monday.com & the GDPR and UK GDPR

Last Updated: May 11, 2026

At monday.com, our Customers’ success and the protection of their data are very important to us. With customers all over the world, we are committed to supporting our Customers’ compliance with local privacy and data protection laws.

As an organization offering services to, and processing the personal data of, individuals in the European Economic Area (EEA), Switzerland and the United Kingdom (UK), monday.com has developed a robust privacy program designed to support compliance with the requirements of European data protection laws, including the General Data Protection Regulation (GDPR).

Following Brexit, the GDPR was incorporated into local UK law, creating what is known as the “UK GDPR”. Currently, the UK GDPR contains similar requirements to the EU GDPR. When we refer to “the GDPR” we are referring both to the EU GDPR and to the UK GDPR.

Roles and Responsibilities

The GDPR defines two central roles for the processing of personal data: the “Data Controller” and “Data Processor”.

  • Data Controller: the entity that determines the purposes and means for the processing of personal data.
    monday.com’s Customers are generally the Controllers of personal data submitted to the platform (e.g., via boards, workdocs, or CRM items).
    monday.com acts as a Controller in some contexts, for example, over Customer account and billing information, technical usage data, and website visitor and lead information, as further described in our Privacy Policy.

  • Data Processor: the entity that processes personal data on behalf of the Controller. monday.com serves as the Processor over personal data submitted onto the platform (e.g., via boards, workdocs, or CRM items), and processes the data under the instruction of the Controller (i.e. the Customer). Where monday.com engages third parties to process such personal data on its behalf, these third parties are considered monday.com’s subprocessors.

For a more detailed breakdown of these roles and our obligations, please refer to our Terms of Service, Privacy Policy and Data Processing Addendum.

What steps has monday.com taken to support compliance with GDPR requirements?

At monday.com, we regularly monitor and review our practices to support compliance with GDPR requirements, including:

  • EU data residency: We operate a dedicated data region in the EU. Customer accounts hosted in the EU region benefit from EU residency, ensuring alignment with data sovereignty preferences.
  • Global certifications: We undergo annual external audits for SOC 2 Type II security certification from the American Institute of Certified Public Accountants (AICPA), ISO 27001 ISMS (information security management system) and ISO 27018 (for protecting personal data in the cloud).
  • Transparency: We ensure transparency around the collection, use and disclosure of personal data through easily accessible notices, including via our Privacy Policy and Job Candidate Privacy Notice.
  • Legal and contractual controls: We have a robust Data Processing Addendum (DPA) for Customers in place to ensure the protection of personal data. Such DPAs allow us to perform our role as a data Processor for our Customers, and similar DPAs allow the same when we engage with sub-processors.
  • Data Subject Rights: We provide tools and functionality designed to support Customers in responding to data subject requests to exercise their privacy rights (e.g., correction, deletion, portability), and have a process in place to respond to data subject requests where we act as the Controller of such data.
  • DPO & representative: We have designated a representative in the EU, and appointed a Data Protection Officer (DPO) for monitoring and advising on monday.com’s ongoing privacy and data protection compliance and serving as a point of contact in relation to data protection and privacy matters for individuals and supervisory authorities.

Data transfers subject to the GDPR

Various monday.com subsidiaries are located in jurisdictions considered as affording an “adequate” level of protection for personal data by the relevant decision-makers in the EEA, UK and Switzerland, respectively. Accordingly, transfers of personal data between these regions and to subsidiaries in Israel, Japan and Brazil (from EEA only), are done in reliance on this “adequacy” status as a lawful transfer mechanism, without the need for additional safeguards.

monday.com’s US subsidiary, monday.com, Inc., has been certified under the US Department of Commerce’s Data Privacy Framework (DPF) to receive data transfers from the EEA, UK or Switzerland to the US. Transfers from the EEA, UK and Switzerland to our US subsidiary, monday.com, Inc., are made primarily in reliance on such certification under this Framework.

To the extent we transfer personal data originating from the EEA, the UK or Switzerland to countries that have not been recognized as offering an adequate level of data protection by the relevant competent authority, we rely on, and build into our relevant agreements, appropriate trans-border data transfer mechanisms as established under applicable law, such as the standard contractual clauses (which can be found here and here). In addition to the protections provided by the SCCs, we supplement our contractual obligations with additional safeguards aimed at strengthening the rights and freedoms of data subjects beyond those granted by the SCCs, and have additional clauses in our contracts with Customers and vendors that aim to protect Customer personal data from being transferred in the event of governmental requests to surveil or otherwise gain access to such data.

We also conduct Transfer Impact Assessments (TIAs) to supplement our reliance on SCCs and the Data Privacy Framework, ensuring that the legal protections of the EEA/UK follow the data regardless of its physical location.

If you have any questions concerning monday.com’s privacy program, please feel free to contact our Data Protection Officer at [email protected].
