Frequently Asked Questions – PPL Supplement to the DPA
1. Why are we being asked to sign this supplement?
This supplement ensures compliance with the Israeli Protection of Privacy Law, 1981 (PPL) and its Data Security Regulations. As a vendor who may process Israeli-originating personal data on monday.com’s behalf, you’re required to meet specific local data security standards.
2. We process low-risk data — why do we need to sign this?
Under Israeli law, any vendor processing monday.com’s data must sign Schedule 3. The controller is responsible for classifying the data and database shared, and for defining the appropriate security obligations.
3. Does this supplement apply to us if we don’t operate in Israel?
Yes. The supplement applies if you process personal data that originates from Israel, regardless of your physical location. The legal obligations follow the origin of the data, not the processor’s jurisdiction.
4. We already follow ISO/SOC audits — isn’t this duplicative?
That’s great — if you’re compliant with standards like ISO 27001 or SOC 2, you likely already meet many of the obligations set out in Schedule 3. However, Israeli law requires specific technical and organizational measures to be documented contractually. Certifications alone are not sufficient — the obligations must also be contractually binding.
5. We’re not a processor — we control the data.
If you act solely as a data controller (i.e., you independently determine the purposes and means of processing), the DPA and Schedule 3 may not apply. However, please confirm this in writing, and we will validate it internally.
6. Is this supplement optional?
No. This is a compliance-driven requirement. Our DPA includes a clause that permits updates necessary to reflect changes in applicable data protection laws. This supplement is part of our obligation to comply with Israeli legal standards.
7. Can we redline or negotiate the language?
The supplement has been standardized to ensure consistency and scalability across our vendor base. As such, we are not accepting redlines or customized versions at this time.
8. What are the key obligations introduced?
The supplement incorporates a new schedule (Schedule 3) which outlines technical and organizational security measures in line with Israeli Regulation 15. These are broadly consistent with international security expectations (e.g., GDPR, ISO 27001), and many vendors already meet them operationally.
9. Does this change our existing DPA?
No. The supplement is an addition to our existing DPA. All existing terms remain unchanged unless explicitly amended in our executed DPA or any amendment thereto.