Monroe

Security & trust

Built so the team that hires Monroe can actually trust the agent.

We architect Monroe so the failure modes most AI agent products quietly accept — runaway spend, ambient data access, autonomous external sends — are designed-out from day one. Here’s how.

  • Per-workspace process isolation
  • OAuth-only credential model
  • Hard cap on spend
  • Approval gates on external sends
  • SOC 2 in progress

Tenancy

One Monroe per workspace. Always.

Every customer gets a dedicated Monroe instance — process-isolated, with its own state, skills, memory, and credentials. We don't share infrastructure or context between workspaces.

  • Per-workspace container (ECS Fargate task) — never shared
  • Per-workspace EFS volume for state — POSIX-scoped + access-point-enforced
  • Per-workspace KMS envelope encryption for sensitive DB fields
  • No cross-tenant data path exists in the architecture

Credentials

OAuth-only. Monroe never sees a password.

Every tool Monroe touches is connected via OAuth with scoped permissions. You pick what Monroe can see — a folder, a repo, a channel — not the whole account. Revoke from your dashboard or the upstream tool, and Monroe loses access on the next request.

  • OAuth-first connector model — passwords never enter the system
  • Per-connector scope: folder-level Drive, repo-level GitHub, channel-level Slack
  • Per-workspace OpenRouter sub-key with hard spend cap enforced upstream
  • Customer can revoke any connector instantly; Monroe loses access on next call

Spend

Hard cap. Period.

Set your monthly cap. Monroe stops and asks before exceeding it — no surprise invoices, no runaway costs. The cap is enforced at the LLM provider layer, not just in our app, so even a buggy agent loop can't blow through it.

  • Soft warnings at 50%, 75%, 90% of cap
  • Hard stop at 100% — agent pauses, posts in-channel: "Out of budget, raise cap to continue"
  • Cap is enforced provider-side via OpenRouter sub-key limit — not just in Monroe
  • Per-run cost shown before the run executes

Approvals

Anything that leaves the building needs a human.

Monroe drafts. You approve. That's the contract. Replies, emails, CRM changes, refunds, public posts, code commits — all gated behind explicit human approval. Read-only research never needs an approval.

  • Send to a customer? Approval required.
  • Modify a CRM record? Approval required.
  • Execute a Stripe action? Approval required.
  • Commit or merge code? Approval required.
  • Read a Slack thread, summarize it, post in-thread? No approval — read-only.
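As an added illustration (not Monroe's code), the following shows how the spend cap from the Spend section and the read/write approval gate described here combine into a single pre-run check: the budget is consulted first, soft warnings at 50%, 75% and 90% fire once each, a call that would cross the cap pauses with the "Out of budget" message, read-only tools auto-run, and anything else waits for a human. Tool names, credit amounts and the workspace opt-in set are constructed for the example; the provider-side limit the page relies on sits outside this snippet and is the backstop, not this code.

```python
from dataclasses import dataclass, field
from enum import Enum


class Verdict(Enum):
    RUN = "run"                   # read-only: execute without asking
    NEEDS_APPROVAL = "approval"   # draft it, then wait for a human click
    PAUSED = "paused"             # cap would be exceeded: stop and ask


# Constructed tool identifiers: the page names the categories (Drive search, HubSpot
# query, Slack read), not these strings. Anything not listed here needs approval.
READ_ONLY_TOOLS = {"drive.search", "hubspot.query", "slack.read_thread"}

# Soft-warning thresholds as fractions of the cap; each fires at most once per period.
WARN_THRESHOLDS = (0.50, 0.75, 0.90)


@dataclass
class BudgetGuard:
    """App-side spend tracking; mirrors (does not replace) the provider-side limit."""
    cap_credits: int
    spent_credits: int = 0
    _fired: set = field(default_factory=set, repr=False)

    def would_exceed(self, estimated_cost: int) -> bool:
        return self.spent_credits + estimated_cost > self.cap_credits

    def record(self, cost: int) -> list[str]:
        """Book a completed run's cost; return warnings for thresholds newly crossed."""
        self.spent_credits += cost
        used = self.spent_credits / self.cap_credits
        warnings = []
        for t in WARN_THRESHOLDS:
            if used >= t and t not in self._fired:
                self._fired.add(t)
                warnings.append(
                    f"Spend at {round(t * 100)}% of cap "
                    f"({self.spent_credits}/{self.cap_credits} credits)"
                )
        return warnings


@dataclass
class ToolCallGuard:
    budget: BudgetGuard
    auto_run: set = field(default_factory=set)  # per-workspace opt-ins for write tools

    def evaluate(self, tool: str, estimated_cost: int) -> tuple[Verdict, str]:
        """Decide before the run: budget first, then approval. Unknown tools default to approval."""
        if self.budget.would_exceed(estimated_cost):
            return Verdict.PAUSED, "Out of budget, raise cap to continue"
        if tool in READ_ONLY_TOOLS or tool in self.auto_run:
            return Verdict.RUN, f"auto-run ({estimated_cost} credits)"
        return Verdict.NEEDS_APPROVAL, f"approval required for {tool} ({estimated_cost} credits)"


def run_scenario() -> list[tuple[str, str, list[str]]]:
    """Constructed sequence of tool calls against a 100-credit cap.

    Returns one (tool, verdict, warnings) entry per call. For approval-gated calls
    the example assumes the human clicks approve, so the cost is then booked.
    """
    guard = ToolCallGuard(BudgetGuard(cap_credits=100))
    calls = [
        ("slack.read_thread", 30),
        ("drive.search", 30),
        ("email.send", 5),
        ("hubspot.query", 25),
        ("stripe.refund", 20),
    ]
    log = []
    for tool, cost in calls:
        verdict, _note = guard.evaluate(tool, cost)
        warnings = []
        if verdict in (Verdict.RUN, Verdict.NEEDS_APPROVAL):
            warnings = guard.budget.record(cost)   # run happened (or was approved)
        log.append((tool, verdict.value, warnings))
    return log


if __name__ == "__main__":
    for tool, verdict, warnings in run_scenario():
        print(f"{tool:<18} {verdict:<9} {'; '.join(warnings)}")
```

Two details matter in practice: the cap check uses the estimated cost of the pending call, so the agent stops before crossing the line rather than after, and a single large run can cross two thresholds at once, so the guard emits every newly crossed warning rather than only the highest one.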

Audit

Every run leaves a receipt.

Every completed Monroe action posts a 2-line receipt in-channel: what it did, what it touched, how many credits it cost. Workspace admins see the full audit log in the dashboard. Enterprise customers can export to S3/Splunk/syslog.

  • Per-run receipts in-channel with credit count + sources
  • Workspace audit log: every tool call, timestamp, outcome
  • Enterprise audit export to S3, Splunk, or syslog
  • Customer-visible run history in the dashboard, sortable by tool/cost/user

Compliance

SOC 2 in progress. Pen test booked.

We're building Monroe with SOC 2 controls baked in from v0 — not retrofitted. Type I underway with Vanta; Type II target Q1 2027. Independent penetration test booked for the production-launch window. DPA, BAA, and SCC documents available on request for Enterprise customers.

  • SOC 2 Type I — in progress with Vanta
  • SOC 2 Type II — target Q1 2027
  • Independent penetration test — scheduled for production launch
  • DPA, BAA, SCC available on request — legal@getmonroe.com
  • Data residency: US-East default; EU-West + AP-Southeast available on Enterprise

Sub-processors

The vendors that touch your data, and what they each do.

We list every sub-processor in the data path here, with what they handle and where they run. We notify Enterprise customers 30 days before adding a new one.

Vendor                 Purpose                                   Region
Anthropic              LLM provider (Claude family)              US
OpenAI                 LLM provider (GPT family)                 US
Google Cloud / Vertex  LLM provider (Gemini family)              US/EU
OpenRouter             LLM routing + spend-cap enforcement       US
AWS                    Hosting (ECS Fargate, EFS, RDS, S3)       US-East default, EU-West available
Clerk                  Identity + SSO + session management       US
Stripe                 Billing, payment processing, Stripe Tax   US/EU
Vercel                 Marketing site hosting + edge CDN         Global
Vanta                  SOC 2 evidence collection                 US

Security FAQ

The questions your security team will ask. Answered directly.

Do you train on my data?

No. Workspace data is never used to train foundation models — ours or anyone else’s. Your messages, your documents, your CRM records stay your data. Contractually committed in the DPA.

Where is my data stored?

US-region AWS by default. EU residency is available on Enterprise (Frankfurt + Dublin). Per-workspace isolation at the database row and object-storage prefix level. The sub-processor list is public at getmonroe.com/legal/subprocessors, and we email customers 30 days before adding one.

How do credentials work?

OAuth-only. Monroe never sees your password, never holds an API key in a model’s context window, and never asks you to paste a secret into chat. Tokens are stored as KMS-encrypted SecureStrings in AWS SSM Parameter Store, scoped to a single workspace, rotated on a schedule, and revocable from one button in your dashboard.

What happens if I revoke access?

The connector goes dark immediately. In-flight runs that depend on it stop and post a notice in-channel. Existing receipts and run history stay in your workspace — you can audit what happened before revocation. Re-connecting at any time picks up where things left off.

What’s your SOC 2 status?

SOC 2 Type I is in progress with Vanta, Q3 2026 report target. Type II audit follows with a Q1 2027 target. Sub-processors are listed publicly so your security team can review them before any call. We don’t pretend to have certifications we’re still working toward.

How do you handle prompts that try to exfiltrate data?

Multi-layer. Prompt-injection defenses on every tool call, output-scanning on data Monroe is about to send outside your workspace, and a default-deny on cross-workspace reads. Sensitive actions (sends, posts, transfers) wait for an in-channel approval click, so a poisoned document can’t silently leak through.

Can Monroe act without approval?

For reads, yes — searching Drive, querying HubSpot, summarizing a Slack thread. For anything that writes, sends, transfers money, or changes permissions, no — those require an approval click by default. Each tool’s approval gate is configurable per workspace, so you decide which actions are safe to auto-run.

What’s your security incident response?

Our pager is monitored 24/7. Customer-impacting incidents trigger notification within 24 hours per the DPA, with a postmortem inside 14 days. Email security@getmonroe.com for disclosures; we acknowledge within 24h and coordinate on a 90-day default timeline.

Security disclosures

Found something?

Email security@getmonroe.com. We acknowledge within 24h and coordinate disclosure on a 90-day default timeline.

Compliance docs

Need DPA/BAA/SCC?

Email legal@getmonroe.com. Enterprise customers get fully signed copies; pilot customers get the latest under-review draft on request.

Looking for the formal legal-format security policy or privacy policy?