MonkMonk

    Security

    How Monk protects your code and infrastructure.

    Last Updated: October 29, 2025

    Keeping your source code and infrastructure secure is our top priority. This page outlines our security practices and infrastructure.

    For security vulnerabilities, please email security@monk.io with detailed information.

    Infrastructure Overview

    We process your code in real-time to provide deployment and management services. Here's how data flows through our infrastructure:

    Your IDE → Cloudflare → Azure → AI Providers → Response

    Edge & Security Layer

    Cloudflare provides DDoS protection, rate limiting, and acts as our reverse proxy for all traffic.

    Primary Infrastructure

    Azure hosts our API servers in US regions, processes requests in real-time, and routes to AI providers. Code is processed in memory and deleted immediately after each request.

    AI Processing

    Azure OpenAI API and OpenAI process your code to generate deployment configurations and recommendations.

    Supporting Services

    AWS, GCP, DigitalOcean host databases, analytics, and supporting services. These systems store only account information, settings, and usage analytics — never your source code.

    How We Process Your Code

    Your code is never stored

    • Encrypted in transit with TLS 1.3
    • Processed in memory only
    • Deleted immediately after processing
    • Never written to disk or database
    • Never logged or cached

    What We Send to AI

    • Relevant code snippets
    • Project structure context
    • Deployment configurations
    • Your specific queries

    What Gets Stored

    • Account information
    • Usage analytics
    • Billing data
    • User preferences

    Security Practices

    Encryption & Authentication

    • TLS 1.3 encryption for all communications
    • OAuth 2.0 authentication via GitHub/Google
    • No password storage (OAuth only)
    • Request signing to prevent tampering
    • Regular token rotation

    Access Control

    • Multi-factor authentication for infrastructure
    • Limited production access (2-3 core engineers)
    • Principle of least privilege enforced
    • All access logged and audited

    Monitoring & Response

    • 24/7 automated monitoring via Azure and Cloudflare
    • Error tracking with Sentry (no code in logs)
    • Immediate investigation of anomalies
    • Users notified within 72 hours of incidents

    API Endpoints

    The Monk Agent communicates with these endpoints (whitelist these if you're behind a corporate firewall):

    api.monk.ioMain API endpoint
    api.app.monk.ioSecondary endpoint

    Data Residency

    • Primary Processing: US-based Azure regions
    • AI Processing: US-based servers
    • CDN: Cloudflare global network
    • No Chinese Infrastructure: We do not use any Chinese companies as subprocessors

    Security Best Practices

    When using Monk:

    • Review all AI-generated outputs before deployment
    • Test in staging environments first
    • Monitor deployments for unexpected changes
    • Keep your IDE extensions updated
    • Use strong authentication for OAuth providers

    Compliance & Certifications

    CurrentSecurity best practices, monitoring, and regular audits
    2026Third-party security audit planned
    2026SOC 2 Type II certification target

    Vulnerability Disclosure

    If you discover a security vulnerability:

    Response Time: Acknowledgment within 5 business days
    Include:
    • Detailed description
    • Steps to reproduce
    • Potential impact

    We take all security reports seriously and work to address them promptly. Quality researchers with significant findings will be credited with permission.

    Security Contact

    For security questions or concerns:

    Email: security@monk.io

    Response Time: 24-48 hours for general inquiries

    Urgent Issues: Mark subject as "URGENT - SECURITY"