Security is our #1 priority

Built secure from the first packet.

AccessMonk is engineered with defense-in-depth, true end-to-end encryption, and a zero-trust architecture. Every session is private, verified, and accountable — by design, not by configuration.

Audited and aligned to the standards your security team expects

SOC 2 Type IICertified
HIPAACertified
GDPRCertified
ISO 27001In progress

We report our compliance posture honestly. Items marked “In progress” are actively being pursued — request current reports and our roadmap during a security review.

Defense in depth

Layered controls on every connection

Security is built into the architecture, not bolted on. Each layer stands on its own and reinforces the others.

True end-to-end encryption

Media and control channels are encrypted directly between agent and technician. Our relay forwards only ciphertext — it never holds the keys or sees session content.

Mandatory MFA + passkeys

Every account is protected with multi-factor authentication and phishing-resistant passkeys. SMS codes are never used as a factor.

Role-based access control

Granular roles scope exactly what each technician can see and do, down to individual device groups and session capabilities.

Per-tenant isolation

Each organization is logically isolated. There is no shared session state and no path for one tenant to reach another’s devices or data.

Full audit logging

Every authentication, connection, file transfer, and in-session action is recorded in an immutable, exportable audit trail.

Device identity & code-signed agents

Agents are code-signed and present a verifiable device identity, so technicians always connect to the machine they intend to.

Session consent & recording controls

Configurable consent prompts, visible session indicators, and policy-driven recording give end users and admins control and transparency.

Hardened infrastructure

Least-privilege services, encrypted data at rest and in transit, continuous patching, and isolated environments across our platform.

How it works

How a session is secured

Five enforced steps stand between a connection request and a live session. None can be skipped.

  1. Step 1

    Identity

    User authenticates with MFA or a passkey; the device proves its signed identity.

  2. Step 2

    Authorization

    RBAC and device-group policy decide exactly what this session is allowed to do.

  3. Step 3

    E2E key exchange

    Agent and technician negotiate session keys directly. The relay never sees them.

  4. Step 4

    Encrypted media

    Screen, input, and files flow end-to-end encrypted; the relay forwards ciphertext only.

  5. Step 5

    Audit

    Every action is signed into an immutable, exportable audit log as it happens.

Trust & transparency

Compliance & data handling

Clear answers to the questions your security and legal teams will ask first.

Where your data lives

Account and metadata are stored in your selected region. Session media is end-to-end encrypted and is not stored by our relay.

Retention

Audit logs and recordings follow the retention windows you configure. Defaults are conservative and fully adjustable per tenant.

Crypto-shred deletion

When data is deleted we destroy the associated encryption keys, rendering any residual ciphertext permanently unrecoverable.

Subprocessors

We maintain a current, public list of subprocessors and notify customers in advance of any material changes.

Responsible disclosure

We welcome reports from the security community. If you believe you have found a vulnerability, contact security@accessmonk.com. We acknowledge reports promptly, investigate every submission, and will not pursue good-faith research conducted under our policy.

Bring your toughest questions.

Read the full technical security model, or sit down with our team for a detailed review of architecture, controls, and compliance.