monday.com & Japan’s APPI

Japan’s Act on the Protection of Personal Information (APPI) regulates how personal data is handled. monday.com takes measures to support Customers in compliance with the requirements set by the Personal Information Protection Commission (PPC).

Roles and Responsibilities

The APPI distinguishes between entities based on their control over personal data:

• Personal Information Handling Business Operator (PIHBO): monday.com’s Customers generally act as the PIHBO for personal data submitted to the platform (e.g., via boards or CRM items), as they determine the purpose of use.
  monday.com acts as a PIHBO in some contexts, for example, over Customer account and billing information, and website visitor and lead information, as further described in our Privacy Policy.
• Entrusted Service Provider (Processor): monday.com acts as an entrusted service provider (processor) when processing personal data on behalf of our Customers to provide our services, acting strictly under the Customer’s instructions.

What steps has monday.com taken to support compliance with the requirements of the APPI?

We regularly review our practices to support compliance with the APPI and PPC guidelines:

• International transfers and adequacy: We rely on the mutual adequacy arrangement between the EU and Japan, which recognizes that both regions provide an equivalent level of protection. This allows the seamless and secure flow of personal data between these jurisdictions without the need for additional individual contracts.
• Mandatory Breach Notification: In accordance with the APPI, we have established protocols to support our Customers to notify the PPC and affected individuals in the event of a data breach that meets statutory thresholds.
• Security controls: We implement systematic, human, physical, and technical security control measures as recommended by PPC guidelines. These are validated through our annual external audits for SOC 2 Type II security certification from the American Institute of Certified Public Accountants (AICPA), ISO 27001 ISMS (information security management system) and ISO 27018 (for protecting personal data in the cloud).
• Transparency and purpose use: Through our Privacy Policy and Job Candidate Privacy Notice, we provide clear and easily accessible information regarding the purposes for which we collect, use, and disclose personal data.
• Individual rights support: We provide self-service tools that support our Customers in responding to requests for disclosure, correction, or cessation of use, ensuring that Japanese data subjects can easily exercise their rights under the APPI.
• Legal and contractual controls: We have robust agreements in place to ensure the protection of Customer personal information. We have similar agreements in place with our third-party vendors that process personal information on our behalf.
• Privacy support: We have internal as well as external dedicated privacy teams for monitoring and ensuring that personal information processed by monday.com is protected.

If you have any questions concerning monday.com’s privacy program, please feel free to contact our Data Protection Officer at [email protected].