MontyCloud Platform

Data Security Statement

 


Keeping user data secure and private is an essential aspect of MontyCloud’s business and a serious obligation we approach with the utmost care and concern. MontyCloud employs extensive industry-standard security practices and technical safeguards to ensure user and customer data and information security. 

 

Amazon Web Services Partner 

To ensure user data is managed in the most secure manner possible and consistent with industry best practices, MontyCloud designed our platform architecture and security strategy using the best practices guidance published by Amazon Web Services (AWS). 

MontyCloud is an AWS Public Sector Partner, part of the AWS Well-Architected Partner Program, holds the AWS Cloud Operations Software Competency, was a launch partner for AWS Built-In, and is listed on AWS Marketplace. MontyCloud was additionally highlighted as a Top 10 innovative startup for the AWS Startup Showcase. 

As a part of these certifications, competencies, and program inclusions, MontyCloud has undergone regular Foundational Technical Reviews conducted by AWS technical experts, as well as thorough security audits of our platform architecture, internal processes, and data-handling practices. 

 

Hosting Security 

The MontyCloud DAY2 platform is built on AWS infrastructure and stores data in AWS data centers that have achieved ISO 27001 certification, PCI DSS Level 1 compliance, and SAS70 Type II. All underlying AWS infrastructure uses the most advanced security technology and encryption and is managed pursuant to the AWS Shared Responsibility Model. More information about AWS security protocols and safeguards can be found here: https://aws.amazon.com/security/

 

Access Controls 

MontyCloud strives to deploy the strictest, least-privilege access controls for all employees and any contract workers (hereinafter ‘subcontractors’) throughout our business: for underlying code, data and information access, and physical access to working spaces. MontyCloud additionally mandates multi-factor authentication for all employees and subcontractors, for both our AWS accounts and all other company systems, and all employee and subcontractor computers have active and up-to-date endpoint security software installed. Subcontractor access is restricted to the MontyCloud development environment only, and any development work performed by subcontractors undergoes additional review prior to being committed to our code repository.

The MontyCloud DAY2 platform leverages a Cross-Account IAM Role on the customer account. MontyCloud DAY2 accesses only metadata such as resource names and tag key/value pairs, and logging streams such as CloudTrail, to deliver visibility into a customer’s cloud footprint. When taking action on a customer account, MontyCloud DAY2 uses AWS native services such as AWS Systems Manager and AWS CloudFormation to execute customer-initiated actions such as provisioning and resource configuration changes. MontyCloud’s IAM Role has been verified and vetted by AWS technical experts and all actions taken by or within the platform are logged in the customer’s AWS CloudTrail logs for traceability purposes. 

 

These permissions are granted solely to the MontyCloud DAY2 production application and not to any individual user. No MontyCloud employees or subcontractors have access to customer AWS accounts at any time. Further, MontyCloud does not have a global system administrative user with access to all customer accounts within the platform. 

MontyCloud’s least-privilege policies also apply to individual features within the platform. Certain functionalities (some referred to as “bots”, such as ‘Security Bot’) have distinct roles, each scoped to the least privilege needed to perform the required function.

MontyCloud employees and subcontractors never access data on the customer servers or the customer applications we handle.  

 

User Authentication 

MontyCloud leverages a combination of firewall barriers, data encryption techniques and authentication procedures, among others, to maintain the security of a customer’s online session and to protect customers’ personal information and MontyCloud systems from unauthorized access.   

The MontyCloud DAY2 platform’s user authentication leverages AWS Cognito using industry-standard protocols and does not use any custom password hashing.  

 

User Authorization 

The MontyCloud DAY2 platform has robust role-based access controls (RBAC) that prevent unauthorized access to data within a customer’s tenant. MontyCloud DAY2 platform features are backed by this RBAC system and the different levels of access (“roles”) can be assigned to different users in a customer account to meet each customer’s unique needs. All net-new MontyCloud DAY2 feature implementations begin with a well-defined authorization and RBAC design. 

MontyCloud DAY2 also allows customers to augment user authorization by using SSO authentication with Azure Active Directory or via SAML providers.  

 

Data Encryption 

At MontyCloud, we take all necessary steps to encrypt data both at rest and in transit using SSL/TLS protocols.  

The MontyCloud DAY2 platform does not store private keys, passwords, or authentication tokens, and all access to customer cloud resources happens only via the aforementioned AWS Cross-Account IAM Role. Only MontyCloud’s designated AWS account IDs can access this specific IAM Role, and only with a unique external ID that MontyCloud has generated for the customer upon their registration. 
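
A customer-side check of the trust relationship described above, as an added example that is not MontyCloud's code or its actual role policy: it audits a cross-account role's trust policy for the two properties the statement names, designated account principals and an external ID condition. The account ID, the external ID and both sample policies are constructed placeholders.

```python
import re

# Constructed placeholders: not real vendor account IDs or external IDs.
VENDOR_ACCOUNTS = {"111122223333"}

# Weak: any AWS principal may assume the role, with no external ID.
WEAK = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}]}

# Hardened: one designated account, exact-match external ID required.
HARDENED = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id-0001"}}}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _account_of(principal):
    """Return the 12-digit account ID of an AWS principal, or None (e.g. '*')."""
    m = re.fullmatch(r"(?:arn:aws:iam::)?(\d{12})(?::.+)?", principal)
    return m.group(1) if m else None


def audit_trust_policy(policy, allowed_accounts):
    """Return findings for Allow statements that grant sts:AssumeRole."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        actions = set(_as_list(stmt.get("Action", [])))
        if stmt.get("Effect") != "Allow" or not {"sts:AssumeRole", "sts:*", "*"} & actions:
            continue
        principal = stmt.get("Principal", {})
        aws = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        if not aws:
            findings.append(f"statement {i}: no AWS principal (service or federated trust)")
        for p in aws:
            if _account_of(p) not in allowed_accounts:
                findings.append(f"statement {i}: principal {p!r} is not a designated account")
        # Only an exact-match condition counts; StringLike could admit wildcards.
        ext = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if not ext:
            findings.append(f"statement {i}: no StringEquals condition on sts:ExternalId")
    return findings
```

An empty result for a role's trust policy means every statement that allows the role to be assumed names only designated accounts and requires an external ID.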

 

Backups & Disaster Recovery 

MontyCloud conducts regular disaster recovery testing and maintains a Recovery Point Objective of 24 hours and a Recovery Time Objective of 6 hours. Backups of customer data are stored only as long as necessary. 

 

Tenancy 

MontyCloud leverages logical separation of data through tenant ID and customer ID. There is no customer data stored within MontyCloud back-end databases that does not have an associated tenant ID and customer ID. 

MontyCloud has taken all necessary and industry-standard steps to ensure that no individual customer tenant’s data can be made available erroneously to another customer tenant. 

 

Compliance 

In building our platform and policies, MontyCloud follows industry-standard compliance best practices such as CIS Benchmarks and the AWS Well-Architected Framework. Our software engineers are security conscious and are trained to apply industry-accepted secure design and coding practices. 

MontyCloud undergoes regular penetration testing performed by an independent third party. 

MontyCloud works with customers across regulated industries, including Fortune 200 companies, healthcare, financial services, and higher education. 

The MontyCloud DAY2 platform does not collect any payment information and therefore is not subject to PCI-DSS. 

 

Confidentiality 

“Confidential Information” shall mean all information disclosed by a customer to MontyCloud, whether orally or in writing, that is either designated as confidential or that reasonably should be understood to be confidential given the nature of the information and the circumstances of disclosure, including but not limited to trade secrets, know-how, business and financial information, and other proprietary information. Customer Confidential Information includes all data collected by MontyCloud while accessing customer accounts through the use of customer-provided credentials and/or received through performing associated services. However, Confidential Information does not include any information that  

          (i) is or becomes generally known to the public without breach of any obligation owed to the customer,    

          (ii) was known to MontyCloud prior to its disclosure by the customer,  

          (iii) is received from a third party without breach of any obligation owed to the customer, or  

          (iv) was independently developed by MontyCloud.

MontyCloud will use the same degree of care in treating customer data and information as Confidential Information that it uses to protect the confidentiality of its own Confidential Information of like kind, and no less than a standard of reasonable care. 

For more information about confidentiality and to see our Platform Privacy Policy, please visit: https://montycloud.com/platform-privacy-policy 

 

  

If you have any concerns or questions about our data security protocols and practices or require further detail, please feel welcome to contact security@montycloud.com