Security

Encryption

• All data is encrypted at rest using AES-256.
• All connections use TLS 1.3 (TLS 1.2 minimum on legacy endpoints).
• Enterprise customers can request per-tenant key isolation backed by AWS KMS.

Access control

• SSO via SAML 2.0 (Okta, Azure AD, Google Workspace, OneLogin) on Enterprise.
• SCIM 2.0 provisioning on Enterprise.
• Connector scopes are least-privilege by default; users explicitly approve every scope at OAuth time.
• Per-channel and per-folder scoping available for Slack, Teams, Google Drive, and HubSpot.

Network & infrastructure

• Hosted on AWS in US-East. EU data residency on the roadmap for Q4 2026.
• VPC isolation; no direct public ingress to data planes.
• WAF and rate limiting on all public endpoints (Vercel + Cloudflare).
• Secrets managed via AWS Secrets Manager with automated rotation.

Data handling

• Your workspace data is never used to train foundation models.
• Run receipts are retained for the life of your account; raw logs purged after 30 days.
• Personal data deleted within 30 days of account termination, except as required by law.

Vendor security

• Annual third-party penetration test; summary available under NDA.
• Subprocessors vetted for SOC 2 or equivalent before onboarding.
• Vulnerability disclosure: security@getmonroe.com (PGP key on request).

Compliance

• SOC 2 Type II — in progress (target Q3 2026).
• GDPR / UK GDPR — DPA available on request.
• HIPAA — BAA available for Enterprise on request.
• CCPA — covered under standard DPA terms.

Incident response

Documented incident response plan with 24/7 paging for severity-1 issues. Customer notification within 72 hours for any incident involving personal data, per GDPR Article 33.

Security questionnaires

We pre-fill standard questionnaires (CAIQ, SIG Lite, Vanta Trust Profile) on request. Average turnaround: 3 business days.

Contact

security@getmonroe.com reaches the on-call engineer.