MontyCloud Trust Center
Security and compliance you can verify
MontyCloud’s security program covers both company operations and the MontyCloud platform architecture, and is anchored by industry-standard compliance requirements, independently audited controls, and clearly defined data-handling practices that protect customer environments at every layer.

Active

Active



Active
Certifications & Standards
SOC 2 Type II
MontyCloud is SOC 2 Type II compliant, audited in accordance with American Institute of Certified Public Accountants (AICPA) standards for SOC for Service Organizations (SSAE 18). Controls are evaluated over an extended observation period covering Security, Availability, and Confidentiality Trust Service Criteria. The full report is available to customers and prospects under mutual NDA.
GDPR
MontyCloud is GDPR compliant, aligned with the requirements set forth by the General Data Protection Regulation (EU) 2016/679. Privacy and data protection practices are designed to safeguard personal data and ensure transparency, accountability, and control in accordance with European Union law. Data subject rights for EU, EEA, and UK individuals are fully supported.
AWS Partner
MontyCloud is a member of the AWS Well-Architected Partner Program, holding the AWS Cloud Operations Software Competency and AWS Built-in Competency. The MontyCloud platform undergoes regular Foundational Technical Reviews (FTR) conducted by AWS technical experts, including thorough security audits of architecture, internal processes, and data-handling practices.
Penetration Testing
MontyCloud undergoes regular penetration testing performed by an independent third-party security firm. Pen test summaries are available to customers under NDA. Contact infosec@montycloud.com to request access.
AWS Infrastructure Compliance
The MontyCloud platform is built on AWS infrastructure and is hosted in data centers that have achieved:
TrustCloud Verification
MontyCloud’s compliance program and controls are independently verified and published on TrustCloud. Customers may view our TrustCloud profile for additional due diligence documentation.
How We Protect Your Data
MontyCloud employs a defense-in-depth and zero-trust approach across every layer of the platform.
Access Controls
Least-Privilege Access
All employees and subcontractors operate under strict least-privilege access policies for underlying code, data access, and physical access to working spaces. Subcontractor access is restricted to the development environment only, and all work undergoes additional review before being committed to the code repository.
Multi-Factor Authentication
Multi-factor authentication (MFA) is mandatory for all employees and subcontractors across all company systems, as well as on all employee and subcontractor devices, which carry active, up-to-date endpoint security software.
Cross-Account IAM Role
The MontyCloud platform accesses customer AWS accounts via a Cross-Account IAM Role vetted by AWS technical experts. The role is scoped to access only resource metadata (names and tag key/value pairs) and logging streams such as AWS CloudTrail. All actions are logged in the customer’s own AWS CloudTrail logs. Permissions are granted solely to the MontyCloud production application, not to any individual user. No MontyCloud employees or subcontractors ever have access to customer AWS accounts.
User Authentication & Authorization
Authentication
The MontyCloud platform leverages Amazon Cognito using industry-standard protocols and does not use any custom password hashing. Firewall barriers, data encryption, and authentication procedures protect every customer session and personal information from unauthorized access.
Role-Based Access Controls (RBAC)
Robust RBAC governs every feature within the platform, preventing unauthorized data access across tenant boundaries. All new feature implementations begin with a well-defined authorization and RBAC design. The platform also supports SSO authentication via Azure Active Directory and SAML providers.
Data Encryption, Isolation & Recovery
Data Encryption
All data is encrypted at rest and in transit using SSL/TLS protocols. MontyCloud does not store private keys, passwords, or authentication tokens. Customer cloud access occurs exclusively via the scoped IAM Role with a unique, per-customer external ID that only MontyCloud’s designated AWS account IDs can assume.
Multi-Tenant Architecture
Customer data is logically separated by tenant ID and customer ID. Every record in MontyCloud back-end databases carries both identifiers. MontyCloud has taken all necessary and industry-standard steps to ensure that no individual customer tenant’s data can be made available erroneously to another customer tenant.
Disaster Recovery
MontyCloud conducts regular disaster recovery testing. Customer data backups are stored only as long as necessary and are subject to secure deletion policies.
What We Collect & How We Use It
MontyCloud is purpose-built to operate with the minimum required data access. The following summarizes what is and is not collected.
Data We Collect
What We Never Access
How We Use Your Data
MontyCloud uses personal information only for the purposes of providing, improving, and securing its services. Specific uses include:
MontyCloud does not sell or share personal information for targeted advertising or profiling purposes.
Your Privacy Rights
MontyCloud respects and supports data subject rights under applicable privacy laws, including GDPR, the UK Data Protection Act 2018, and applicable U.S. state privacy laws (California, Colorado, Connecticut, Texas, and Virginia, among others).
Rights Available to All Users
EU / EEA / UK Data Subject Rights (GDPR)
Individuals in the EU, EEA, and United Kingdom are additionally entitled to:
How to Exercise Your Rights
To submit a data subject rights request, contact privacy inquiries at privacy@montycloud.com or security inquiries at infosec@montycloud.com. Requests will be verified and responded to within the timeframe prescribed by applicable law.
MontyCloud AI Policy
MontyCloud is committed to taking steps to implement responsible AI practices, grounded in transparency. By integrating advanced AI capabilities into our platform and processes, we combine innovation with practical CloudOps to deliver measurable value for our customers. As leaders in CloudOps, we recognize the responsibility that comes with deploying AI and strive to meet the highest standards of accountability and trust.
Ethical & Transparent
Ethical and transparent AI use across our services.
Privacy & Security
Directly addressing the implications of privacy and security in every AI capability.
Organization-Wide Oversight
AI oversight led organization-wide by the MontyCloud InfoSec team.
MontyCloud’s commitment to responsible AI reflects our dedication to meeting client expectations with effective innovations. By adhering to these practices, the MontyCloud platform empowers customers with AI-driven insights while maintaining high standards of accountability and transparency.
Key Subprocessors
MontyCloud uses a limited set of vetted third-party processors, each operating under appropriate data protection agreements. All subcontractors are restricted to the development environment.
| Processor | Purpose | Data Region |
|---|---|---|
| Amazon Web Services | Infrastructure hosting, compute, storage, database, and security services | US / Global |
| HubSpot | Store and manage customer relationship information and contact details | US |
| Atlassian (Jira & Confluence) | Provide MontyCloud platform support to customers | US |
| Microsoft O365 | Enable email communication | US |
Full subprocessor list available on request. Contact infosec@montycloud.com.
MontyCloud Security FAQs
Do MontyCloud employees have access to my AWS account or data?
No. MontyCloud employees and subcontractors never have access to customer AWS accounts at any time. The platform operates via a scoped Cross-Account IAM Role accessing only metadata and AWS CloudTrail logs. No individual user, including MontyCloud staff, holds direct access permissions.
Is MontyCloud SOC 2 Type II certified?
Yes. MontyCloud has achieved SOC 2 Type II certification, audited by an independent CPA firm in accordance with AICPA standards (SSAE 18). The report is available under NDA.
How is my data encrypted?
All data in transit is encrypted using SSL/TLS. Data at rest is encrypted using AES-256. MontyCloud does not store private keys, passwords, or authentication tokens. Customer access occurs only through a scoped IAM Role with a unique per-customer external ID.
Does MontyCloud comply with GDPR?
Yes. MontyCloud is aligned with EU GDPR (2016/679). All data subject rights (access, correction, deletion, portability, restriction, and objection) are supported. Contact infosec@montycloud.com to exercise these rights.
What is MontyCloud’s disaster recovery posture?
MontyCloud maintains an RPO of 24 hours and an RTO of 6 hours, with regular DR testing. All infrastructure runs on AWS, leveraging inherent high-availability and regional redundancy per the AWS Shared Responsibility Model.
How do I request security documentation?
The SOC 2 Type II report, penetration test summaries, and responses to security questionnaires are available under a mutual NDA only for prospects in active sales discussions or current customers. Contact infosec@montycloud.com or discuss with your assigned MontyCloud sales representative. The MontyCloud InfoSec team aims to respond to all security review requests within 2 business days.
Additional Resources
| Topic | Contact |
|---|---|
| Security questions & documentation | infosec@montycloud.com |
| Privacy & data subject rights | privacy@montycloud.com |
| General support | support@montycloud.com |
| MCP Server Security Statement | montycloud.com/mcp-server-security-statement |
This page reflects MontyCloud’s security and compliance posture as of the date of publication and is subject to change.