Trust Center

MontyCloud Trust Center

Security and compliance you can verify

MontyCloud’s security program covers both company operations and the MontyCloud platform architecture, and is anchored by industry-standard compliance requirements, independently audited controls, and clearly defined data-handling practices that protect customer environments at every layer.

Line-art security shield with a centered padlock representing MontyCloud platform security

SOC 2 Type II seal
SOC 2 Type II
AICPA / SSAE 18

Active

GDPR Compliant badge
GDPR Compliant
EU 2016/679

Active

AWS Built-in Competency badgeAWS Cloud Operations Software Competency badgeAWS Well-Architected Partner Program badge
AWS Competencies

Active

Compliance Program

Certifications & Standards

SOC 2 Type II

MontyCloud is SOC 2 Type II compliant, audited in accordance with American Institute of Certified Public Accountants (AICPA) standards for SOC for Service Organizations (SSAE 18). Controls are evaluated over an extended observation period covering Security, Availability, and Confidentiality Trust Service Criteria. The full report is available to customers and prospects under mutual NDA.

GDPR

MontyCloud is GDPR compliant, aligned with the requirements set forth by the General Data Protection Regulation (EU) 2016/679. Privacy and data protection practices are designed to safeguard personal data and ensure transparency, accountability, and control in accordance with European Union law. Data subject rights for EU, EEA, and UK individuals are fully supported.

AWS Partner

MontyCloud is a member of the AWS Well-Architected Partner Program, holding the AWS Cloud Operations Software Competency and AWS Built-in Competency. The MontyCloud platform undergoes regular Foundational Technical Reviews (FTR) conducted by AWS technical experts, including thorough security audits of architecture, internal processes, and data-handling practices.

Penetration Testing

MontyCloud undergoes regular penetration testing performed by an independent third-party security firm. Pen test summaries are available to customers under NDA. Contact infosec@montycloud.com to request access.

AWS Infrastructure Compliance

The MontyCloud platform is built on AWS infrastructure and is hosted in data centers that have achieved:

ISO 27001 certification
PCI DSS Level 1 compliance
SAS70 Type II certification

TrustCloud Verification

MontyCloud’s compliance program and controls are independently verified and published on TrustCloud. Customers may view our TrustCloud profile for additional due diligence documentation.

Security Architecture

How We Protect Your Data

MontyCloud employs a defense-in-depth and zero-trust approach across every layer of the platform.

Access Controls

Least-Privilege Access

All employees and subcontractors operate under strict least-privilege access policies for underlying code, data access, and physical access to working spaces. Subcontractor access is restricted to the development environment only, and all work undergoes additional review before being committed to the code repository.

Multi-Factor Authentication

Multi-factor authentication (MFA) is mandatory for all employees and subcontractors across all company systems, as well as on all employee and subcontractor devices, which carry active, up-to-date endpoint security software.

Cross-Account IAM Role

The MontyCloud platform accesses customer AWS accounts via a Cross-Account IAM Role vetted by AWS technical experts. The role is scoped to access only resource metadata (names and tag key/value pairs) and logging streams such as AWS CloudTrail. All actions are logged in the customer’s own AWS CloudTrail logs. Permissions are granted solely to the MontyCloud production application, not to any individual user. No MontyCloud employees or subcontractors ever have access to customer AWS accounts.

User Authentication & Authorization

Authentication

The MontyCloud platform leverages Amazon Cognito using industry-standard protocols and does not use any custom password hashing. Firewall barriers, data encryption, and authentication procedures protect every customer session and personal information from unauthorized access.

Role-Based Access Controls (RBAC)

Robust RBAC governs every feature within the platform, preventing unauthorized data access across tenant boundaries. All new feature implementations begin with a well-defined authorization and RBAC design. The platform also supports SSO authentication via Azure Active Directory and SAML providers.

Data Encryption, Isolation & Recovery

Data Encryption

All data is encrypted at rest and in transit using SSL/TLS protocols. MontyCloud does not store private keys, passwords, or authentication tokens. Customer cloud access occurs exclusively via the scoped IAM Role with a unique, per-customer external ID that only MontyCloud’s designated AWS account IDs can assume.

Multi-Tenant Architecture

Customer data is logically separated by tenant ID and customer ID. Every record in MontyCloud back-end databases carries both identifiers. MontyCloud has taken all necessary and industry-standard steps to ensure that no individual customer tenant’s data can be made available erroneously to another customer tenant.

Disaster Recovery

24 hrs
Recovery Point Objective
6 hrs
Recovery Time Objective

MontyCloud conducts regular disaster recovery testing. Customer data backups are stored only as long as necessary and are subject to secure deletion policies.

Data Practices

What We Collect & How We Use It

MontyCloud is purpose-built to operate with the minimum required data access. The following summarizes what is and is not collected.

Data We Collect

Account registration information: name, email, company name, phone number
Cloud account metadata: resource names, tag key/value pairs, AWS CloudTrail log streams
Usage and session data: IP address, browser type, platform, clickstream (used for service improvement)
Temporary IAM access keys (held in application memory only, never stored or logged)
AI Console interaction transcripts (with explicit user consent)

What We Never Access

Customer application data or server contents
Private keys, passwords, or authentication tokens (these are not stored)
Payment data; the MontyCloud platform does not collect payment information and is PCI DSS out-of-scope
Customer AWS accounts by any individual employee or subcontractor
Data across customer tenants; strict logical isolation is enforced at all times

How We Use Your Data

MontyCloud uses personal information only for the purposes of providing, improving, and securing its services. Specific uses include:

Delivering the MontyCloud platform and associated services
Responding to customer support inquiries and questions
Analytics for service improvement, security monitoring, and internal audits
Compliance with applicable legal obligations
AI-powered features (only with explicit consent); transcripts are processed under contractual safeguards

MontyCloud does not sell or share personal information for targeted advertising or profiling purposes.

Privacy Rights

Your Privacy Rights

MontyCloud respects and supports data subject rights under applicable privacy laws, including GDPR, the UK Data Protection Act 2018, and applicable U.S. state privacy laws (California, Colorado, Connecticut, Texas, and Virginia, among others).

Rights Available to All Users

Right to know and access: request confirmation of whether we process your data and obtain a copy
Right to correction: request correction of inaccurate personal information
Right to deletion: request deletion of personal information, subject to legal retention requirements
Right to data portability: receive your data in a machine-readable format
Right to opt out of sale or sharing: MontyCloud does not sell or share personal data
Right to non-discrimination: exercising your rights will not result in different service quality

EU / EEA / UK Data Subject Rights (GDPR)

Individuals in the EU, EEA, and United Kingdom are additionally entitled to:

Restrict the way MontyCloud processes and shares personal information
Object to processing based on legitimate interests
Transfer personal information to a third party
Withdraw consent at any time for consent-based processing
Lodge a complaint with the relevant supervisory authority

How to Exercise Your Rights

To submit a data subject rights request, contact privacy inquiries at privacy@montycloud.com or security inquiries at infosec@montycloud.com. Requests will be verified and responded to within the timeframe prescribed by applicable law.

Responsible AI

MontyCloud AI Policy

MontyCloud is committed to taking steps to implement responsible AI practices, grounded in transparency. By integrating advanced AI capabilities into our platform and processes, we combine innovation with practical CloudOps to deliver measurable value for our customers. As leaders in CloudOps, we recognize the responsibility that comes with deploying AI and strive to meet the highest standards of accountability and trust.

Ethical & Transparent

Ethical and transparent AI use across our services.

Privacy & Security

Directly addressing the implications of privacy and security in every AI capability.

Organization-Wide Oversight

AI oversight led organization-wide by the MontyCloud InfoSec team.

MontyCloud’s commitment to responsible AI reflects our dedication to meeting client expectations with effective innovations. By adhering to these practices, the MontyCloud platform empowers customers with AI-driven insights while maintaining high standards of accountability and transparency.

Subprocessors

Key Subprocessors

MontyCloud uses a limited set of vetted third-party processors, each operating under appropriate data protection agreements. All subcontractors are restricted to the development environment.

Processor Purpose Data Region
Amazon Web Services Infrastructure hosting, compute, storage, database, and security services US / Global
HubSpot Store and manage customer relationship information and contact details US
Atlassian (Jira & Confluence) Provide MontyCloud platform support to customers US
Microsoft O365 Enable email communication US

Full subprocessor list available on request. Contact infosec@montycloud.com.

Frequently Asked Questions

MontyCloud Security FAQs

Do MontyCloud employees have access to my AWS account or data?

No. MontyCloud employees and subcontractors never have access to customer AWS accounts at any time. The platform operates via a scoped Cross-Account IAM Role accessing only metadata and AWS CloudTrail logs. No individual user, including MontyCloud staff, holds direct access permissions.

Is MontyCloud SOC 2 Type II certified?

Yes. MontyCloud has achieved SOC 2 Type II certification, audited by an independent CPA firm in accordance with AICPA standards (SSAE 18). The report is available under NDA.

How is my data encrypted?

All data in transit is encrypted using SSL/TLS. Data at rest is encrypted using AES-256. MontyCloud does not store private keys, passwords, or authentication tokens. Customer access occurs only through a scoped IAM Role with a unique per-customer external ID.

Does MontyCloud comply with GDPR?

Yes. MontyCloud is aligned with EU GDPR (2016/679). All data subject rights (access, correction, deletion, portability, restriction, and objection) are supported. Contact infosec@montycloud.com to exercise these rights.

What is MontyCloud’s disaster recovery posture?

MontyCloud maintains an RPO of 24 hours and an RTO of 6 hours, with regular DR testing. All infrastructure runs on AWS, leveraging inherent high-availability and regional redundancy per the AWS Shared Responsibility Model.

How do I request security documentation?

The SOC 2 Type II report, penetration test summaries, and responses to security questionnaires are available under a mutual NDA only for prospects in active sales discussions or current customers. Contact infosec@montycloud.com or discuss with your assigned MontyCloud sales representative. The MontyCloud InfoSec team aims to respond to all security review requests within 2 business days.

Contact Us

Additional Resources

Topic Contact
Security questions & documentation infosec@montycloud.com
Privacy & data subject rights privacy@montycloud.com
General support support@montycloud.com
MCP Server Security Statement montycloud.com/mcp-server-security-statement

This page reflects MontyCloud’s security and compliance posture as of the date of publication and is subject to change.