Security at MonkeysCloud

Cloud Provider. MonkeysCloud runs entirely on Google Cloud Platform (GCP), which maintains SOC 1/2/3, ISO 27001, ISO 27017, ISO 27018, PCI DSS, HIPAA, and FedRAMP certifications. Our infrastructure inherits these certifications at the physical and network layer.

Network Isolation. Customer workloads run in isolated containers on Google Kubernetes Engine (GKE) with Kubernetes Network Policies enforcing strict pod-to-pod isolation. Each project's instances communicate over a private network that is not accessible from other projects or the public internet (unless explicitly exposed via custom domains).

Private Clusters. GKE clusters run with private nodes — no public IP addresses on worker nodes. All management access is through Google Cloud IAM with enforced multi-factor authentication.

DDoS Protection. Google Cloud Armor provides layer 3/4 DDoS mitigation at the network edge. Web Application Firewall (WAF) rules protect against common attack patterns including SQL injection, cross-site scripting, and protocol abuse.

Load Balancing. Google Cloud Global Load Balancer distributes traffic with automatic SSL termination, HTTP/2 and HTTP/3 support, and geographic routing.

In Transit. All traffic between users and MonkeysCloud is encrypted with TLS 1.2 or TLS 1.3. HSTS headers are enforced with a minimum age of one year. Internal service-to-service communication within the cluster uses mutual TLS (mTLS) via Istio service mesh.

At Rest. All data stored on Google Cloud — persistent disks, Cloud SQL databases, Secret Manager entries, Cloud Storage buckets, and container images — is encrypted at rest using AES-256 with Google-managed encryption keys by default. Enterprise customers can use Customer-Managed Encryption Keys (CMEK) via Google Cloud KMS.

Secrets. Environment variables, database credentials, API keys, and other sensitive configuration are stored in Google Cloud Secret Manager with IAM-scoped access. Secrets are never written to build logs, container images, or application artifacts. Secrets are injected at runtime only.

User Authentication. MonkeysCloud supports email/password authentication with bcrypt hashing (cost factor 12), two-factor authentication via TOTP (Google Authenticator, Authy, 1Password), and OAuth 2.0 sign-in via GitHub, Google, and GitLab. Enterprise customers can configure SAML 2.0 SSO with any compliant identity provider (Okta, Azure AD, Google Workspace, OneLogin).

Session Management. Sessions use signed, encrypted JWT tokens with configurable expiration. Refresh tokens are rotated on each use. Active sessions can be viewed and revoked from account settings.

Role-Based Access Control. Organizations use four roles: Owner, Admin, Developer, and Viewer. Permissions are enforced at the API level — the dashboard is a client of the same API.

API Authentication. API access uses scoped API keys or OAuth 2.0 bearer tokens. API keys can be restricted to specific projects and operations. All API requests are logged with the authenticated identity.

Container Security. Application containers are built from minimal base images, scanned for known vulnerabilities using Trivy on every build, and run with a read-only root filesystem where possible. Container images are stored in Google Artifact Registry with vulnerability scanning enabled.

Binary Authorization. On Enterprise plans, Binary Authorization ensures that only signed, verified container images can be deployed to production environments. Unsigned or modified images are rejected at the admission controller level.

Build Isolation. Each build runs in an ephemeral, isolated container on Google Cloud Build. Build containers are destroyed after the build completes. Build artifacts are stored in private registries accessible only to the owning project.

Dependency Scanning. AI code review includes automated detection of known vulnerable dependencies during pull request review. Developers receive inline notifications for outdated or compromised packages.

Data Isolation. Each customer's data — code, databases, files, task data, monitoring metrics — is logically isolated at the project level. Database instances run as separate containers with dedicated storage volumes. There is no shared database access between projects.

Backups. Platform data (Git repositories, task data, project configuration) is backed up daily with 30-day retention. Customer database instances on paid plans include automated daily backups stored on the instance's persistent volume. Enterprise customers can configure custom backup schedules and cross-region replication.

Data Deletion. When a user deletes a project, all associated data — Git repository, database files, build artifacts, logs, and configuration — is marked for deletion and permanently removed within 30 days. Deleted data cannot be recovered after the deletion process completes.

Data Residency. By default, customer data is stored in the us-central1 (Iowa) region. Customers on Team and Enterprise plans can select from available GCP regions. Data does not leave the selected region unless explicitly configured by the customer (e.g., CDN edge caching of public assets).

Audit Logging. All administrative actions — member additions, permission changes, instance creation, deployment triggers, configuration changes — are recorded in audit logs accessible to organization admins on Team plans and above. Platform-level audit logs are maintained internally via Google Cloud Audit Logs.

Intrusion Detection. Google Cloud Security Command Center provides continuous monitoring for threats, misconfigurations, and compliance violations across our infrastructure. Alerts are triaged by the MonkeysCloud engineering team.

Incident Response. We maintain an incident response plan covering detection, containment, investigation, remediation, and communication. Security incidents affecting customer data are communicated within 72 hours via email notification to affected organization owners, consistent with GDPR Article 33 requirements.

Uptime Monitoring. Platform availability is monitored from multiple global locations and reported at monkeys.cloud/status.

SOC 2 Type II. In progress. Expected completion Q4 2026.

GDPR. MonkeysCloud complies with the General Data Protection Regulation. See our Privacy Policy for details on data processing, data subject rights, and international data transfers.

CCPA. MonkeysCloud complies with the California Consumer Privacy Act. California residents have the right to know, delete, and opt out of sale of personal information. We do not sell personal information.

Data Processing Agreement. A DPA is available for Enterprise customers on request. Contact privacy@monkeys.cloud.

We welcome responsible security research. If you discover a security vulnerability in MonkeysCloud, report it to security@monkeys.cloud. We commit to acknowledging reports within 24 hours and providing an initial assessment within 72 hours. We do not pursue legal action against good-faith security researchers who follow responsible disclosure practices.