Compliance
Overview
Monte Carlo maintains a dedicated Trust Center, where customers can request compliance attestations, certificates, and other related documentation. Monte Carlo undergoes an annual SOC 2 Type 2 audit and holds ISO 27001, 27017, and 27018 certifications, in addition to annual penetration testing.
New documentation from each audit cycle generally becomes available by the end of July. Customers have the option to subscribe for notifications whenever new materials are uploaded.
For non-privacy-related questions about compliance at Monte Carlo, please reach out to [email protected].
Links to Specific Resources
How are customers notified of changes to subprocessors?
Monte Carlo notifies customers who have subscribed to subprocessor update notifications before adding or replacing a subprocessor. Customers can subscribe through the Trust Center, or by emailing [email protected] with the subject line "Subprocessor Notification Request." Subscribed customers have a 15-calendar-day window to object to a newly added subprocessor under the terms of the Data Processing Addendum. Monte Carlo does not commit to a fixed 30-day advance-notice period; the commitment is prior notice to subscribers plus the 15-day objection window.
Business Continuity and Disaster Recovery
Monte Carlo maintains a documented Business Continuity and Disaster Recovery program that aligns with ISO/IEC 22301:2019. The program defines roles and responsibilities, line-of-succession planning, and backup and restoration procedures, and maintains a 24-hour RTO and RPO for critical systems. High availability is achieved through redundancy across multiple AWS Availability Zones, and multi-region disaster recovery is available for enhanced resilience.
The Business Continuity and Disaster Recovery plan, along with the incident response plan, is reviewed and tested at least annually, including backup-restoration validation and continuity of information-security controls. Customers with multi-region failover can request an annual failover simulation to validate readiness.
Vendor and Third-Party Risk Management
Monte Carlo operates a Third-Party Risk Management program governed by its Vendor Management policy. Vendor due diligence is risk-based: critical and high-risk vendors and subprocessors are reviewed at least every 12 months (or when a new use case arises), and other vendors are reviewed prior to engagement and at least every 24 months. Reviews cover security and privacy obligations, data handling, audit rights, geographic restrictions, and secure data destruction. The CISO oversees third-party risk assessments and reports significant risks to leadership.
API Security
Monte Carlo's API endpoints require authentication; APIs not intended for public access enforce authentication via API keys and integrate with customer identity providers, including MFA enforced through SSO configurations. APIs are in scope for Monte Carlo's annual application-layer penetration testing, performed by certified independent third parties, with findings risk-ranked and remediated according to defined SLAs.
Data accessed through the platform and its APIs is governed by Monte Carlo's data classification scheme of Confidential, Restricted, and Public, with customer data treated as Confidential and protected by encryption (AES-256 at rest, TLS 1.2+ in transit), role-based access, and audit logging.
