Compliance & Assurance
Last Updated: November 4, 2025
Our Compliance Philosophy
Montshield operates with privacy and security by design, not as an afterthought. We build our services, processes, and infrastructure around recognized frameworks and regulatory expectations, ensuring that compliance is embedded in every engagement from day one.
While serving family offices, trusts, law firms, and high-net-worth individuals across multiple jurisdictions, we align our practices with international standards and adapt to regional requirements, ensuring that our clients can demonstrate appropriate stewardship and meet their fiduciary obligations.
Certification Status & Transparency
Current Status: Montshield is actively pursuing formal third-party certifications. We do not yet hold ISO 27001, SOC 2, or other formal attestations, but our operations are designed around these frameworks from inception.
We believe in transparency over marketing claims. Rather than overstating our compliance posture, we provide clear documentation of our security practices, operational controls, and framework alignment. Clients conducting due diligence receive comprehensive evidence of our controls, change management procedures, and governance structures.
Framework Alignment & Standards
Our operational practices align with globally recognized frameworks. While we are pursuing formal certification, our day-to-day operations implement controls consistent with:
ISO/IEC 27001:2022 (Information Security Management)
Our information security management system (ISMS) is structured around ISO 27001 principles:
- Risk-Based Approach: Documented risk assessments for all client engagements and internal systems
- Access Control: Role-based access, principle of least privilege, multi-factor authentication
- Cryptography: Encryption at rest and in transit, secure key management
- Asset Management: Inventory of information assets, ownership, and classification
- Incident Management: Defined incident response procedures, escalation paths, post-incident reviews
- Business Continuity: Documented continuity plans, backup procedures, disaster recovery testing
- Supplier Management: Vendor risk assessments, contractual security requirements
SOC 2 Type II Trust Services Criteria
Our operational controls address the five Trust Services Criteria:
- Security: Logical and physical access controls, network security, system monitoring
- Availability: System uptime monitoring, redundancy, performance management
- Processing Integrity: Data validation, error handling, quality controls
- Confidentiality: Data classification, encryption, need-to-know access
- Privacy: Consent management, data minimization, retention policies
NIST Cybersecurity Framework (CSF) 2.0
We structure security operations around the NIST CSF core functions:
- Identify: Asset inventory, risk assessment, governance structure
- Protect: Access controls, awareness training, data security, protective technology
- Detect: Continuous monitoring, anomaly detection, security event analysis
- Respond: Incident response planning, communications, analysis, mitigation
- Recover: Recovery planning, improvements, communications
CIS Critical Security Controls v8
Our baseline security posture implements CIS Controls prioritized for small and medium-sized organizations, including inventory management, secure configuration, continuous vulnerability management, controlled use of administrative privileges, audit log management, and email and web browser protections.
Regional Data Protection & Privacy
Our clients operate across multiple jurisdictions. We design services to accommodate regional data protection requirements and adapt our practices to meet local compliance expectations.
European Union: GDPR Alignment
For clients subject to the General Data Protection Regulation (GDPR), we implement:
- Lawful Basis for Processing: Clear identification of legal basis (consent, contract, legitimate interest, legal obligation)
- Data Subject Rights: Procedures for access, rectification, erasure, portability, and objection requests
- Data Minimization: Collection limited to necessary data, defined retention periods
- Data Processing Agreements: DPAs with Standard Contractual Clauses for cross-border transfers
- Breach Notification: Procedures for notifying supervisory authorities within 72 hours and informing affected data subjects
- Records of Processing: Maintained documentation of processing activities (Article 30)
Singapore: PDPA Compliance
As a Singapore-based entity, we comply with the Personal Data Protection Act (PDPA) requirements:
- Consent Obligation: Obtaining and managing consent for collection, use, and disclosure
- Purpose Limitation: Clear specification of purposes at point of collection
- Access & Correction: Procedures for individuals to access and correct their data
- Protection Obligation: Reasonable security arrangements to protect personal data
- Retention Limitation: Destruction or anonymization of personal data when it is no longer needed
- Data Breach Notification: Notification to PDPC and affected individuals for significant breaches
United Arab Emirates: Data Protection Considerations
For clients in the UAE, we address:
- Federal Data Protection Law: Alignment with UAE Federal Decree-Law No. 45 of 2021
- Free Zone Regulations: Compliance with DIFC and ADGM data protection regulations where applicable
- Data Localization: Consideration of data residency requirements for sensitive sectors
- Cross-Border Transfers: Appropriate safeguards for international data transfers
Switzerland: Federal Act on Data Protection (FADP)
For Swiss clients, we implement controls aligned with the revised FADP (effective September 2023), including data processing principles similar to GDPR, data protection impact assessments for high-risk processing, and compliance with cross-border transfer requirements.
Other Jurisdictions
We adapt our practices to meet requirements in other jurisdictions where our clients operate, including UK GDPR (post-Brexit), California Consumer Privacy Act (CCPA/CPRA), Canada's PIPEDA, Australia's Privacy Act, and Hong Kong's PDPO. Engagement-specific compliance requirements are addressed through tailored Data Processing Agreements.
Operational Security Practices
Beyond framework alignment, we implement practical security measures that protect client data and demonstrate appropriate stewardship:
Infrastructure Security
- Encryption: TLS 1.3 for data in transit, AES-256 for data at rest, encrypted backups
- Network Segmentation: Separation of client environments, dedicated VLANs, firewall rules
- Identity & Access Management: Single sign-on (SSO), multi-factor authentication (MFA), privileged access management
- Monitoring & Logging: Centralized log management, security information and event management (SIEM), audit trails
- Endpoint Protection: Anti-malware, endpoint detection and response (EDR), host-based firewalls
Change Management & Version Control
- Version Control: Git-based version control for infrastructure as code, configuration management
- Change Approval: Documented change requests, approval workflows, rollback procedures
- Change Log: Comprehensive audit trail of system modifications, configuration changes
- Testing Procedures: Pre-production testing, staging environments, validation before deployment
Vulnerability Management
- Patch Management: Regular security updates, defined patching timelines (critical: 7 days, high: 30 days)
- Vulnerability Scanning: Automated scanning, manual security reviews, penetration testing
- Issue Tracking: Vulnerability remediation tracking, risk-based prioritization
Backup & Disaster Recovery
- 3-2-1-1-0 Strategy: 3 copies, 2 different media, 1 offsite, 1 offline/immutable, 0 errors on restore
- Recovery Testing: Quarterly restore tests, documented recovery procedures
- Recovery Objectives: Defined RTO (Recovery Time Objective) and RPO (Recovery Point Objective)
Client Engagement Compliance
Each client engagement incorporates appropriate compliance measures tailored to the specific regulatory environment and risk profile:
Pre-Engagement Due Diligence
- Regulatory Mapping: Identification of applicable regulations based on client jurisdiction and data types
- Risk Assessment: Documented assessment of data sensitivity, processing activities, cross-border transfers
- Contractual Framework: Master Services Agreement, Data Processing Agreement, security addenda
Ongoing Compliance Management
- Compliance Monitoring: Regular reviews of processing activities, control effectiveness
- Documentation: Maintained records of processing activities, risk assessments, control evidence
- Stakeholder Communication: Regular compliance reporting to client governance bodies
- Breach Notification: Defined incident response and notification procedures meeting regulatory timelines
Audit Rights & Evidence
Client contracts include audit rights provisions. We provide comprehensive evidence packages including control documentation, change logs, access logs, security configurations, backup verification records, and incident reports. Clients or their appointed auditors can review our controls, interview personnel, and inspect systems as contractually agreed.
Assurance & Evidence Packages
We provide evidence-based assurance to support client governance and fiduciary oversight:
Documentation Provided Upon Engagement
- Security Architecture Documentation: System design, network diagrams, data flow maps
- Control Matrix: Mapping of implemented controls to ISO 27001, SOC 2, NIST CSF, CIS Controls
- Risk Assessment Reports: Identified risks, likelihood, impact, mitigation strategies
- Policies & Procedures: Information security policy, incident response plan, change management procedures
- Vendor Risk Assessments: Security evaluations of sub-processors and third-party tools
Ongoing Reporting
- Quarterly Compliance Reports: Control testing results, compliance status, remediation tracking
- Incident Summaries: Security events, root cause analysis, corrective actions (anonymized across clients)
- Change Logs: Infrastructure changes, configuration updates, access modifications
- Vulnerability Reports: Scan results, penetration test findings, remediation timelines
Executive-Level Dashboards
We provide compliance dashboards tailored for board and trustee review, presenting security posture, compliance status, risk metrics, and remediation progress in governance-appropriate formats. They are designed to support fiduciary oversight and demonstrate appropriate stewardship of technology risk.
Certification Roadmap
We are actively pursuing formal third-party certifications to provide independent validation of our security and compliance practices:
- ISO/IEC 27001:2022: Target completion within 6-12 months (information security management system certification)
- SOC 2 Type II: Target completion within 12-18 months (security, confidentiality, privacy attestation)
- ISO/IEC 27701: Under consideration following ISO 27001 (privacy information management)
Transparency Commitment: We will update this page as certifications are achieved. Clients receive direct notification of certification milestones and can request audit reports upon completion.
Compliance Inquiries
For detailed compliance documentation, security questionnaires, or audit coordination:
Compliance & Security Inquiries:
Response Time: Compliance inquiries receive priority response within 2 business days
For Prospective Clients: We provide comprehensive security documentation packages during pre-engagement due diligence, including control matrices, architecture documentation, risk assessments, and policies. Request access to our vendor assessment portal for standardized security questionnaire responses.