monday.com & Canada’s PIPEDA

Last Updated: May 11, 2026

The Personal Information Protection and Electronic Documents Act (PIPEDA) applies to the processing of personal data by private-sector organizations in Canada. monday.com’s privacy program is designed to help Customers meet and exceed these standards.

Roles and Responsibilities

Under PIPEDA, the responsibility for protecting personal information rests with the organization that has the information under its “control”.

  • Organization (Customer): monday.com’s Customers are generally considered the organization in control of the personal information submitted to the platform (e.g., via boards, workdocs, or CRM items).
    monday.com acts as an organization in control in some contexts, for example, over Customer account and billing information, and website visitor and lead information, as further described in our Privacy Policy.

  • Service Provider (monday.com): monday.com acts as a service provider (processor) when handling Customer data to provide our services, processing information solely under the instructions of our Customers.

What steps has monday.com taken to support compliance with PIPEDA requirements?

Our robust privacy program is built on the ten core principles of PIPEDA, including accountability, identifying purposes, and limiting collection.

monday.com has taken the following steps to support compliance with PIPEDA requirements:

  • Transparency: We ensure transparency through easily accessible notices, including our Privacy Policy.
  • International data transfers: We ensure that personal information remains protected when transferred across borders. We use robust contractual undertakings to ensure that any third party processing data on our behalf provides a level of protection comparable to that required under PIPEDA.
  • Mandatory Breach Notification: We have robust procedures to assess and handle security incidents. In compliance with PIPEDA’s mandatory reporting requirements, we maintain records of all breaches and have processes to assist our Customers in notifying the Office of the Privacy Commissioner and affected individuals if an incident creates a “real risk of significant harm”.
  • Individual access and accuracy: Our platform includes built-in self-service tools that allow users to access, rectify, and challenge the accuracy of their data, supporting the right to correction and portability.
  • Global Security Certifications: To safeguard personal information against loss or unauthorized access, we undergo annual external audits for SOC 2 Type II security certification from the American Institute of Certified Public Accountants (AICPA), ISO 27001 ISMS (information security management system) and ISO 27018 (for protecting personal data in the cloud).
  • Legal and contractual controls: We have robust agreements in place to ensure the protection of Customer personal information. We have similar agreements in place with our third-party vendors that process personal information on our behalf.
  • Privacy support: We have internal as well as external dedicated privacy teams for monitoring and ensuring that personal information processed by monday.com is protected. 

If you have any questions concerning monday.com’s privacy program, please feel free to contact our Data Protection Officer and privacy team at [email protected]
