🔐 Built to be trusted

Your members’ data.
Your gym’s reputation.

Security is not an afterthought bolted onto a spreadsheet-and-chat-group setup — it is built into the platform your gym runs on, explained here in plain language, and independently checked.

Where your data lives

Your gym's data is hosted in European datacenters — in France, on OVHcloud infrastructure — not shipped off to a random corner of the internet.

We take a full backup every day, automatically, and keep a copy in a second location, so a hardware failure on one machine is not a data-loss event.

How we protect accounts

You can sign in with a passkey — no password to type, phish, or forget, using the same face, fingerprint, or device unlock you already use everywhere else.

If you do use a password, it is stored in a way that even we can't read it back — a one-way scramble designed specifically to resist cracking, not a reversible format.

Optional two-factor login adds a second, one-time code on top of your password.

Every new password is automatically checked against lists of passwords already leaked in other companies' breaches, and rejected if it shows up — so you can't accidentally reuse a compromised one.

How we handle your data

It's your data. You can download a complete copy of everything we hold about you, any time, from your profile.

Deleting your account actually deletes your data — it isn't a hidden flag that quietly keeps everything in the background.

We don't run ads and we don't sell your data to anyone. There's no hidden business model here.

You control what other members can see: you can opt out of receiving messages, and you can block or report anyone who bothers you.

Crew and party content — photos, chat, plans — stays private to the people you shared it with. It is never public by default.

GDPR & Swiss law

We comply with the EU's GDPR and the revised Swiss Federal Act on Data Protection (revFADP) — the two data-protection laws that apply to us and to you.

A Data Processing Agreement (DPA) is available for gyms that need one for their own records.

Your rights to see what we hold on you, correct it, or have it erased are honoured directly in the app, not buried in an email chain — and any request is answered within the legal deadline.

Tested, not just promised

In 2026 an independent, external security firm ran a full penetration test and security audit against MonkeyGrade — the same kind of test a bank or health app would commission.

Every finding that came out of that testing has been fixed and re-checked. We don't treat a report as a to-do list that sits in a drawer.

The platform is monitored continuously, and we publish a public status page so anyone can see how it's actually running, in real time, not just take our word for it.

View our live status page →

ISO 27001 — ready, not certified

We're upfront about where we stand: MonkeyGrade is not ISO 27001 certified yet.

Our day-to-day practices already line up with what that standard expects: who can access what, a log of sensitive actions, regular backups, and a plan for handling incidents.

Formal certification is on our roadmap as we grow. We'd rather tell you exactly where we are than oversell a badge we don't have.

Questions about how we handle your data?

Tell us what you need to know — a procurement checklist, a specific policy, anything.

Need a Data Processing Agreement for your gym? Use the same form and mention "DPA" in your message.

Opens our contact form — it reaches the MonkeyGrade team directly.