Privacy & Security

Updated: November 1, 2023


1. Overview2. Privacy3. Security

Monaco Foundry takes the privacy of our clients, investors, and business partners very seriously. Our experienced technical team builds privacy and security controls into our systems, business practices, and regulatory compliance. We subscribe to internationally-recognized, standards-based cybersecurity implementation, operations, and incident response principles to protect the confidentiality, integrity, and availability of our services, systems, and data. The Monaco Foundry partners bring a fully-global perspective and guide our interactions with national and regional privacy and security compliance management bodies.

The following is an overview of our security and privacy precepts and practices. If you have less detailed experience in the domain it empowers your decisions on what information you want to provide Monaco Foundry about yourself, as well as the businesses you represent.

An overview of our practices

Privacy and security are two different domains, but each domain guides the other with requirements - we might use business practices to handle a specific privacy requirement, whereas we might use business processes and technical means to address another. Conversely, our security efforts may set privacy requirements where personal information might be required before you can access a system or business process.


  1. Notice and Consent: You need to be made aware of how we are going to use your private data. You need to know with whom we might share it, and you have the ability to provide and withhold consent.
  2. Private Data Collection and Removal: We are guided by the concept of private data minimization. As an example, we design our end-user systems (like the Monaco Foundry Meta World) to allow interaction with only an email address. If you want to participate in more experiences, they might need additional information, such as a social networking handle or phone number. If you are unwilling to provide data, we understand, but it may limit your functionality. When you want to have your private data removed, you can notify us by sending an email to, and we will remove it to the extent that it is not further required by an overriding.
  3. Regulatory Compliance: There are overriding authorities that, when you request removal or your private information, we may not be able to remove all of it. As an example, the private information associated with banking and investments may require that we hold on to transactional details for seven years in case of an audit.
  4. Monitoring and Reporting: We have monitoring and reporting requirements, largely associated with where you live and work, where our systems are operating. If we have an incident where private information may have been exposed, we have a duty to inform cognizant authorities and comply with notice requirements.
  5. Regulatory Compliance: There are overriding authorities that, when you request removal or your private information, we may not be able to remove all of it. As an example, the private information associated with banking and investments may require that we hold on to transactional details for seven years in case of an audit.
  6. Private Data Protection: Our privacy team provides security requirements such as: private data must be encrypted a certain way when it is sitting in a database or moved to a system; some limited number of individuals need to access private data without encryption; and when a user accesses unencrypted data, we need to note who and when it occurred.


  1. Confidentiality: We have policies and procedures that are designed to protect sensitive data (not just private data) from accidental disclosure or access by non-permissioned persons.

    a. Encryption: We encrypt data-at-rest and data-in-motion with sufficiently complex encryption algorithms (AES-256) to prevent improper disclosure.

    b. Access Control: We control access to sensitive information using strong authentication and authorization tools.

    c. Training and Evaluation: We actively train our staff on the human-caused sources of cyber vulnerabilities. We conduct random exercises to make sure our staff complies with the practices we train. Our customers and partners are trained to spot fraud or malfeasance to help make the entire system more secure.

    d. Operate: We operate a 24x7 cybersecurity monitoring and response team with tools that highlight potential threats so we can stop them early and often.

    e. Audit: We recond all of the actions we take and we store those records so independent assessors can validate the information protection practices we have in place.
  2. Integrity: In a system that will be used for conducting financial transactions, paying bills, and monitoring performance, we need to make sure that the data and processes have not altered the data, algorithms, or other services.

    a. Risk Identification: Both our technology team, as well as our operations team, incorporate information and process integrity into requirements from the outset. We ask questions like: What unintentional errors in this new capability would cause us, or our customers, to lose confidence in the accuracy of its output? How would somebody knowingly get access to our information assets or processing capabilities to cause commercial embarrassment, secondary theft, or render us unable to process the transactions and provide access to our information.

    b. Change Control: We implement strong change control practices and train all employees on the importance of orderly and efficient changes across our enterprise. We use unalterable transaction ledgers that immediately alert us to a change in your transaction history, and we test our new algorithms and product output regressively and progressively to make sure that we didn’t “break” the connection between our data and your decisions and transaction.

    c. Backup and Restoration: We maintain a history of changes in data, code development, business processes, and services; when we discover an integrity issue, we are able to replay the transactions to identify the source and restore trusted data.
  3. Availability: We review our services and the systems used to deliver them to set requirements on the importance of continuous operations and your access to those services. We analyze how a system can be inaccessible or non-functional before it negatively impacts your business objectives. We also establish how far back we will have to go to reproduce transactions.

    a. Risk Identification: We identify the services we offer our end users as well as the underlying components. We establish what kind of risks are reasonable (and those that aren’t), and we should find a way to operate through those risks.

    b. Recovery Time and Recovery Point: Transactional systems need to be able to restore all of the way to the point of the last complete transaction. Experience based systems might only need to know what happened at most 24 hours prior. We set those objectives for each system and process, thereby setting our tech and human resource requirements.

    c. Backup and Recovery: We set up systems to backup our records, transaction histories, system settings, code, and other data. We identify the resources who will step in and replace people who cannot perform their business function.

    d. Training and Exercise: We train our team on their responsibilities as well as the responsibilities of the team around time. We make sure all individuals know alternate communications for those times when the normal path doesn’t work. Finally we practice operations through simulated events and training systems to make sure our plans work and team members know their roles.