SOC 2 & Compliance Posture
Audits, certifications, sub-processors, breach notification.
Where we are
SOC 2 Type II: audit completed Q1 2026. The report is available to Enterprise customers under NDA via the Trust Center.

GDPR: a data processing addendum (DPA) is available for EU customers. EU data stays in EU regions when you sign up through the EU instance (eu.monpg.app); see data residency for the full region table.

HIPAA: a BAA is available on Enterprise for customers with PHI in their PostgreSQL logs. For HIPAA orgs, log collection is off by default and must be explicitly enabled, because "collected by default" is the wrong posture for protected data.

ISO 27001: in progress, target Q3 2026.
Sub-processors
| Sub-processor | Purpose |
|---|---|
| Microsoft Azure | Compute, storage, networking, Key Vault, Container Apps |
| Stripe | Payment processing |
| Cloudflare | CDN, DDoS protection, WAF |
| PostHog Cloud | Product analytics on the marketing site (privacy policy) |
| SendGrid | Transactional email |
| Sentry | Error tracking — no customer data is sent |
We give 30 days' notice before a change to this list takes effect, as required by the DPA. The list covers active sub-processors only; the most common change is a vendor we trialled for 90 days and did not keep.
Breach notification
We notify your designated security contact within 72 hours of any incident affecting your data. Set the contact per org under Settings → Security → Incident contact; if you don't, it defaults to the org owner, so point it at a monitored security alias rather than one person's inbox where you can. The notification is a structured incident report (what happened, scope, mitigation, timeline), not a "we had a thing, will follow up" placeholder.
Penetration testing
Annual third-party penetration test. The most recent report, redacted, is available on request from the Trust Center; the redactions cover IP addresses and version-specific CVE references that no longer apply.
Vulnerability disclosure
Responsible disclosure: email [email protected], encrypting with our PGP key (linked from the Trust Center). We work to a 90-day coordinated disclosure window. The bug bounty runs through HackerOne, with payouts from $500 to $10,000 depending on severity. Payment is not conditional on your publication timeline: we pay even if you decide to publish.