Security and Compliance

Designed by security industry veterans, the Monte Carlo platform can meet stringent privacy and security standards.

Highlights

• Monte Carlo only extracts metadata, query logs and aggregated statistics into its cloud service. In particular, Monte Carlo can support a setup where no individual records or PII are ever taken out of your environment.
• Monte Carlo uses read-only access via APIs and/or dedicated service accounts and allows granular permissions to datasets of your choice.
• Monte Carlo's hybrid architecture allows you to run its collector on your own cloud infrastructure so you never have to expose any of your data warehouses, data lakes and BI tools to Monte Carlo's cloud.

Compliance

• Monte Carlo will provide a SOC 2 Type 2 report upon request (Security, Availability and Confidentiality criteria).
• Monte Carlo will sign NDAs and/or DPAs where appropriate.
• Monte Carlo collects metadata, logs, and metrics for the purpose of identifying data reliability issues. However, we acknowledge that the service may collect and process personal data as part of query logs or through other data sampling search functionality that you initiate within the Monte Carlo platform. If any such data is passed to Monte Carlo, it is used for the sole purpose of identifying data reliability issues.
• This data is encrypted in transit and at rest, and is only stored on the Data Collector, which you have the option of hosting in your own environment.

Security and privacy practices

Monte Carlo's team implements industry best practices across the board to protect the security of its application, and the data privacy of its customers. The following are only some of the elements of our security program and system architecture:

• Monte Carlo will only collect metadata, logs, and metrics for the sole purpose of identifying data reliability issues. Your information will only be used to generate your own reports and will not be shared with any external parties.
• Processing is conducted on secure servers hosted on Amazon Web Services. All storage systems are encrypted, and all servers are tightly access controlled and audited. Data is encrypted in-transit at all times.
• In cases where debugging or maintenance work is required, a minimal number of engineers will be permitted to access the data necessary for this purpose. All engineers use encrypted laptops and are required to remove data from their devices when their debugging session is complete. Laptop security policies are enforced using MDM.
• Monte Carlo will access your environment from a single source IP dedicated to you, allowing you to protect access to your data resources at the network level.
• An annual penetration test is performed to validate Monte Carlo's posture and identify vulnerabilities. Our latest penetration test report was issued in February 2023.
• Monte Carlo's service runs on highly available and highly redundant cloud services, mostly on Amazon Web Services in the US East 1 region.
• Access to all critical systems and production environments is protected using strong passwords and multi-factor authentication. Where possible, SSO is used for centralized access control. Access is reviewed prior to being granted and then periodically thereafter.

Information Monte Carlo collects

The following information may be processed and stored by Monte Carlo: