legal and regulatory context (e.g. financial, tax, or environmental rules); and

  • The terms of any NDA or contract with the Partner.

 

Where we no longer require Partner Information for any of the above purposes, we will securely delete or anonymise it. Where a Partner has a specific contractual right to request deletion or return of information, we will respect that right subject to any legal obligations to retain certain records.

 

17. Market communications and attribution

We recognise that Partners may be sensitive about public references to:

​

  • Their identity as a client, investor or counterparty;

  • Specific projects, frameworks, investments or transactions; and

  • Performance data, MRV outputs or other project metrics.

 

Accordingly:

​

  • We will not publicly identify a Partner or disclose project-specific information without prior agreement, unless such information is already public or disclosure is required by law.

  • Where we wish to reference a Partner or project as a “case study” or in marketing materials, we will obtain written approval for the proposed wording, subject to reasonable revisions.

  • Any aggregated or anonymised insights we publish will be prepared in such a way that no Partner is reasonably identifiable.

 

18. Competition and market conduct

We recognise that certain Partner Information may be competitively sensitive. We do not use Partner Information to facilitate anti-competitive behaviour or unlawful information sharing between market participants.

 

Where we work with multiple Partners in potentially competing positions, we apply appropriate information barriers and governance measures to mitigate competition law risks, and we expect all parties to comply with applicable competition and antitrust laws.

 

19. Governance, training and enforcement

The implementation of this Policy is overseen by [insert title – e.g. Chief Operating Officer / General Counsel / Data Protection Lead] on behalf of the Carbon Foundation’s senior management.

We will:

​

  • Provide appropriate training and guidance to relevant staff and contractors

  • Monitor compliance through proportionate checks and audits

  • Review and update this Policy periodically to reflect changes in law, regulation, technology or our operating model

 

Breaches or suspected breaches of this Policy are taken seriously and may result in:

​

  • Internal disciplinary action, up to and including termination of employment or contract; and/or

  • Contractual remedies and claims for damages where a third party is responsible.

 

Partners who believe their information has been mishandled are encouraged to contact us promptly using the details in the Contact section.

 

20. Relationship with other policies and agreements

This Policy complements and does not limit:

​

  • Any NDA, confidentiality clause or information security schedule agreed with a specific Partner;

  • Our Privacy Policy, which governs processing of Personal Data;

  • Our Information Security and Data & MRV Governance frameworks; and

  • Any regulatory or professional obligations we may have (e.g. anti-money laundering, sanctions, market conduct).

 

Where there is a conflict between this Policy and a specific written agreement with a Partner, the more protective confidentiality standard for the Partner’s information shall prevail.

 

21. Non-contractual nature of this Policy

​

This Policy describes our standard approach to handling Investor and Partner Information. It does not, by itself, create contractual rights or obligations.

 

Any legally binding confidentiality, data protection or information-handling obligations will arise from:

​

  • Applicable law and regulation; and

  • The specific terms of NDAs or other agreements we enter into with Partners.

 

In the event of inconsistency, the terms of such agreements will prevail to the extent they provide a higher level of protection for the Partner.

 

22. Contact and queries

If you have any questions about this Policy, or concerns about how your information is being handled, please contact:

 

Investor / Partner Information Enquiries
The Carbon Foundation
Email: compliance@carbonfoundation.com
 

We will respond as promptly as reasonably possible and, where appropriate, work with you to resolve any concerns.


OFFICES 

​

Cyprus (Head office)

Prodromou 121,

Hadjikyriakeion Building, 1st floor, Strovolos, 2064, Nicosia, Cyprus

Company number: ΗΕ450468

T: +44 20 3980 7290 ext. 804

​

USA

Anfield Circ,

Austin,

Texas. 78738

Company number: 806167796

T: +1 (833) 779-3400 ext. 804

 

New Zealand 

Level 4, 136 Customs Street West
Auckland Central
Auckland 1010

Company Number: 9377528

T: +44 20 3980 7290 ext. 804

Registry NZ-16478 

​

United Kingdom:

20 Wenlock Road,

London.

N1 7GU

Company number: 15926795

T: +44 20 3980 7290 ext. 804 


© 2025 by The Carbon Foundation  
