1. Compliance and certifications
moneta maintains the following attestations, certifications, compliance documentation, and memberships:
- SOC 2 Type II — annual audit covering the Security, Availability, and Confidentiality Trust Services Criteria. Report available under NDA.
- ISO/IEC 27001 — certified information security management system.
- GDPR & UK GDPR — full DPA, SCCs, and EU representative documentation. See DPA.
- CCPA / CPRA — compliant; honors verified consumer rights requests within 30 days.
- CSA STAR Level 1 — Cloud Security Alliance self-assessment (CAIQ) available.
- FinOps Foundation — Premier Member and contributor to the FinOps Framework (a membership, not a security attestation).
Request reports under NDA by emailing security@monetacloud.com.
2. Security practices
Architecture. moneta runs on AWS in us-east-1, us-west-2, and eu-west-1. Customer data residency is selected at the workspace level. All traffic in transit uses TLS 1.2 or higher. Data is encrypted at rest with AES-256. Enterprise customers can bring their own keys (BYOK) for customer-managed encryption.
Access control. Production access requires hardware MFA, is reviewed quarterly, and follows least privilege. All production changes go through code review, automated tests, and audit logging.
Network. Production networks are segmented by VPC. Operator access is bastion-less. A WAF fronts all customer-facing endpoints.
Monitoring. 24×7 on-call rotation. SIEM aggregation of application, infrastructure, and identity logs. Anomaly detection on production identities.
Testing. Quarterly penetration tests by an independent CREST-certified firm. Continuous dependency scanning. Annual red-team exercise.
3. Data handling
Encryption. TLS 1.2+ in transit, AES-256 at rest, KMS-managed keys. Field-level encryption for high-sensitivity fields.
Backups. Daily encrypted snapshots; 35-day retention; quarterly restore drills.
Customer Data isolation. Each workspace has logical separation in our data plane; Enterprise customers can opt into dedicated isolated tenants.
Deletion. On account closure, Customer Data is available for export on request and is deleted within 90 days of closure. See DPA §10.
4. Sub-processors
Current Sub-processors used to deliver the Service:
- Amazon Web Services — primary cloud infrastructure (compute, storage, networking).
- Cloudflare — CDN and edge security.
- Sentry — application error monitoring.
- Plausible Analytics — privacy-friendly product and site analytics (anonymized).
- Postmark — transactional email delivery.
- Linear — internal issue tracking (no Customer Data).
- Notion — internal documentation (no Customer Data).
We notify customers at least 30 days before onboarding a new Sub-processor. Subscribe to notifications: security@monetacloud.com.
5. Incident response
Security incidents are managed by an on-call rotation following the NIST SP 800-61 incident-handling lifecycle. We commit to:
- Initial triage within 1 hour of detection.
- Customer notification within 72 hours of confirming a personal data breach (DPA §8).
- Public post-mortem for incidents that impacted multiple customers, published at status.monetacloud.com within 5 business days of resolution.
Report a suspected incident: security@monetacloud.com (PGP key on request).
6. Service availability
moneta targets 99.9% monthly uptime for production services on Pro and Enterprise. Service status, current incidents, and historical uptime are published at status.monetacloud.com. SLA credits are available on Enterprise plans per Order Form.
7. Reporting vulnerabilities
Security researchers should review and follow our Responsible Disclosure policy. We commit to acknowledging reports within 3 business days and to safe harbor for good-faith research.
8. Request documentation
Documents available under NDA: SOC 2 Type II report, ISO 27001 certificate, penetration test summary, business continuity plan, security questionnaire (SIG / CAIQ).
Request access: security@monetacloud.com.