Monotype’s Information Security Management System is ISO 27001:2013 Certified

Through our Information Security Management System, we address the General Data Protection Regulation (GDPR) through the following controls:

  1. Physical Access Control

    Access to Monotype offices is controlled by keys, biometrics and/or electronic cards. Visitors are always escorted by Monotype personnel. Monotype data centers are access controlled either by Monotype or by the data center service providers. Monotype has no physical access to the Amazon Web Services (AWS) locations it employs.

  2. Usage Control

    Monotype employees are identified by a master record that contains unique user names for each account and the corresponding passwords. Monotype’s main identity system is managed internally, and applies password complexity policies as well as automatic blocking.

    Additionally, employees are required to use two-factor verification. When possible, the use of groups and roles is deployed. In transit, information encryption is enforced through mandatory use of Transport Layer Security (TLS).

  3. Virtual Access Control

    Access to Monotype assets, services and systems is only given as needed. Monotype conducts regular checks to ensure access is restricted to only those employees that are authorized to have it. When possible, the use of groups and roles is implemented.

  4. Confidentiality Control

    Access to all Monotype systems is only permitted over TLS-encrypted protocols. All access requires authentication and authorization. Use of Monotype assets are logged, monitored and reported. All access to Monotype systems is completed through a web application firewall that ensures only authorized access to services and information.

  5. Input Control

    Monotype implements a logging, monitoring and report system to detect data modification, implemented either internally or by third-party services.

  6. Availability Control

    Availability is assured by hosting our services on Infrastructure-as-a-Service (Iaas) providers, or data centers managed by Monotype, which provide at least 99.5% uptime availability. Monotype’s infrastructure includes a web application firewall, load balancers and dynamically allocated servers. For Software-as-a-Service (SaaS) infrastructure, our providers are responsible for data redundancy and infrastructure security, providing protection against both distributed denial of service attacks (DDoS) and application layer attacks. For Monotype-hosted solutions, we provide state-of-the-art infrastructure security and utilize best-in-class services to protect against these attacks. Monotype performs regular security checks, scans and penetration tests on systems to ensure that software and configurations are up-to-date.

  7. Separation Control

    Monotype deploys databases that have different privileges, and end users cannot write to master databases. Monotype employs software control mechanisms to ensure customer data isolation, such that one customer cannot access information belonging to another customer.

  8. Resilience Control

    Monotype ensures resilience by hosting our services on IaaS providers, that provide mechanisms for our service to survive local and regional disasters. All services hosted in a Monotype data center have controls for locally and regionally distinct replication of data to ensure our service will survive a local or regional disaster.

  9. Integrity Control

    Monotype leverages TLS to ensure data integrity during transport. Monotype’s services leverage data validation routines, checksums and hashes to ensure data integrity during processing.

A copy of our certificate can be found here.