Built secure from the first packet.
AccessMonk is engineered with defense-in-depth, true end-to-end encryption, and a zero-trust architecture. Every session is private, verified, and accountable — by design, not by configuration.
Audited and aligned to the standards your security team expects
We report our compliance posture honestly. Items marked “In progress” are actively being pursued — request current reports and our roadmap during a security review.
Defense in depth
Layered controls on every connection
Security is built into the architecture, not bolted on. Each layer stands on its own and reinforces the others.
True end-to-end encryption
Media and control channels are encrypted directly between agent and technician. Our relay forwards only ciphertext — it never holds the keys or sees session content.
Mandatory MFA + passkeys
Every account is protected with multi-factor authentication and phishing-resistant passkeys. SMS codes are never used as a factor.
Role-based access control
Granular roles scope exactly what each technician can see and do, down to individual device groups and session capabilities.
Per-tenant isolation
Each organization is logically isolated. There is no shared session state and no path for one tenant to reach another’s devices or data.
Full audit logging
Every authentication, connection, file transfer, and in-session action is recorded in an immutable, exportable audit trail.
Device identity & code-signed agents
Agents are code-signed and present a verifiable device identity, so technicians always connect to the machine they intend to.
Session consent & recording controls
Configurable consent prompts, visible session indicators, and policy-driven recording give end users and admins control and transparency.
Hardened infrastructure
Least-privilege services, encrypted data at rest and in transit, continuous patching, and isolated environments across our platform.
How it works
How a session is secured
Five enforced steps stand between a connection request and a live session. None can be skipped.
- Step 1
Identity
User authenticates with MFA or a passkey; the device proves its signed identity.
- Step 2
Authorization
RBAC and device-group policy decide exactly what this session is allowed to do.
- Step 3
E2E key exchange
Agent and technician negotiate session keys directly. The relay never sees them.
- Step 4
Encrypted media
Screen, input, and files flow end-to-end encrypted; the relay forwards ciphertext only.
- Step 5
Audit
Every action is signed into an immutable, exportable audit log as it happens.
Trust & transparency
Compliance & data handling
Clear answers to the questions your security and legal teams will ask first.
Where your data lives
Account and metadata are stored in your selected region. Session media is end-to-end encrypted and is not stored by our relay.
Retention
Audit logs and recordings follow the retention windows you configure. Defaults are conservative and fully adjustable per tenant.
Crypto-shred deletion
When data is deleted we destroy the associated encryption keys, rendering any residual ciphertext permanently unrecoverable.
Subprocessors
We maintain a current, public list of subprocessors and notify customers in advance of any material changes.
Responsible disclosure
We welcome reports from the security community. If you believe you have found a vulnerability, contact security@accessmonk.com. We acknowledge reports promptly, investigate every submission, and will not pursue good-faith research conducted under our policy.
Bring your toughest questions.
Read the full technical security model, or sit down with our team for a detailed review of architecture, controls, and compliance.