Security at Monta
Overview of how Monta protects your data and privacy across organizational security, access management, infrastructure, encryption, monitoring, incident management, and more.
For: Partners, users, and anyone who wants to understand how Monta manages information security.
Organizational security
- ISO 27001:2022 certification: Monta has been certified since 2023. The certificate is available at the bottom of this page.
- SOC 2 Type II attestation: We have obtained a SOC 2 Type II attestation confirming that our security controls are well designed and operating effectively over time. The attestation is available at the bottom of this page.
- Information Security Board: Organizational security is managed by a dedicated board representing the entire organization.
- Risk awareness and training: We conduct internal onboarding, training, and awareness campaigns to reduce human-related security risk.
- Internal policy and guidelines: Our IT Policy covers confidentiality obligations, acceptable use, clear desk and locked screen policies, internal incident reporting, and compliance with cybersecurity policies.
- Proactive risk management: Our Board of Directors has established a Risk Committee that oversees a proactive risk management framework.
- Governance cadence: The Information Security Board runs monthly ISMS reviews, quarterly internal audits, and an annual management review. Annual ISO audits are conducted by DNV.
- Continuous compliance with Drata: We use Drata for continuous control monitoring, automated evidence collection, and centralized policy attestations across our ISO 27001 scope.
Access management
- Principle of least privilege: Access is granted based on job function and a need-to-know basis.
- Secure login methods: Login is via SSO through JumpCloud or authorization through Google or GitHub.
- Isolated cloud networks: All cloud networks are fully isolated within private networks on AWS with no external access. Authorized access uses proxy connections with strict policies.
- Continuous monitoring and role-based access: Sensitive data is protected in cloud environments that automatically log all access. Logs are kept isolated to prevent tampering. Access rights are evaluated and manually tested to ensure alignment with job functions.
- Access reviews: Conducted frequently by the Information Security Board to ensure ongoing least-privilege access.
Infrastructure and hosting
- Cloud-based AWS hosting: All hosting is cloud-based on AWS. Employee work is stored in the cloud rather than on local devices or external hardware.
- Encryption and key management: Encryption at rest is applied to all storage, with keys managed via AWS KMS (Key Management Service) and AWS Managed Keys.
- Software-based user separation: Our architecture enforces robust software-based separation between users, which lets us concentrate our security effort on a single, secure multi-tenant platform.
- Kubernetes orchestration: We use Kubernetes to run and scale our services.
- System hardening: We minimize vulnerabilities by removing unnecessary services and applications, and applying security best practices. We use GitOps to roll out updates and frequently replace servers with newer base images.
Network and communications security
- Private networks and segmentation: Application and data services run on internal networks with no direct internet exposure. Only tightly scoped HTTPS endpoints are public. Pre-production and production environments are isolated.
- Office networks: Corporate offices use enterprise-grade network equipment with centrally managed firewalling and segmentation.
- Information transfer: Sensitive content is exchanged via secure channels in line with our internal IT and cybersecurity policies.
Data encryption
- Standards: We use TLS 1.2 or higher for data in transit and AES-256 for data at rest.
- Encryption in transit: Our primary method is HTTPS using the latest ciphers. Certificates are managed via:
  - AWS Managed Certificates for systems such as our OCPP endpoints.
  - Let's Encrypt within our Kubernetes cluster; private keys are secured and accessible only to our SRE team. Certificates rotate automatically every 8 months.
System monitoring
- Dashboards and alerting (Grafana): Platform health and security signals are monitored in Grafana with on-call escalation integrated into our collaboration tools.
- Vulnerability detection and management: Automated scanning covers infrastructure and runtime environments. Findings are triaged and remediated against risk-based SLAs.
- Centralised logging and audit: Application and security events are consolidated in a central audit logging service. Access to logs is itself audited and follows least-privilege.
- Searchable retention (encrypted S3): Logs are archived to AWS S3 with encryption at rest and lifecycle-managed retention.
Disaster recovery and business continuity
- Documented plans: We maintain Business Continuity and Disaster Recovery (BCP/DR) plans defining how we keep services available and recover systems during disruption.
- Testing cadence: BCP is exercised at least twice per year; DR is tested at least annually using tabletop and technical exercises.
- Data protection and backups: Backups are encrypted and regularly restore-tested. Our architecture uses multi-availability-zone and regional resilience to reduce single-point-of-failure risk.
- Communications: Updates are published on our public status page at status.monta.app during incidents affecting platform performance.
Incident management
- Regulatory notifications: We assess incidents for GDPR personal data breach implications and for significant cybersecurity incidents under NIS2, and notify competent authorities where required.
- Structured incident management plan: Managed by the Information Security Board, with incidents tracked and resolved via Grafana.
- Continuous improvement: We conduct thorough post-mortem analysis after incidents to identify root causes. A weekly incident review shares learnings and tracks remediation actions.
Secure product development
- Structured development cycles: Development is organised into 6-week cycles, each starting with a planning session to align on priorities.
- Engineering and deployment: Code undergoes rigorous testing and review. Production deployments require manual approval.
- Environment separation: A staging environment mirrors production for final testing. Feature flags allow incremental rollout — first internally, then to alpha and beta users, then to all users.
- Patching policy: Critical patches are applied immediately. All other patches follow a risk-based schedule. Automated tools handle regular patch deployment; manual review is conducted for critical patches.
Endpoint security
- Device protection: Company-managed laptops and mobiles enforce full-disk encryption, screen lock, remote wipe, and automatic updates via our mobile device management (MDM) system, JumpCloud.
- Password policy: All employee passwords must be at least 15 characters, enforced through JumpCloud.
- Remote working: A Remote Working Policy specifies security measures for work outside a secure office environment.
- BYOD policy: Personal mobile devices are permitted but all data access must be through Monta systems. Storage or processing of data on personal devices is prohibited.
Supplier management
- Vendor approval process: All third-party suppliers undergo a comprehensive approval process covering compliance, security, contractual terms, and data protection.
- Vendor management: Our vendor process scrutinises security, contractual terms, and data protection to ensure our operations remain secure and aligned with our objectives.
Continuous improvement and validation
- Regular reviews and audits: The Information Security Board conducts monthly ISMS reviews. An internal audit program runs quarterly with sample testing.
- External penetration testing: We collaborate with Cobalt for annual penetration testing. Reports are available confidentially upon request.
- ISO certification audits: Annual ISO audits are conducted by DNV. Following the 2024 audit, our auditor commended Monta for its "great enthusiasm and commitment to continuous improvement of processes within the ISMS and across the organisation."
Personal data
- GDPR Program and Privacy Policy: app.monta.app/gdpr
- Privacy policy: app.monta.app/privacy-policy