
Security at Monta

This page provides an overview of how we at Monta ensure your data and privacy security.

Written by Yana Yankova
Last updated 6 August, 2025

Organizational security

Our organizational security measures at Monta include ISO 27001:2022 certification, risk management frameworks, and employee cybersecurity policies.

  • ISO 27001:2022 certification. We have been certified to ISO 27001 since 2023. The certificate can be found at the end of the article.
  • Information security board. Our organizational security is managed by a dedicated Information Security Board, representing the entire organization at Monta.
  • Risk awareness and training. We recognise that the primary source of risk for information security stems from individuals’ use of digital technologies. To mitigate this, we conduct internal onboarding, training, and awareness campaigns.
  • Internal policy and guidelines. Our IT Policy establishes rules and guidelines for employees before, during, and upon termination or change of employment at Monta. This includes confidentiality obligations, acceptable use, clear desk and locked screen policies, internal reporting of incidents, and compliance with cybersecurity policies.
  • Proactive risk management. Our Board of Directors has established a Risk Committee, led by board member Adrienne Gormley, which outlines a proactive risk management framework for Monta.
  • Governance cadence. Our Information Security Board runs monthly ISMS reviews, with quarterly internal audits and an annual management review, and we undergo annual ISO audits by DNV.
  • Continuous compliance with Drata. We’re adopting Drata to provide continuous control monitoring, automated evidence collection, and centralised policy attestations across our ISO 27001 scope, improving audit readiness while reducing manual effort.

Access management

Discover our access management strategy, which prioritises the least privilege principle, secure login methods, isolated cloud networks, and continuous monitoring of access rights.

  • Principle of least privilege. Monta’s internal access management is based on the principle of least privilege: access is granted according to job function, on a need-to-have basis.
  • Secure login methods. Employees sign in either via SSO through JumpCloud or via federated authentication through Google or GitHub.
  • Isolated cloud networks. Our cloud networks run as private networks on AWS with no direct access from the internet. Staff who are authorised to access information do so through proxy connections governed by strict policies.
  • Continuous monitoring and role-based access. Our sensitive data is protected in cloud environments that automatically log all access, ensuring it’s continuously monitored and secure. These logs are kept isolated to guard against tampering. We rigorously evaluate and manually test access rights to ensure they align strictly with job functions. Our cloud roles, synced with GitHub SSO, integrate directly into our authentication and authorisation framework, maintaining strict access control.
  • Access reviews. Access reviews are conducted frequently by the Information Security Board to ensure ongoing appropriateness and least-privilege access.

Infrastructure and hosting

Learn about our AWS cloud-based infrastructure and hosting, highlighting our approach to data encryption, key management, software-based user separation, and secure internal networks, alongside system hardening practices.

  • Cloud-based AWS hosting. Our entire hosting setup is cloud-based on AWS, eliminating the need for on-premise hosting. To enhance security and ensure data backup, all employee work is stored in the cloud rather than on local devices or external hardware.
  • Encryption and key management. All storage is encrypted at rest. Keys are managed in AWS KMS as AWS managed keys, so key generation, storage and rotation are handled by AWS.
  • Software-based user separation. Our architecture features robust software-based separation among users, enabling us to concentrate on strengthening a single, secure multi-tenant platform.
  • Kubernetes orchestration. We use Kubernetes to run and scale our services. Network-layer protections are described in “Network & communications security”.
  • System hardening practices. To protect our infrastructure from potential threats, we implement rigorous system hardening practices. This involves configuring our systems and applications to minimize vulnerabilities, removing unnecessary services and applications, and applying security best practices.
  • Configuration and compliance. Our hardening procedures align with industry standards and compliance requirements. We use GitOps to roll out updates quickly, and we frequently replace servers with newer base images to enforce security baselines across our environments. Regular audits and reviews ensure that our systems remain hardened against evolving threats.

Network & communications security

  • Private networks & segmentation. Our application and data services run on internal networks with no direct internet exposure; only tightly scoped HTTPS endpoints are public. Network controls and policies limit east–west traffic, and pre-production and production are isolated.
  • Office networks. Corporate offices use enterprise-grade network equipment with centrally managed firewalling and segmentation.
  • Information transfer. Sensitive content is exchanged via secure channels following our internal IT & cybersecurity policies.

Data encryption

Learn how we protect data in transit and at rest with industry-standard encryption and strict access control.

  • Advanced encryption standards. We adhere to industry standards, utilising advanced encryption methods: TLS 1.2 (or higher) for data in transit and AES-256 for data at rest, ensuring robust security.
  • Encryption in transit. Our primary method for safeguarding data in transit is HTTPS, restricted to modern cipher suites. We manage certificates in two ways:
    • AWS Certificate Manager certificates for specific systems such as our OCPP endpoints, accommodating older devices that have pinned root certificates.
    • Let’s Encrypt within our Kubernetes cluster, where private keys are stored in the cluster and accessible only to our SRE team. Let’s Encrypt certificates are valid for 90 days and are renewed automatically before they expire.
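
The TLS 1.2 floor described above is a server-side setting that can be checked from the outside. The following Go program is an added example, not Monta’s code or configuration: it starts a loopback TLS server whose `MinVersion` is TLS 1.2, then probes it once as a modern client and once as a client that only offers TLS 1.0/1.1. The self-signed certificate, the names `StartHardenedServer` and `Probe`, and the `tls-probe.example` hostname are the example’s own assumptions; `InsecureSkipVerify` is used only because the test certificate is self-signed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSignedCert builds a throwaway P-256 certificate so the example runs
// offline. This is constructed test material; real endpoints use ACM or
// Let's Encrypt certificates as the page describes.
func selfSignedCert() (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "tls-probe.example"}, // hypothetical name
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     []string{"tls-probe.example"},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// StartHardenedServer listens on a random loopback port with TLS 1.2 as the
// minimum protocol version, so TLS 1.0/1.1 ClientHellos are refused during
// the handshake. It returns the address and a function that stops the server.
func StartHardenedServer() (string, func(), error) {
	cert, err := selfSignedCert()
	if err != nil {
		return "", nil, err
	}
	cfg := &tls.Config{
		Certificates: []tls.Certificate{cert},
		MinVersion:   tls.VersionTLS12, // the control being demonstrated
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", cfg)
	if err != nil {
		return "", nil, err
	}
	go func() {
		for {
			conn, err := ln.Accept()
			if err != nil {
				return // listener closed by stop()
			}
			go func(c net.Conn) {
				defer c.Close()
				// Drive the handshake so the client observes accept or reject.
				_ = c.(*tls.Conn).Handshake()
			}(conn)
		}
	}()
	return ln.Addr().String(), func() { ln.Close() }, nil
}

// Probe dials addr offering only protocol versions in [minV, maxV] and returns
// the negotiated version, or an error if the server refused the handshake.
// Certificate verification is skipped only because the cert is self-signed.
func Probe(addr string, minV, maxV uint16) (uint16, error) {
	conn, err := tls.Dial("tcp", addr, &tls.Config{
		MinVersion:         minV,
		MaxVersion:         maxV,
		InsecureSkipVerify: true,
	})
	if err != nil {
		return 0, err
	}
	defer conn.Close()
	return conn.ConnectionState().Version, nil
}

func main() {
	addr, stop, err := StartHardenedServer()
	if err != nil {
		panic(err)
	}
	defer stop()
	if v, err := Probe(addr, tls.VersionTLS12, tls.VersionTLS13); err == nil {
		fmt.Printf("modern client: negotiated version %#x\n", v)
	}
	if _, err := Probe(addr, tls.VersionTLS10, tls.VersionTLS11); err != nil {
		fmt.Println("legacy client refused:", err)
	}
}
```

Run with `go run .`: the first probe negotiates TLS 1.3 (0x0304) and the second fails with a protocol-version alert. The same probe, pointed at a real endpoint with certificate verification left on, is how an external scan confirms that a published TLS floor is actually enforced.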

System monitoring

Learn about our approach to continuous system monitoring and vulnerability management, using the LGTM stack for observability, with encrypted log storage and redundancy in security logs.

  • Dashboards & alerting (Grafana). We monitor platform health and security signals in Grafana, with on-call escalation and incident triage integrated with our collaboration tools.
  • Vulnerability detection & management. We use automated vulnerability scanning across our infrastructure and runtime (e.g., operating system, container images, and dependencies). Findings are triaged and remediated on risk-based SLAs, and patching is tracked to closure.
  • Performance & security signals. Key metrics, logs and traces are collected to detect service degradation, anomalous behaviour and potential security issues before they impact customers.
  • Centralised logging & audit. Application and security events are consolidated in a central audit logging service to support compliance, troubleshooting and incident investigations. Access to logs follows least-privilege and is itself audited.
  • Searchable retention (encrypted S3). Logs remain searchable for investigations and are archived to AWS S3 with encryption at rest and lifecycle-managed retention. Data is encrypted in transit end-to-end.
  • Evidence & resilience checks. During incidents we use logs for forensics and scoping. Our disaster-recovery exercises verify that monitoring, alerting and logging continue to function as expected.

Disaster recovery and business continuity

Learn about our strategies for ensuring business continuity and robust disaster recovery, including encrypted databases, distinct environment setups, thorough testing, and cross-data centre resilience to maintain SLAs.

  • Documented plans & scope. We maintain Business Continuity and Disaster Recovery plans that define how we keep services available and recover systems and data during disruption.
  • Testing cadence. We exercise BCP at least twice per year and test DR at least annually using a mix of tabletop and technical exercises to validate real-world readiness.
  • Data protection & backups. Backups are encrypted and regularly restore-tested. Our architecture uses multi-AZ/regional resilience where appropriate to reduce single-point-of-failure risk.
  • Recovery approach. We prioritise critical services first, rebuild environments using infrastructure-as-code and backups, and only conclude recovery after health, logging, security and alerting checks pass.
  • Continuity & communications. Operations continue from alternate/remote working arrangements as needed. We provide updates on our public status page and notify affected customers where appropriate.

Incident management

Find out about our systematic approach to incident management, encompassing a dedicated strategy, tracking through Grafana, transparent communication, and improvement via post-mortem analysis.

  • Regulatory notifications. We assess incidents for GDPR personal-data breach implications and for ‘significant’ cybersecurity incidents under NIS2, and we notify the competent authorities where required.
  • Structured incident management plan. Our approach is anchored in an Incident Management Plan, overseen by the Information Security Board, ensuring a structured response to incidents.
  • Tracking and resolution via Grafana. Incidents are efficiently managed and tracked using Grafana, facilitating not just insight into incidents but also the assignment of relevant personnel for resolution.
  • Transparent communication. To maintain transparency with our users, we publish updates on a public status page during incidents that affect platform performance.
  • Continuous improvement through post-mortem analysis. Committing to continuous enhancement, we undertake thorough post-mortem analysis of incidents to identify root causes. This process helps us understand the underlying reasons and formulate strategies to prevent future occurrences.
  • Continuous learning ritual. We run a weekly incident review to share learnings, track remediation actions, and prevent recurrence.

Secure product development

Learn how in our software-centric environment, every deployment is scrutinised to mitigate the risk of system downtime, and how we ensure systems are promptly updated to address security vulnerabilities.

  • Structured development cycles. Our development is organised into 6-week cycles, each beginning with a planning session to align on priorities. This approach enhances focus, communication, and teamwork across product and engineering teams.
  • Engineering and deployment. Guided by strict engineering principles, our code undergoes rigorous testing and review. Deployments are automated for efficiency, with production requiring manual approval to ensure the highest code integrity.
  • Environment separation for safety and testing. Our staging environment, closely mirroring production, serves as the integration space for vetted development features, facilitating final tests before production release. The production environment, exclusive to our customers and partners, is where real customer data resides. Utilising feature flags, we incrementally roll out new features—first internally, then to Alpha and Beta users, and ultimately to all users, ensuring thorough testing and feedback at each stage.
  • Patching policy and procedures. Our patch management process is designed to ensure timely application of security patches and updates across our systems. We follow a structured approach to patch management, prioritizing patches based on the severity of vulnerabilities. Critical patches are applied immediately; all other patches follow a risk-based schedule to minimise disruption while maintaining security.
  • Automated and manual patching. We utilize automated tools for regular patch deployment, ensuring that our systems are consistently up-to-date with the latest security fixes. Additionally, manual review and testing are conducted for critical patches to verify their effectiveness and ensure system stability. This dual approach enhances our ability to maintain a secure and resilient infrastructure.

Endpoint security

To ensure the security of internal systems and data on devices such as mobiles and laptops, we adopt stringent security measures.

  • Device protection. Company-managed laptops and mobiles enforce full-disk encryption, screen-lock, remote-wipe, and automatic updates via our MDM, JumpCloud.
  • Compulsory strong passwords. Our password policy, enforced through JumpCloud, mandates that all employees’ passwords must be at least 15 characters in length.
  • Remote working guidelines. We have a Remote Working Policy that details the specific security measures required for work conducted outside a secure office environment.
  • BYOD policy. While we permit the use of personal mobile devices, our strict Bring Your Own Device (BYOD) policy stipulates that all data access must be through Monta systems, allowing for remote deactivation, and prohibits the processing or storage of data on personal devices.

Supplier management

To balance the benefits of outsourcing with safeguarding our operations and customer data, Monta employs strategic supplier management practices.

  • Vendor approval process. At Monta, we collaborate with a variety of third-party suppliers for outsourcing tasks or obtaining operational systems. Our vendor approval process is critical to balancing the commercial advantages of outsourcing against the inherent commercial and information security risks. By implementing a comprehensive set of legal, procedural, and managerial controls within this process, we ensure that these third-party suppliers adhere to our stringent standards for compliance, security, and data protection.
  • Vendor management. Our vendor approval process scrutinises compliance, security, contractual terms, and data protection for each supplier, so that outsourced operations remain secure and aligned with our objectives.

Continuous improvement and validation

To ensure our information security measures are always at the forefront, we employ several key processes for ongoing improvement and validation.

  • Regular reviews and audits. Our Information Security Board conducts monthly reviews of our information security management system, with additional annual evaluations by our management. An internal audit program runs quarterly, featuring sample testing to assess and refine our security measures.
  • External penetration testing. We collaborate with Cobalt for annual penetration testing, offering a manual examination of our systems by seasoned security professionals. These critical assessments help validate our security posture, with reports available confidentially upon request.
  • ISO certification audits. We also undergo annual ISO audits conducted by DNV. Following the 2024 audit, our auditor commended Monta for its “great enthusiasm and commitment to continuous improvement of processes within the ISMS and across the organisation.”

Personal data
