Carbon Accounting Software for CIOs and Enterprise IT Teams

AASB S2 landed carbon reporting on the enterprise data platform without the multi-month integration project the sustainability team was asking for. IT is being asked to expose the ERP, the utility feeds, and the fleet management system to a carbon reporting workflow that most vendors treat as an afterthought. Carbonly was built with the enterprise integration model as a first-class concern - five access modes, API-first architecture, OAuth-secured MCP server, and a security posture built for CIO review, not for a proof of concept.

Talk to us

What changes for cios and enterprise it teams

  • Five access modes so IT does not have to pick one integration pattern: web UI, per-project email ingestion, OneDrive/SharePoint folder sync, API + outbound webhooks, and MCP server
  • MCP (Model Context Protocol) server exposes the platform to ChatGPT, Claude Desktop, Cursor, and any MCP-compatible client with OAuth 2.1 + PKCE, refresh tokens, and tier-gated permissions
  • Enterprise SSO (SAML, OpenID Connect), SCIM 2.0 provisioning, MFA with security stepup on high-risk actions
  • Every write captured as a typed audit event with actor identity (human user or AI agent), timestamp, content hash, and structured payload - seven-year retention
  • Australian data residency for compliance with public sector and regulated industry data governance
  • Session revocation and token versioning so a compromised session can be revoked without a global logout

What the system does

  • API keys with scoped permissions per integration and IP allowlists - every call logged against the key for forensics and revocation
  • Outbound webhooks for emission events (record created, extraction complete, period locked, anomaly flagged) with signed payloads, retry semantics, and a delivery log
  • OneDrive and SharePoint folder sync per project via Microsoft Graph API - configure the folder once, drop documents there, they land in the AI extraction pipeline
  • MCP server with 8 smart tools (ask_copilot, take_action, upload_document, check_compliance, generate_report, email_report, switch_context, connect) and ~20 individually tier-gated sub-actions on take_action
  • Multi-tenant isolation verified by IDOR canary tests on every router - cross-tenant queries return NOT_FOUND, no data leakage possible
  • Rate limits and abuse detection at both the tenant level and the individual user/API-key level

Frequently asked

Where is data hosted and how is residency handled?

Australian data residency for the platform and its stored source documents. Enterprise deployments can pin data to specific regions and configure retention beyond the seven-year default to match sector-specific obligations (financial services, resources, regulated industries).

How does the MCP server actually work with our AI stack?

Claude Desktop → Settings → Connectors → Add MCP server → https://carbonly.ai/api/mcp. One-click connect if the user is already signed into the Carbonly web UI, otherwise a browser login redirect. Session persists across restarts. Access tokens rotate. Every MCP call is audited end-to-end against the same audit trail as the web UI. ChatGPT connectors and Cursor use the same OAuth flow.

What integrations exist with ERP and accounting systems?

Carbonly imports from any accounting or ERP system that can produce a CSV, Excel, or PDF export - SAP, Oracle, Dynamics 365, Xero, MYOB, QuickBooks, or bespoke. Folder sync, email ingestion, API, and webhooks cover the four common integration patterns. Direct write-back to accounting systems is not the goal; the carbon ledger is a specialised sibling to the finance ledger with a clear boundary.

Related reading

Ready to see how this works for your operation?

Email hello@carbonly.ai with your reporting obligation, number of sites or projects, and current process. We reply within business hours.

Talk to us