Security Hardening: How Monospace Protects Your Data
Security is not an afterthought at Monospace — it is foundational. Today we are sharing the details of our latest security hardening release.
Encryption at Rest (AES-256-GCM)
All sensitive data is encrypted using AES-256-GCM — the same standard used by banks and governments. This covers board names, card titles, task content, notes, ticket messages, chat, subscriptions, and now purchase orders.
Webhook Signature Verification
Inbound email webhooks (Resend) now verify Svix signatures — svix-id, svix-timestamp, and svix-signature headers are checked on every request. Invalid signatures are rejected with 401.
Admin Role System
Admin checks run server-side, using the isAdmin field on the user record and a requireAdmin() helper. Admin-guarded mutations include plan changes, AI access toggles, maintenance mode, and user management.
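An added example of the pattern, not Monospace's code: the identity comes from the session layer, the isAdmin flag is read from the server-side user record, and anything the client sends in the arguments (including an isAdmin field) is ignored. The in-memory user table, the ctx shape, and the synchronous store are assumptions standing in for a real database and auth provider.

```javascript
// Added example (not Monospace's code): a server-side requireAdmin() guard.
class UnauthenticatedError extends Error {
  constructor(msg) { super(msg); this.name = "UnauthenticatedError"; this.status = 401; }
}
class ForbiddenError extends Error {
  constructor(msg) { super(msg); this.name = "ForbiddenError"; this.status = 403; }
}

// Constructed sample user table keyed by auth subject (what a verified session resolves to).
const USERS = new Map([
  ["user_alice", { id: "user_alice", isAdmin: true }],
  ["user_bob", { id: "user_bob", isAdmin: false }],
]);

// ctx.auth.subject is populated by the session layer, never by the request body.
// ctx.db is a synchronous stand-in for the server data store (assumption for the demo).
function requireAdmin(ctx) {
  const subject = ctx.auth && ctx.auth.subject;
  if (!subject) throw new UnauthenticatedError("sign in required");
  const user = ctx.db.get(subject);
  // Strict equality: a missing user, or a non-boolean "truthy" value, is not admin
  if (!user || user.isAdmin !== true) throw new ForbiddenError("admin only");
  return user;
}

// An admin-guarded mutation. args.isAdmin, if a client sends it, plays no role.
function setMaintenanceMode(ctx, args) {
  requireAdmin(ctx);
  ctx.db.settings.maintenance = Boolean(args.enabled);
  return ctx.db.settings.maintenance;
}

function makeCtx(subject) {
  return {
    auth: subject ? { subject } : null,
    db: { get: (id) => USERS.get(id) ?? null, settings: { maintenance: false } },
  };
}

// Returns the HTTP status a call would map to, for the checks below.
function attempt(ctx, args) {
  try {
    setMaintenanceMode(ctx, args);
    return 200;
  } catch (e) {
    return e.status ?? 500;
  }
}
```

The guard is called inside the mutation rather than at the UI layer, so hiding a button or editing the request does not change the outcome; a good regression test is the "non-admin who claims isAdmin in the arguments" case.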
AI Rate Limiting
Each user is limited to 30 AI messages per hour. This prevents abuse of free AI models and reduces the risk of denial-of-service.
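One way to enforce a per-user hourly cap, as an added example that is not Monospace's implementation: a sliding-window limiter keyed by user id, with an injectable clock so the behaviour at the window boundary can be tested deterministically. The in-memory Map is an assumption for the demo; a multi-instance deployment would keep the timestamps in shared storage so every server sees the same count.

```javascript
// Added example (not Monospace's code): sliding-window rate limiter, 30 per hour per user.
const AI_LIMIT = 30;
const WINDOW_MS = 60 * 60 * 1000;

class SlidingWindowLimiter {
  constructor(limit = AI_LIMIT, windowMs = WINDOW_MS) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.log = new Map(); // userId -> array of request timestamps (ms), oldest first
  }

  // Records the request if allowed. Returns { allowed, remaining, retryAfterMs }.
  check(userId, nowMs = Date.now()) {
    const cutoff = nowMs - this.windowMs;
    // Drop timestamps that have left the window; this also bounds memory per user
    const stamps = (this.log.get(userId) || []).filter((t) => t > cutoff);
    if (stamps.length >= this.limit) {
      this.log.set(userId, stamps);
      // Earliest in-window request decides when the next slot opens
      return { allowed: false, remaining: 0, retryAfterMs: stamps[0] + this.windowMs - nowMs };
    }
    stamps.push(nowMs);
    this.log.set(userId, stamps);
    return { allowed: true, remaining: this.limit - stamps.length, retryAfterMs: 0 };
  }
}

// Simulate `n` messages from one user at one-second spacing starting at t0.
// Returns how many were allowed.
function simulateBurst(limiter, userId, n, t0) {
  let allowed = 0;
  for (let i = 0; i < n; i++) {
    if (limiter.check(userId, t0 + i * 1000).allowed) allowed++;
  }
  return allowed;
}
```

The `retryAfterMs` value is what a handler would surface as a `Retry-After` header alongside the 429 response, and because the key is the authenticated user id rather than the client IP, a burst from one account cannot consume another account's quota.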
Our Security Stack
- Data at rest: AES-256-GCM
- Data in transit: TLS 1.3
- Auth: Clerk sessions
- Webhooks: Svix verification
- Admin ops: Server-side isAdmin
- AI: 30 req/hour limit
- Data residency: EU (Convex eu-west-1)
- Compliance: GDPR
For more details visit our GDPR page at monospace.page/gdpr.