Last updated: Sep 24, 2024
MonetizeNow operates an AgenticAI-powered, SaaS-native Quote-to-Cash platform (CPQ, Billing, Metering).
This policy summarizes our security, privacy, and continuity practices. Detailed assurance (e.g., SOC 2 Type II summary, pen-test attestation) is available to customers under NDA.
AT-A-GLANCE
• Compliance: SOC 2 Type II–aligned control environment; independent penetration testing at least annually
• Encryption: AES-256 at rest (AWS KMS); TLS 1.2+ in transit
• Access: SSO/SAML, MFA, least-privilege RBAC, periodic access reviews
• DevSecOps: SAST/DAST/SCA, container/image scanning, IaC checks, gated CI/CD
• Vulnerability Management: Time-bound remediation SLAs by severity with re-scan validation
• Continuity: Documented business continuity and disaster recovery with defined RTO/RPO objectives; DR exercises at least annually
• Privacy/GDPR: Documented DSAR workflow (access, deletion, correction), sub-processor propagation
GOVERNANCE & COMPLIANCE
We maintain a documented security program aligned to SOC 2 Type II, covering policy governance, risk management, access control, secure development, incident response, business continuity, and third-party risk. Policies and standards are reviewed at least annually or after material changes. Security and privacy training is required for personnel with production access.
DATA PROTECTION
• Encryption at rest: AES-256 using AWS KMS–managed keys for databases, volumes, object storage, backups, and logs; keys segregated by environment with rotation.
• Encryption in transit: TLS 1.2+ for external and inter-service traffic; modern configurations on public endpoints.
• Secrets & keys: Managed through AWS Secrets Manager/Parameter Store with least-privilege IAM and audit logging.
• Minimization: Only necessary personal data is collected; field-level or envelope encryption used for select high-sensitivity values.
IDENTITY & ACCESS MANAGEMENT
• Workforce access via SSO/SAML; MFA required
• Role-based/attribute-based access with least privilege and periodic reviews
• Just-in-time elevation for privileged tasks; access to customer data is restricted and logged
SECURE DEVELOPMENT & VULNERABILITY MANAGEMENT
• Secure SDLC with peer review, SAST/DAST/SCA, container/image scanning, and IaC checks integrated into CI/CD
• Independent penetration testing at least annually; targeted re-tests after remediation and material changes
• Vulnerabilities are remediated under documented, time-bound SLAs by severity; all fixes re-scanned and regression-tested
MONITORING, LOGGING & INCIDENT RESPONSE
• Centralized logging and alerting across authentication, APIs, and infrastructure
• 24×7 on-call with documented incident response procedures and post-incident reviews
• Customer notifications consistent with contractual and legal obligations
BUSINESS CONTINUITY & DISASTER RECOVERY
• Multi-AZ, multi-region architecture with automated backups and replication
• Defined RTO/RPO objectives for Tier 1 services; full DR exercises at least annually with tracked improvements
• Backups are encrypted and retained per policy; restorations are tested periodically
PRIVACY & GDPR
MonetizeNow acts as a processor; customers (controllers) manage data-subject identity and authorization. We support GDPR DSARs (access, deletion, correction) and propagate erasure requests to approved sub-processors. Legal/financial records (e.g., invoices) are retained as required by law with personal fields minimized and access-restricted. Standard completion is within 30 days (typically 7–10 business days) with a completion attestation.
THIRD-PARTY & SUB-PROCESSOR RISK
Vendors and sub-processors with potential access to customer data undergo security due diligence prior to onboarding (e.g., SOC 2 Type II or ISO 27001, pen-test summary, security questionnaire), periodic re-assessment, and contractual DPA obligations. Access is provisioned on least privilege and reviewed regularly.
ENDPOINT, PHYSICAL & CLOUD SECURITY
Endpoints are managed via a third-party MDM solution with full-disk encryption, EDR, screen-lock, and patch baselines. Production infrastructure is hosted in AWS; physical data center controls are governed by AWS. Network segmentation, security groups, and WAF help protect the perimeter.
RESPONSIBLE DISCLOSURE
We welcome security reports. Contact security@monetizenow.io and allow reasonable time for remediation prior to public disclosure. A secure channel can be arranged for artifact exchange.
If you have any questions about this Policy, you can contact us by emailing security@monetizenow.io.