Security at Monta

This page provides an overview of how we at Monta ensure your data and privacy security.
Written by Yana Yankova
Last updated: 5 May, 2025
Organizational security

Our organizational security measures at Monta include ISO 27001:2022 certification, risk management frameworks, and employee cybersecurity policies.

  • ISO 27001:2022 certification. Since 2023 we have been ISO 27001 certified. The certificate can be found at the end of the article.
  • Information security board. Our organizational security is managed by a dedicated Information Security Board, representing the entire organization at Monta.
  • Risk awareness and training. We recognise that the primary source of risk for information security stems from individuals’ use of digital technologies. To mitigate this, we conduct internal onboarding, training, and awareness campaigns.
  • Internal policy and guidelines. Our IT Policy establishes rules and guidelines for employees before, during, and upon termination or change of employment at Monta. This includes confidentiality obligations, acceptable use, clear desk and locked screen policies, internal reporting of incidents, and compliance with cybersecurity policies.
  • Proactive risk management. Our Board of Directors has established a Risk Committee, led by board member Adrienne Gormley, which outlines a proactive risk management framework for Monta.

Access management

Discover our access management strategy, which prioritises the least privilege principle, secure login methods, isolated cloud networks, and continuous monitoring of access rights.

  • Principle of least privilege. Monta’s internal access management is based on a least privilege principle. Access is granted based on job function and on a need-to-have basis. Access reviews are carried out frequently by the Information Security Board to ensure that granted access remains appropriate on an ongoing basis.
  • Secure login methods. Our login method is either SSO through JumpCloud or authorisation through Google or GitHub.
  • Isolated cloud networks. All our cloud networks are fully isolated within private networks on AWS, with no external access. Personnel authorised to access information do so through proxy connections with strict policies.
  • Continuous monitoring and role-based access. Our sensitive data is protected in cloud environments that automatically log all access, ensuring it's continuously monitored and secure. These logs are kept isolated to guard against tampering. We rigorously evaluate and manually test access rights to ensure they align strictly with job functions. Our cloud roles, synced with GitHub SSO, integrate directly into our authentication and authorisation framework, maintaining strict access control.
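The access review described above (checking that every granted permission matches the holder's job function and that leavers no longer hold any grants) can be expressed as a small script. The code below is an added illustration, not Monta's own tooling: the role matrix, the staff list and the grants are constructed sample data, and the permission names are invented placeholders.

```python
from dataclasses import dataclass

# Constructed sample data (hypothetical roles and permissions, not Monta's real ones):
# the permissions each job function is entitled to under least privilege.
ROLE_ENTITLEMENTS = {
    "sre": {"k8s:admin", "aws:kms:decrypt", "logs:read"},
    "backend-dev": {"k8s:deploy-staging", "logs:read"},
    "support": {"crm:read"},
}

# Constructed: current job function per employee. Leavers are simply absent.
STAFF_ROLES = {
    "alice": "sre",
    "bob": "backend-dev",
    "carol": "support",
}

# Constructed: grants actually present in the identity provider / cloud accounts.
CURRENT_GRANTS = {
    "alice": {"k8s:admin", "aws:kms:decrypt", "logs:read"},
    "bob": {"k8s:deploy-staging", "logs:read", "aws:kms:decrypt"},  # one grant beyond the role
    "carol": {"crm:read"},
    "dave": {"logs:read"},  # no longer on staff, grant never revoked
}


@dataclass(frozen=True)
class Finding:
    user: str
    kind: str              # "excess": beyond the role; "orphaned": user has no role
    permissions: frozenset # the grants that should be revoked


def review_access(entitlements, staff_roles, grants):
    """Compare live grants against role entitlements and return what to revoke."""
    findings = []
    for user, perms in sorted(grants.items()):
        role = staff_roles.get(user)
        if role is None:
            # Nobody vouches for this account any more: every grant is orphaned.
            findings.append(Finding(user, "orphaned", frozenset(perms)))
            continue
        excess = set(perms) - entitlements.get(role, set())
        if excess:
            findings.append(Finding(user, "excess", frozenset(excess)))
    return findings


def revocation_plan(findings):
    """Map each user to the set of permissions the reviewer should remove."""
    return {f.user: set(f.permissions) for f in findings}


if __name__ == "__main__":
    for f in review_access(ROLE_ENTITLEMENTS, STAFF_ROLES, CURRENT_GRANTS):
        print(f"{f.user}: {f.kind} -> revoke {sorted(f.permissions)}")
```

Running the review on the sample data flags bob's extra KMS grant and dave's orphaned log access; a real review would feed the revocation plan back into the identity provider and record the result as audit evidence.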

Infrastructure and hosting

Learn about our AWS cloud-based infrastructure and hosting, highlighting our approach to data encryption, key management, software-based user separation, and secure internal networks, alongside system hardening practices.

  • Cloud-based AWS hosting. Our entire hosting setup is cloud-based on AWS, eliminating the need for on-premise hosting. To enhance security and ensure data backup, all employee work is stored in the cloud rather than on local devices or external hardware.
  • Encryption and key management. We employ Encryption At Rest for all storage, with keys managed via AWS KMS and AWS Managed Keys, entrusting AWS with full key management responsibilities.
  • Software-based user separation. Our architecture features robust software-based separation among users, enabling us to concentrate on strengthening a single, secure multi-tenant platform.
  • Secure internal networks. Our servers reside on an internal network without direct internet access. We leverage Kubernetes, prioritising security to protect our infrastructure.
  • System hardening practices. To protect our infrastructure from potential threats, we implement rigorous system hardening practices. This involves configuring our systems and applications to minimize vulnerabilities, removing unnecessary services and applications, and applying security best practices.
  • Configuration and compliance. Our hardening procedures align with industry standards and compliance requirements. We use GitOps to rollout updates fast, and are frequently replacing servers with newer base images to enforce security baselines across our environments. Regular audits and reviews ensure that our systems remain hardened against evolving threats.

Data encryption

Learn about our commitment to securing data with top-tier encryption, employing cutting-edge techniques for both data in transit and at rest, alongside strict access control measures.

  • Advanced encryption standards. We adhere to industry standards, utilising advanced encryption methods: TLS 1.2 (or higher) for data in transit and AES-256 for data at rest, ensuring robust security.
  • Encryption in Transit. Our primary method for safeguarding data in transit is HTTPS, strictly using the latest ciphers for maximum security. We manage certificates in two ways:
    • AWS Managed Certificates for specific systems like our OCPP endpoints, accommodating older devices with pinned root certificates.
    • Let’s Encrypt within our Kubernetes cluster, where private keys are securely stored and accessible only to our SRE team. These certificates automatically rotate every 8 months.
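As an added example (not code from Monta), the snippet below shows what the stated transport floor looks like in a client configuration: a context that refuses anything below TLS 1.2 and requires certificate verification, next to the weak setting it rules out, plus a small helper that turns a certificate's notAfter date into a rotation check of the kind a certificate-management setup would run. The expiry date and threshold are constructed values.

```python
import ssl
import datetime as dt


def hardened_client_context() -> ssl.SSLContext:
    """Client context meeting the stated floor: TLS 1.2 or higher, peer certificate verified."""
    ctx = ssl.create_default_context()          # loads system CAs, verifies peer and hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def unverified_client_context() -> ssl.SSLContext:
    """The weak setting for contrast: the peer certificate is never checked."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False                  # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_meets_floor(ctx: ssl.SSLContext) -> bool:
    """True only if the context enforces TLS >= 1.2 and full certificate verification."""
    return (
        ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
        and ctx.verify_mode == ssl.CERT_REQUIRED
        and bool(ctx.check_hostname)
    )


def days_until_expiry(not_after: str, now: dt.datetime) -> int:
    """not_after uses the format returned by SSLSocket.getpeercert()['notAfter']."""
    expiry = dt.datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), dt.timezone.utc)
    return (expiry - now).days


def needs_rotation(not_after: str, now: dt.datetime, threshold_days: int = 30) -> bool:
    """Flag a certificate whose remaining lifetime is at or below the threshold."""
    return days_until_expiry(not_after, now) <= threshold_days


if __name__ == "__main__":
    # Constructed sample: a certificate expiring 30 days after 'now'.
    sample_not_after = "May  5 12:00:00 2026 GMT"
    sample_now = dt.datetime(2026, 4, 5, 12, 0, tzinfo=dt.timezone.utc)
    print("hardened context ok:", context_meets_floor(hardened_client_context()))
    print("days left:", days_until_expiry(sample_not_after, sample_now))
    print("rotate now:", needs_rotation(sample_not_after, sample_now))
```

The expiry helper is deliberately driven by an explicit `now` so it can be run against captured certificate data in a test rather than only against live endpoints.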

System monitoring

Read here about our approach to continuous system monitoring and vulnerability management: utilising the LGTM stack for comprehensive observability, ensuring encrypted data storage, and implementing redundancy in security logs.

  • Utilising the LGTM stack. We deploy the LGTM stack from Grafana (Loki, Grafana, Tempo, and Mimir) as the cornerstone of our observability infrastructure. While Grafana is managed in the cloud for enhanced reliability, we host the remaining components within our cluster to maintain control over data storage.
  • Encrypted data storage. All monitoring data, including metrics and logs, is securely stored for a minimum of one year in an encrypted S3 bucket, ensuring our data’s integrity and confidentiality.
  • Redundancy in security logs. To bolster our security log reliability, audit logs from our infrastructure are also replicated in an OpenSearch cluster. This redundancy ensures comprehensive oversight and enhanced security log accessibility.
  • Vulnerability assessments and management. At Monta, we recognize that timely identification and mitigation of vulnerabilities are crucial to maintaining a secure environment. We employ a combination of automated tools and manual assessments to identify vulnerabilities across our systems and applications. Regular vulnerability scans are conducted to ensure that potential security weaknesses are promptly identified and addressed.
  • Continuous vulnerability monitoring. Our commitment to security includes continuous monitoring of our infrastructure for vulnerabilities. We use Trivy for security scanning, and we consistently ensure that new vulnerabilities are identified as they emerge. This approach enables us to respond swiftly to potential threats, reducing the risk of exploitation.

Disaster recovery and business continuity

Learn about our strategies for ensuring business continuity and robust disaster recovery, including encrypted databases, distinct environment setups, thorough testing, and cross-data centre resilience to maintain SLAs.

  • Database security and environment separation. Our databases reside in private networks, shielded from internet access, and utilise encryption-at-rest. We've distinctly separated our pre-staging and production environments across different Amazon accounts for enhanced security.
  • Comprehensive testing of recovery plans. We rigorously test and verify our backup and disaster recovery plans biannually by deploying a complete duplicate of our platform across all environments. This approach ensures a comprehensive test rather than a theoretical one.
  • Cross-data centre availability. Our infrastructure spans a single AWS region yet is distributed across three separate data centres (availability zones), enabling us to sustain operations even if one data centre experiences an outage.
  • Commitment to SLAs. Our customers can be confident in our ability to meet our Service Level Agreements (SLAs), guaranteeing reliability and trust.

Incident management

Find out about our systematic approach to incident management, encompassing a dedicated strategy, tracking through Grafana, transparent communication, and improvement via post-mortem analysis.

  • Structured incident management plan. Our approach is anchored in an Incident Management Plan, overseen by the Information Security Board, ensuring a structured response to incidents.
  • Tracking and resolution via Grafana. Incidents are efficiently managed and tracked using Grafana, facilitating not just insight into incidents but also the assignment of relevant personnel for resolution.
  • Transparent communication. To maintain transparency with our users, we publish updates on a public status page during incidents that affect platform performance.
  • Continuous improvement through post-mortem analysis. Committing to continuous enhancement, we undertake thorough post-mortem analysis of incidents to identify root causes. This process helps us understand the underlying reasons and formulate strategies to prevent future occurrences.

Secure product development

Learn how in our software-centric environment, every deployment is scrutinised to mitigate the risk of system downtime, and how we ensure systems are promptly updated to address security vulnerabilities.

  • Structured development cycles. Our development is organised into 6-week cycles, each beginning with a planning session to align on priorities. This approach enhances focus, communication, and teamwork across product and engineering teams.
  • Engineering and deployment. Guided by strict engineering principles, our code undergoes rigorous testing and review. Deployments are automated for efficiency, with production requiring manual approval to ensure the highest code integrity.
  • Environment separation for safety and testing. Our staging environment, closely mirroring production, serves as the integration space for vetted development features, facilitating final tests before production release. The production environment, exclusive to our customers and partners, is where real customer data resides. Utilising feature flags, we incrementally roll out new features—first internally, then to Alpha and Beta users, and ultimately to all users, ensuring thorough testing and feedback at each stage.
  • Patching policy and procedures. Our patch management process is designed to ensure timely application of security patches and updates across our systems. We follow a structured approach to patch management, prioritizing patches based on the severity of vulnerabilities. Critical patches are applied immediately, while others are scheduled in a timely manner to minimize disruption.
  • Automated and manual patching. We utilize automated tools for regular patch deployment, ensuring that our systems are consistently up-to-date with the latest security fixes. Additionally, manual review and testing are conducted for critical patches to verify their effectiveness and ensure system stability. This dual approach enhances our ability to maintain a secure and resilient infrastructure.
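The two passages on Trivy-based vulnerability monitoring (under System monitoring) and on severity-driven patch prioritisation above describe one pipeline: scan, rank by severity, apply critical fixes immediately and schedule the rest. The code below is an added example, not Monta's own tooling: it parses a report in the shape Trivy emits with its JSON output and sorts the findings into patch windows. The report content, the vulnerability IDs (placeholders, not real CVEs), the image name and the window lengths are all constructed.

```python
import json

# Constructed sample in the shape of a Trivy JSON report. IDs are placeholders, not real CVEs.
SAMPLE_TRIVY_REPORT = json.dumps({
    "SchemaVersion": 2,
    "Results": [
        {
            "Target": "registry.example/app:1.2.3 (debian 12)",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-PLACEHOLDER-0001", "PkgName": "libexample",
                 "InstalledVersion": "1.0.0", "FixedVersion": "1.0.1", "Severity": "CRITICAL"},
                {"VulnerabilityID": "CVE-PLACEHOLDER-0002", "PkgName": "libother",
                 "InstalledVersion": "2.3.0", "FixedVersion": "", "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-PLACEHOLDER-0003", "PkgName": "tool",
                 "InstalledVersion": "0.9", "FixedVersion": "0.9.1", "Severity": "MEDIUM"},
            ],
        },
        {"Target": "Node.js", "Vulnerabilities": None},  # Trivy emits no list when nothing is found
    ],
})

SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1, "UNKNOWN": 0}

# Constructed policy: maximum days allowed before a fix of each severity is applied.
PATCH_WINDOW_DAYS = {"CRITICAL": 0, "HIGH": 7, "MEDIUM": 30, "LOW": 90, "UNKNOWN": 90}


def parse_findings(report_json: str) -> list:
    """Flatten a Trivy-style report into one record per vulnerability."""
    report = json.loads(report_json)
    findings = []
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            findings.append({
                "id": vuln["VulnerabilityID"],
                "target": result.get("Target", ""),
                "package": vuln.get("PkgName", ""),
                "installed": vuln.get("InstalledVersion", ""),
                "fixed": vuln.get("FixedVersion") or "",
                "severity": vuln.get("Severity", "UNKNOWN").upper(),
            })
    return findings


def triage(findings: list) -> dict:
    """Bucket findings: apply now, schedule within the window, or track until a fix exists."""
    plan = {"immediate": [], "scheduled": [], "no_fix_yet": []}
    for f in sorted(findings, key=lambda x: -SEVERITY_RANK.get(x["severity"], 0)):
        due = PATCH_WINDOW_DAYS.get(f["severity"], 90)
        entry = dict(f, due_in_days=due)
        if not f["fixed"]:
            plan["no_fix_yet"].append(entry)   # nothing to patch yet; needs mitigation and follow-up
        elif due == 0:
            plan["immediate"].append(entry)
        else:
            plan["scheduled"].append(entry)
    return plan


def gate(findings: list, fail_on=("CRITICAL", "HIGH")) -> bool:
    """True when the scan should block the deployment (any finding at or above the gate)."""
    return any(f["severity"] in fail_on for f in findings)


if __name__ == "__main__":
    found = parse_findings(SAMPLE_TRIVY_REPORT)
    for bucket, entries in triage(found).items():
        print(bucket, [(e["id"], e["due_in_days"]) for e in entries])
    print("block deploy:", gate(found))
```

The same parser would run unchanged on the output of `trivy image --format json`, which is the part of the workflow the example does not reproduce because it needs a registry and a vulnerability database.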

Endpoint security

To ensure the security of internal systems and data on devices such as mobiles and laptops, we adopt stringent security measures.

  • Device and access management with JumpCloud. We centralise control over device management and access security.
  • Compulsory strong passwords. Our password policy, enforced through JumpCloud, mandates that all employees' passwords must be at least 15 characters in length.
  • Remote working guidelines. We have a Remote Working Policy that details the specific security measures required for work conducted outside a secure office environment.
  • BYOD policy. While we permit the use of personal mobile devices, our strict Bring Your Own Device (BYOD) policy stipulates that all data access must be through Monta systems, allowing for remote deactivation, and prohibits the processing or storage of data on personal devices.

Supplier management

To balance the benefits of outsourcing with safeguarding our operations and customer data, Monta employs strategic supplier management practices.

  • Vendor approval process. At Monta, we collaborate with a variety of third-party suppliers for outsourcing tasks or obtaining operational systems. Our vendor approval process is critical to balancing the commercial advantages of outsourcing against the inherent commercial and information security risks. By implementing a comprehensive set of legal, procedural, and managerial controls within this process, we ensure that these third-party suppliers adhere to our stringent standards for compliance, security, and data protection.
  • Vendor management. More than a mere step, our vendor approval process is a strategic element that scrutinises compliance, security, contractual issues, and data protection. It guarantees our operations are secure, agile, and aligned with our overarching objectives, reflecting our commitment to responsible supplier management and competitive success.

Continuous improvement and validation

To ensure our information security measures are always at the forefront, we employ several key processes for ongoing improvement and validation.

  • Regular reviews and audits. Our Information Security Board conducts monthly reviews of our information security management system, with additional annual evaluations by our management. An internal audit program runs quarterly, featuring sample testing to assess and refine our security measures.
  • External penetration testing. We collaborate with Cobalt for annual penetration testing, offering a manual examination of our systems by seasoned security professionals. These critical assessments help validate our security posture, with reports available confidentially upon request.
  • ISO certification audits. We also perform annual ISO audits, conducted by DNV. Following the 2024 audit, our auditor commended Monta for its “great enthusiasm and commitment to continuous improvement of processes within the ISMS and across the organisation.”
