Security & Infrastructure

Institutional-grade security, designed for private markets.

Monolith Equity is built with defense-in-depth: strict access controls, auditable operations, and resilient infrastructure. We prioritize clarity: what we do, why we do it, and how controls are enforced.

  • Least privilege
  • Auditability
  • Segregation of duties
  • Operational resilience
Defense-in-depth
Controls layered across identity, data, infrastructure, and operations.
Audit-ready
Structured logs and accountability for sensitive actions and approvals.
Secure by design
Clear boundaries between services with hardened defaults.
Resilience
Monitoring, alerting, and incident response discipline built-in.

Controls

Core security controls

A practical overview of the controls that matter most for private market workflows: identity, access, data integrity, and operational accountability.

Identity verification
Verified identity and eligibility checks are enforced before accessing sensitive actions or restricted data.
Required
Least-privilege access
Role-based permissions and strict authorization boundaries reduce blast radius and prevent overreach.
RBAC
Audit trails
Important actions produce structured logs to support investigations and compliance reporting.
Traceable
Data protection
Encryption in transit and at rest, plus controls to reduce exposure of sensitive information.
Encrypted

Infrastructure

Reference architecture

A clear, modern stack with separation of concerns. We prioritize observability and reliability alongside security.

Service boundaries
Separation between the web experience, APIs, and background processing limits how far a fault or compromise in one component can spread to the others.
Observability
Metrics, traces, and structured logs enable fast diagnosis and consistent operations.
Data layer protections
Database access patterns are designed to prevent accidental cross-tenant visibility.
Secure defaults
We adopt hardening practices and minimize unnecessary exposure by design.
  • Frontend: Next.js (App Router)
  • API: NestJS
  • Database: PostgreSQL
  • Queue: Redis / jobs
  • Storage: S3-compatible
  • Auth: OIDC + short-lived sessions
  • Telemetry: OpenTelemetry

Principle

Minimize attack surface

Expose only what’s necessary, keep boundaries clear, reduce implicit trust.

Principle

Make actions accountable

Audit sensitive operations and maintain traceability for incident response.

Principle

Operate with discipline

Monitoring, alerts, and runbooks reduce downtime and incident impact.

Access

Access, permissions, and approvals

Private markets require strict guardrails. Sensitive actions are protected with role boundaries and explicit approvals.

Role-based access control
Permissions are scoped to roles and contexts. Access to investor/issuer data is restricted by eligibility and authorization checks.
Approval workflows
High-impact operations can require explicit approval steps, with traceability for “who did what, when, and why”.
Sensitive actions protection
Sensitive actions are protected with confirmation patterns and strict authorization to reduce accidental or malicious use.
Abuse prevention
Rate limiting and monitoring help mitigate abusive patterns and reduce exposure to automated attacks.

Data

Data protection & privacy

We aim to minimize exposure of sensitive information and ensure consistent protection across storage, transit, and access.

Encryption in transit
TLS is used to protect data moving between users and services.
Encryption at rest
Sensitive data is stored with encryption and access constraints.
Secrets handling
Secrets are managed with strict access and rotation practices.

Privacy

Clear documentation on data handling

See our privacy details and cookies policy in the Legal hub.

Operations

Monitoring, alerting, and incident response

Security is not only design — it’s operations. We monitor, respond, and continuously improve based on real-world signals.

Monitoring
Health checks and telemetry help detect anomalies early.
Alerting
Alerts route issues to the right owners based on severity.
Runbooks
Standard responses reduce confusion and response time during incidents.
Post-incident reviews
We document learnings and ship improvements to prevent recurrence.

Disclosure

Responsible disclosure

If you believe you’ve found a security issue, please report it responsibly. We’ll acknowledge receipt and work toward a fix.

Report security issues

Use the channel below and include reproduction details.

Include

  • Steps to reproduce, expected vs observed behavior
  • Affected URLs/endpoints, screenshots/logs if relevant
  • Impact assessment (what could an attacker do?)

Please avoid

  • Accessing data that isn’t yours
  • Disrupting service availability
  • Public disclosure before coordination

Contact

security@monolith.xyz

If you don’t have a dedicated channel yet, use our primary contact and mention “Security report”.

We aim to acknowledge reports promptly and coordinate responsibly. Timing depends on severity and scope.

For legal terms and additional disclosures, see Terms of Use and the Risk Disclosures.
