Security at Monetizr
The Monetizr team establishes policies and controls, monitors compliance with those controls, and proves our security and compliance to third-party auditors.
Monetizr maintains a SOC 2 Type I attestation and will be implementing ISO 27001 compliance certification. The Monetizr SOC 2 Type I report and ISO 27001 certificate will be published on this page.
After SOC 2 Type I, Monetizr will work on improving and maintaining better compliance with GDPR and CCPA.
Our policies are based on the following foundational principles:
- Access should be limited to only those with a legitimate business need and granted based on the principle of least privilege.
- Security controls should be implemented and layered according to the principle of defense-in-depth.
- Security controls should be applied consistently across all areas of the enterprise.
- The implementation of controls should be iterative, continuously maturing across the dimensions of improved effectiveness, increased auditability, and decreased friction.
- Data at rest: All datastores with customer data are encrypted at rest. The data is encrypted before it reaches the database, so that neither physical access nor logical access to the database is enough to read the sensitive information.
- Data in transit: Monetizr uses TLS 1.2 or higher everywhere data is transmitted over potentially insecure networks. We use features such as HSTS (HTTP Strict Transport Security) to maximize the security of our data in transit. Server TLS keys and certificates are managed by GCP and deployed via certificate issuers and load balancers.
- Secret management: Encryption keys are managed via GCP Secret Manager. Application secrets are encrypted and stored securely via GCP Secret Manager and Kubernetes Secrets and ConfigMaps, and access to these values is strictly limited.
Monetizr uses vulnerability scanning at key stages of its Software Development Lifecycle:
- Static analysis (SAST) testing of code during pull requests and on an ongoing basis
- Software container analysis to identify known vulnerabilities in our software containers
- Malicious activity monitoring to prevent the introduction of malware into our software
- Network vulnerability scanning on a periodic basis using an intrusion detection system
- Dynamic analysis of running applications using cluster security posture scanning
Monetizr uses the Vanta security and compliance management platform to continuously monitor enterprise security and compliance.
- Endpoint protection: Corporate devices are centrally managed and are equipped with mobile device management (MDM) software and anti-malware protection. Endpoint security alerts are monitored with 24/7/365 coverage. We use MDM software to enforce secure configuration of endpoints, such as disk encryption, screen lock configuration, and software updates.
- Security education: Monetizr provides comprehensive security training to all employees upon onboarding and annually through educational modules within Vanta’s security platform. In addition, all new employees attend a mandatory live onboarding session centered around key security principles. All new engineers also attend a mandatory live onboarding session focused on secure coding principles and practices.
- Identity and access management: Monetizr uses Google Workspace to secure our identity and access management. We enforce the use of phishing-resistant authentication factors, making 2FA mandatory wherever possible.
Monetizr employees are granted access to applications based on their role, and automatically deprovisioned upon termination of their employment. Further access must be approved according to the policies set for each application.
Updated about 2 months ago