Information Security Policy

Last updated: Sep 24, 2024

MonetizeNow operates an AgenticAI-powered, SaaS-native Quote-to-Cash platform (CPQ, Billing, Metering).

This policy summarizes our security, privacy, and continuity practices. Detailed assurance (e.g., SOC 2 Type II summary, pen-test attestation) is available to customers under NDA.

AT-A-GLANCE

• Compliance: SOC 2 Type II–aligned control environment; independent penetration testing at least annually

• Encryption: AES-256 at rest (AWS KMS); TLS 1.2+ in transit

• Access: SSO/SAML, MFA, least-privilege RBAC, periodic access reviews

• DevSecOps: SAST/DAST/SCA, container/image scanning, IaC checks, gated CI/CD

• Vulnerability Management: Time-bound remediation SLAs by severity with re-scan validation

• Continuity: Documented business continuity and disaster recovery with defined RTO/RPO objectives; DR exercises at least annually

• Privacy/GDPR: Documented DSAR workflow (access, deletion, correction), sub-processor propagation

GOVERNANCE & COMPLIANCE

We maintain a documented security program aligned to SOC 2 Type II, covering policy governance, risk management, access control, secure development, incident response, business continuity, and third-party risk. Policies and standards are reviewed at least annually or after material changes. Security and privacy training is required for personnel with production access.

DATA PROTECTION

• Encryption at rest: AES-256 using AWS KMS–managed keys for databases, volumes, object storage, backups, and logs; keys segregated by environment with rotation.

• Encryption in transit: TLS 1.2+ for external and inter-service traffic; modern configurations on public endpoints.

• Secrets & keys: Managed through AWS Secrets Manager/Parameter Store with least-privilege IAM and audit logging.

• Minimization: Only necessary personal data is collected; field-level or envelope encryption used for select high-sensitivity values.

IDENTITY & ACCESS MANAGEMENT

• Workforce access via SSO/SAML; MFA required

• Role-based/attribute-based access with least privilege and periodic reviews

• Just-in-time elevation for privileged tasks; access to customer data is restricted and logged

SECURE DEVELOPMENT & VULNERABILITY MANAGEMENT

• Secure SDLC with peer review, SAST/DAST/SCA, container/image scanning, and IaC checks integrated into CI/CD

• Independent penetration testing at least annually; targeted re-tests after remediation and material changes

• Vulnerabilities are remediated under documented, time-bound SLAs by severity; all fixes re-scanned and regression-tested

MONITORING, LOGGING & INCIDENT RESPONSE

• Centralized logging and alerting across authentication, APIs, and infrastructure

• 24×7 on-call with documented incident response procedures and post-incident reviews

• Customer notifications consistent with contractual and legal obligations

BUSINESS CONTINUITY & DISASTER RECOVERY

• Multi-AZ, multi-region architecture with automated backups and replication

• Defined RTO/RPO objectives for Tier 1 services; full DR exercises at least annually with tracked improvements

• Backups are encrypted and retained per policy; restorations are tested periodically

PRIVACY & GDPR

MonetizeNow acts as a processor; customers (controllers) manage data-subject identity and authorization. We support GDPR DSARs (access, deletion, correction) and propagate erasure requests to approved sub-processors. Legal/financial records (e.g., invoices) are retained as required by law with personal fields minimized and access-restricted. Standard completion is within 30 days (typically 7–10 business days) with a completion attestation.

THIRD-PARTY & SUB-PROCESSOR RISK

Vendors and sub-processors with potential access to customer data undergo security due diligence prior to onboarding (e.g., SOC 2 Type II or ISO 27001, pen-test summary, security questionnaire), periodic re-assessment, and contractual DPA obligations. Access is provisioned on least privilege and reviewed regularly.

ENDPOINT, PHYSICAL & CLOUD SECURITY

Endpoints are managed via a third-party MDM solution with full-disk encryption, EDR, screen-lock, and patch baselines. Production infrastructure is hosted in AWS; physical data center controls are governed by AWS. Network segmentation, security groups, and WAF help protect the perimeter.

RESPONSIBLE DISCLOSURE

We welcome security reports. Contact security@monetizenow.io and allow reasonable time for remediation prior to public disclosure. A secure channel can be arranged for artifact exchange.

Contact Us

If you have any questions about this Policy, you can contact us by emailing security@monetizenow.io.