Monotype’s Information Security Management System is ISO 27001:2022 Certified

Through our Information Security Management System, we address the General Data Protection Regulation (GDPR) through the following controls:

1. Physical Access Control

   Access to Monotype offices is controlled by keys, biometrics and/or electronic cards. Visitors are always escorted by Monotype personnel. Monotype data centers are access controlled either by Monotype or by the data center service providers. Monotype has no physical access to the Amazon Web Services (AWS) locations it employs.

2. Usage Control

   Monotype employees are identified by a master record that contains unique user names for each account and the corresponding passwords. Monotype’s main identity system is managed internally, and applies password complexity policies as well as automatic blocking.

   Additionally, employees are required to use two-factor verification. When possible, the use of groups and roles is deployed. In transit, information encryption is enforced through mandatory use of Transport Layer Security (TLS).

3. Virtual Access Control

   Access to Monotype assets, services and systems is only given as needed. Monotype conducts regular checks to ensure access is restricted to only those employees that are authorized to have it. When possible, the use of groups and roles is implemented.

4. Confidentiality Control

   Access to all Monotype systems is only permitted over TLS-encrypted protocols. All access requires authentication and authorization. Use of Monotype assets are logged, monitored and reported. All access to Monotype systems is completed through a web application firewall that ensures only authorized access to services and information.

5. Input Control

   Monotype implements a logging, monitoring and report system to detect data modification, implemented either internally or by third-party services.

6. Availability Control

   Availability is assured by hosting our services on Infrastructure-as-a-Service (Iaas) providers, or data centers managed by Monotype, which provide at least 99.5% uptime availability. Monotype’s infrastructure includes a web application firewall, load balancers and dynamically allocated servers. For Software-as-a-Service (SaaS) infrastructure, our providers are responsible for data redundancy and infrastructure security, providing protection against both distributed denial of service attacks (DDoS) and application layer attacks. For Monotype-hosted solutions, we provide state-of-the-art infrastructure security and utilize best-in-class services to protect against these attacks. Monotype performs regular security checks, scans and penetration tests on systems to ensure that software and configurations are up-to-date.

7. Separation Control

   Monotype deploys databases that have different privileges, and end users cannot write to master databases. Monotype employs software control mechanisms to ensure customer data isolation, such that one customer cannot access information belonging to another customer.

8. Resilience Control

   Monotype ensures resilience by hosting our services on IaaS providers, that provide mechanisms for our service to survive local and regional disasters. All services hosted in a Monotype data center have controls for locally and regionally distinct replication of data to ensure our service will survive a local or regional disaster.

9. Integrity Control

   Monotype leverages TLS to ensure data integrity during transport. Monotype’s services leverage data validation routines, checksums and hashes to ensure data integrity during processing.

View a copy of our ISO 27001 certificate here.

View a copy of our Security, Trust, Assurance and Risk (STAR) Level 2 Service Provider certificate here.