monday.com Developer Storage – Data Processing Addendum (DPA)
This Data Processing Addendum (“DPA”) is incorporated by reference into monday.com’s Developer Terms, the Marketplace Listing Terms, monday code Beta Terms and Conditions and/or any other terms that may apply (“Agreement”), entered by and between you, the Developer (as defined in the Agreement) (collectively, “you”, “your”, “Developer”), and monday.com Ltd. (“monday.com”, “us”, “we”, “our”) to reflect the parties’ agreement with regard to the Processing of End User Personal Data (as such terms are defined below) by monday.com solely on behalf of the Developer. Both parties shall be referred to as the “Parties” and each, a “Party”.
Capitalized terms not defined herein shall have the meanings assigned to such terms in the Agreement.
The parties agree this DPA replaces and supersedes any existing data protection terms that may have previously been entered into between monday.com and Developer. In the event of any conflict between certain provisions of this DPA and the provisions of the Agreement, the provisions of this DPA shall prevail over the conflicting provisions of the Agreement solely with respect to the Processing of End User Personal Data.
1. DEFINITIONS
a. “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control”, for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
b. The terms “Data Subject”, “Controller”, “Member State”, “Processing” and “Supervisory Authority” shall have the same meaning as in the GDPR. The terms “Business”, “Business Purpose”, “Consumer” and “Service Provider” shall have the same meaning as in the CCPA.
For the purpose of clarity, within this DPA “Controller” shall also mean “Business”, and “Processor” shall also mean “Service Provider”, to the extent that the CCPA applies. In the same manner, Processor’s Sub-processor shall also refer to the concept of Service Provider.
c. “CCPA” means the California Consumer Privacy Act of 2018, Cal. Civ. Code §§ 1798.100 et seq., and its implementing regulations, as may be amended from time to time.
d. “Data Protection Laws” means all applicable and binding privacy and data protection laws and regulations, including those of the European Union, the European Economic Area and their Member States, Switzerland, the United Kingdom, Canada, Israel and the United States of America, including the GDPR, the UK GDPR, and the CCPA, applicable to, and in effect at the time of, the Processing of End User Personal Data hereunder.
e. “Developer” has the meaning given to it in the Agreement.
f. “Data Subject” means the identified or identifiable person to whom the Personal Data relates.
g. “End User” means individuals interacting with a Developer’s App.
h. “End User Personal Data” means Personal Data in relation to End Users (as such term is defined in the Agreement), that monday.com Processes as a Processor on behalf of the Developer by way of End User’s usage of the Developer’s App.
i. “GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
j. “Personal Data” or “Personal Information” means any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, to or with an identified or identifiable natural person or Consumer.
k. “monday Developer Storage” means monday.com’s apps infrastructure that allows Developers to host and deploy Apps, including but not limited to, through the usage of monday.storage and monday code.
l. “Sensitive Data” means Personal Data that is protected under a special legislation and requires unique treatment, such as “special categories of data”, “sensitive data” or other materially similar terms under applicable Data Protection Laws, which may include any of the following: (a) social security number, tax file number, passport number, driver’s license number, or similar identifier (or any portion thereof); (b) financial or credit information, credit or debit card number; (c) information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data or biometric data for the purpose of uniquely identifying a natural person, data concerning a person’s health, sex life or sexual orientation, or data relating to criminal convictions and offenses; (d) Personal Data relating to children; and/or (e) account passwords in unhashed form.
m. “Standard Contractual Clauses” means (a) in respect of transfers of End User Personal Data subject to the GDPR, the Standard Contractual Clauses between controllers and processors (located here), and between processors and processors (located here), as approved by the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, including all Annexes I, II and V thereto, (“EU SCCs”), (b) in respect of transfers of End User Personal Data subject to the UK GDPR, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses of 21 March 2022 (version B.1.0), as incorporated into the EU SCCs through Annex III thereto (“UK Addendum”); and (c) in respect of transfers subject to the Federal Act on Data Protection (FADP – as revised as of 25 September 2020), the terms set forth in Annex IV of the EU SCCs (“Switzerland Addendum”).
n. “Sub-processor” means any third party that carries out specific Processing activities of End User Personal Data under the instruction of monday.com.
o. “UK GDPR” means the Data Protection Act 2018, as well as the GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (SI 2019/419).
2. PROCESSING OF END USER PERSONAL DATA
2.1 Roles of the Parties. The Parties acknowledge and agree that with regard to the Processing of End User Personal Data solely by monday.com on behalf of Developer: (a) Developer is the Controller or Processor of End User Personal Data and (b) monday.com is the Processor or Sub-processor of such End User Personal Data (in which case, Developer either acts as a Controller or Processor respectively in regards to End User Personal Data).
2.2 Developer’s Obligations. Developer is responsible for determining whether monday Developer Storage is appropriate and suitable for the hosting and Processing of End User Personal Data under Data Protection Laws. Developer, in its use of monday Developer Storage, and Developer’s instructions to monday.com, shall comply with Data Protection Laws, the Agreement and this DPA. Developer shall establish and have any and all required legal bases (including consents as appropriate) in order to authorize and instruct monday.com to Process End User Personal Data pursuant to the Agreement on Developer’s behalf. Developer shall promptly notify monday.com if it is unable to comply with its obligations under Data Protection Laws or its instructions could cause monday.com to be in breach of Data Protection Law.
2.3 monday.com Processing of End User Personal Data. monday.com shall Process End User Personal Data for the following purposes: (a) in accordance with the Agreement and this DPA; (b) in connection with its provision of monday Developer Storage, including for facilitating, maintaining, and improving monday Developer Storage; (c) to comply with Developer’s reasonable and documented instructions, where such instructions are consistent with the terms of the Agreement and this DPA, and regard the manner in which the Processing shall be performed; (d) to share End User Personal Data with, or receive End User Personal Data from, third parties in connection with Developer’s instructions and/or pursuant to Developer’s use of monday Developer Storage (i.e. by way of integrations and other services as configured by Developer); and (e) as required under the laws applicable to monday.com, and/or as required by a court of competent jurisdiction or other competent governmental or semi-governmental authority, provided that monday.com shall inform Developer of the legal requirement before Processing, unless such law or order prohibits disclosing such information.
monday.com shall inform Developer without undue delay if, in monday.com’s reasonable opinion, an instruction for the Processing of End User Personal Data given by Developer infringes applicable Data Protection Laws, unless monday.com is prohibited from notifying Developer under applicable Data Protection Laws. It is hereby clarified that monday.com has no obligation to assess whether instructions by Developer infringe any Data Protection Laws.
2.4 Details of Processing. The subject-matter of Processing of End User Personal Data by monday.com is the provision of monday Developer Storage pursuant to the Agreement and this DPA, including providing hosting and computing services in connection with monday Developer Storage. The details relating to the duration, nature and purpose, types of Personal Data and categories of Data Subjects Processed under this DPA are further specified in Schedule 1 (Details of Processing) to this DPA.
2.5 Sensitive Data. The Parties agree that monday Developer Storage is not intended for the hosting and Processing of Sensitive Data, and that if Developer wishes to allow End Users to submit Sensitive Data to its App, Developer must first obtain the End User’s explicit prior written consent – or other valid legal basis as appropriate under Data Protection Law. Prior to allowing Sensitive Data to be submitted by Developer’s App, it shall provide notice to monday.com and enter into any additional agreements as may be required by monday.com. In the case the Developer fails to provide notice to monday.com of the Processing of Sensitive Data on the App, monday.com shall be entitled to terminate this DPA and remove the App from the Marketplace.
2.6 CCPA Standard of Care; No Sale or Sharing of Personal Information. To the extent End User Personal Data includes Personal Information under CCPA, monday.com acknowledges and confirms that it does not receive or process any Personal Information as consideration for any services or other items that monday.com provides to Developer under the Agreement or this DPA. monday.com certifies that it understands the rules, requirements and definitions of the CCPA and agrees to refrain from selling or sharing (as such terms are defined in the CCPA) any Personal Information Processed hereunder, without Developer’s prior written consent or instruction, nor take any action that would cause any transfer of Personal Information to or from monday.com, under the Agreement or this DPA to qualify as “selling” and/or “sharing” such Personal Information under the CCPA. monday.com acknowledges that Developer discloses Personal Information to monday.com only for limited and specified purposes set out in this DPA and the Agreement. monday.com shall process all Personal Information only (i) for such limited and specific purpose(s); and (ii) in compliance with applicable sections of the CCPA. monday.com shall not (i) retain, use, or disclose Personal Information outside the direct business relationship of the Parties, as described in the Agreement, or for any business or commercial purpose other than for the specific business purpose of performing the Services or as otherwise permitted by the CCPA, the Agreement and/or this DPA, nor (ii) combine Personal Information with personal information monday.com processes on behalf of other parties unless expressly permitted under the CCPA, its implementing regulations and the Agreement between the Parties. monday.com further acknowledges that Developer has the right, upon notice, to take reasonable and appropriate steps to stop and remediate any unauthorized use of Personal Information by monday.com. 
monday.com shall notify Developer if monday.com makes a determination that it can no longer meet its obligations under the CCPA.
3. END USER REQUESTS
Taking into consideration the nature of Processing and without derogating from the Agreement, monday.com shall – insofar as this is possible and reasonable – enable Developer (at Developer’s expense) to respond to an End User’s request to exercise their rights (to the extent available to them under Data Protection Laws) of access, to rectification, restriction of Processing, erasure, data portability, objection to the Processing, not to be subject to automated individual decision making, to opt-out of the sale of Personal Information, or the right not to be discriminated against (“End User Request”). If monday.com were to receive a direct End User Request, monday.com shall notify Developer or refer End User to Developer for the treatment of such request.
4. CONFIDENTIALITY
monday.com shall ensure that its personnel and contractors engaged in the Processing of End User Personal Data have committed themselves to confidentiality or are otherwise under a statutory obligation of confidentiality.
5. SUB-PROCESSORS
5.1 Appointment of Sub-processors.
Developer acknowledges and agrees that (a) monday.com Affiliates may be engaged as Sub-processors; and (b) monday.com may each engage third party Sub-processors in connection with the provision of the Services.
5.2 List of Current Sub-processors and Notification of New Sub-processors.
5.2.1 As of the Effective Date, Developer hereby grants monday.com general written authorization to engage the Sub-processors as listed in Schedule 2 to this DPA.
5.2.2 In the case monday.com wishes to replace an existing or engage a new Sub-processor, monday.com shall provide written notice to Developer before such Sub-processor first Processes End User Personal Data.
5.3. Developer may reasonably object to monday.com’s use of a new or replacement of a Sub-processor, for reasons relating to the protection of End User Data intended to be Processed by such Sub-processor. Such objection must be submitted promptly by notifying monday.com in writing to privacy@monday.com within seven (7) days following publication of a new Sub-processor Notice, in which Developer shall detail the reasons for the objection to using such new Sub-processor. Where Developer has not objected within such seven (7) day period in the manner described above, the use of the new Sub-Processor shall be deemed accepted by Developer. In the event that Developer reasonably objects to a new Sub-processor, as permitted in the preceding sentences, monday.com will use reasonable efforts to propose a resolution. If monday.com is unable to make available such a resolution within thirty (30) days following receipt of the objection, Developer may, as a sole remedy, terminate the Agreement and this DPA by providing written notice to Processor. Developer will have no further claims against monday.com due to the termination of the Agreement (including, without limitation, requesting refunds) and/or the DPA in the situation described in this paragraph.
5.4 Agreements with Sub-processors. monday.com has entered into a written agreement with each existing Sub-processor, and shall enter into a written agreement with each new Sub-processor, containing the same or materially similar data protection obligations as set out in this DPA, in particular obligations to implement appropriate technical and organizational measures in such a manner that the Processing will meet the requirements of the GDPR. Where a Sub-processor fails to fulfill its data protection obligations concerning its Processing of End User Personal Data, monday.com shall remain responsible to the Developer for the performance of the Sub-processor’s obligations.
6. SECURITY & AUDITS
6.1 Controls for the Protection of End User Personal Data. Developer (as further described in the Agreement) and monday.com shall maintain appropriate industry-standard technical and organizational measures for protection of End User Personal Data (including measures against unauthorized or unlawful Processing and against accidental or unlawful destruction, loss or alteration or damage, unauthorized disclosure of, or access to, End User Personal Data, confidentiality and integrity of End User Personal Data). Upon Developer’s reasonable request, monday.com will reasonably assist Developer, at Developer’s cost and subject to the provisions of Section 11.1 below, in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR taking into account the nature of the Processing and the information available to Processor.
6.2 Audits. Upon Developer’s 45 days prior written request at reasonable intervals (but no more than once every 12 months), and subject to strict confidentiality undertakings by Developer, monday.com shall provide written responses and such other information necessary to demonstrate compliance with this DPA. monday.com may satisfy its obligations under this section by answering Developer’s questionnaire-based audits. Any information provided to Developer shall only be used by Developer to assess monday.com’s compliance with this DPA, and shall not be used for any other purpose or disclosed to any third party without monday.com’s prior written approval.
7. DATA INCIDENT MANAGEMENT AND NOTIFICATION
7.1 monday.com shall notify Developer without undue delay after becoming aware of the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to End User Personal Data Processed by monday.com on behalf of the Developer (a “Data Incident”). monday.com shall make reasonable efforts to identify and take those steps as monday.com deems necessary and reasonably designed to remediate and/or mitigate the cause of such Data Incident to the extent the remediation and/or mitigation is within monday.com’s reasonable control. The obligations herein shall not apply to Data Incidents that are caused by Developer, its End Users or anyone who uses monday Developer Storage on Developer’s behalf. monday.com’s notification of, or any remediation steps taken by monday.com in connection with a Data Incident, shall not be construed as acknowledgement of liability with respect to the Security Incident.
7.2 Developer will not make, disclose, release or publish any finding, admission of liability, communication, notice, press release or report concerning any Data Incident which directly or indirectly identifies monday.com (including in any legal proceeding or in any notification to regulatory or supervisory authorities or affected individuals) without monday.com’s prior written approval, unless, and solely to the extent that, Developer is compelled to do so pursuant to applicable Data Protection Laws. In the latter case, unless prohibited by such laws, Developer shall provide monday.com with reasonable prior written notice to provide monday.com with the opportunity to object to such disclosure and in any case, Developer will limit the disclosure to the minimum scope required by such laws.
8. RETURN AND DELETION OF END USER PERSONAL DATA
Following termination of the Agreement and cessation of the provision of monday Developer Storage, at the choice of Developer or at the instruction of End User, monday.com will delete all End User Personal Data it Processes on behalf of the Developer in the manner described in the Agreement, unless laws applicable to monday.com require or permit otherwise.
9. CROSS-BORDER DATA TRANSFERS
9.1 Transfers from the EEA, Switzerland and the United Kingdom to countries that offer an adequate level of data protection. If Developer (as “data exporter”) transfers End User Personal Data to monday.com (as “data importer”) from EU Member States and Norway, Iceland and Liechtenstein (collectively, “EEA”), Switzerland and the United Kingdom (“UK”) to countries that offer an adequate level of data protection under or pursuant to the adequacy decisions published by the relevant authorities of the EEA, Switzerland, and/or the UK as relevant (“Adequacy Decisions”), as applicable, no further safeguards are necessary.
9.2 Transfers from the EEA, Switzerland and the United Kingdom to other countries. If the Developer (as “data exporter”) transfers End User Personal Data to monday.com (as “data importer”):
(i) from the EEA to other countries which have not been subject to a relevant Adequacy Decision, and such transfers are not performed through an alternative compliance mechanism recognized by Data Protection Laws (as may be adopted by monday.com in its own discretion) (“EEA Transfer”), the terms set forth in the EU SCCs shall apply;
(ii) from the UK to other countries which have not been subject to a relevant Adequacy Decision, and such transfers are not performed through an alternative compliance mechanism recognized by Data Protection Laws (as may be adopted by monday.com in its own discretion) (“UK Transfer”), the terms set forth in the UK Addendum shall apply;
(iii) from Switzerland to other countries which have not been subject to a relevant Adequacy Decision, and such transfers are not performed through an alternative compliance mechanism recognized by Data Protection Laws (as may be adopted by monday.com in its own discretion) (“Switzerland Transfer”), the terms set forth in the Switzerland Addendum shall apply;
9.3 Transfers from other countries: If the Processing of End User Personal Data by monday.com includes a transfer of End User Personal Data by and/or mandated by Developer to monday.com from any other jurisdiction which mandates a particular compliance mechanism for the lawful transfer of such data be established, Developer shall notify monday.com of such applicable requirements, and the Parties may seek to make any necessary amendments to this DPA in accordance with provisions of Section 11.2 below.
11. OTHER PROVISIONS
11.1 Data Protection Impact Assessment and Prior Consultation. Upon Developer’s reasonable request, monday.com shall provide Developer, at Developer’s cost, with reasonable cooperation and assistance needed to fulfill Developer’s obligation under the GDPR or the UK GDPR (as applicable) to carry out a data protection impact assessment related to Developer’s use of the monday code, to the extent Developer does not otherwise have access to the relevant information, and to the extent such information is available to Developer. Developer shall provide, at Developer’s cost, reasonable assistance to Developer in the cooperation or prior consultation with the Supervisory Authority in the performance of its tasks relating to this Section 11.1, to the extent required under the GDPR or the UK GDPR, as applicable.
11.2 Modifications. Each Party may by at least forty-five (45) calendar days prior written notice to the other Party, request in writing any variations to this DPA if they are required as a result of any change in applicable Data Protection Laws to allow Processing of Developer End User Personal Data to be made (or continue to be made) without breach of such Data Protection Laws. Pursuant to such notice the Parties shall use commercially reasonable efforts to accommodate such required modification, and negotiate in good faith with a view to agreeing and implementing those or alternative variations designed to address the requirements under applicable Data Protection Law as identified in Developer’s or monday.com’s notice as soon as is reasonably practicable. In addition, monday.com may amend this DPA from time to time without notice, provided that such changes are not adverse in any material aspect with respect to the Developer’s rights or monday.com’s obligations (i.e. error and typos fixing, making technical adjustments or for any other reasons as monday.com deems necessary). For clarity, if monday.com makes any material adverse change to Developer’s rights or monday.com’s obligations, Processor will notify Developer by sending an email.
SCHEDULE 1 – DETAILS OF THE PROCESSING
Nature and Purpose of Processing
1. Providing monday Developer Storage to Developer, including for facilitating, maintaining, and improving monday Developer Storage;
2. Performing the Agreement, this DPA and/or other contracts executed by and between the Parties;
3. Acting upon Developer’s instructions, where such instructions are consistent with the terms of the Agreement;
4. Sharing End User Personal Data with, or receiving End User Personal Data from, third parties in connection with Developer’s instructions and/or pursuant to Developer’s use of monday Developer Storage (i.e. by way of integrations and other services as configured by Developer);
5. Complying with applicable laws and regulations;
6. All tasks related to any of the above.
Duration of Processing
Subject to any section of the DPA and/or the Agreement dealing with the duration of the Processing and the consequences of the expiration or termination thereof, monday.com will Process End User Personal Data for the duration of the Agreement and as long as Developer hosts and deploys Apps on monday.com’s Developer Storage, unless otherwise agreed upon in writing.
Type of Personal Data
Any Personal Data provided related to End Users, or at the instructions of Developer, provided to monday.com (or at the instructions of Developer), that is submitted to and hosted on monday Developer Storage.
No Sensitive Data shall be submitted to monday Developer Storage.
Categories of Data Subjects
Developer’s End Users.
Schedule 2 – monday code Sub-processors
Sub-processor | Type of Service | Hosting Region | Transfer Mechanism |
Amazon Web Services, Inc | Cloud computing provider: Hosts all End User Personal Data that is submitted to the Developer’s App as hosted and deployed on monday Developer Storage | United States | SCC |
Google LLC (Google Cloud Provider) | Cloud computing provider: Hosts secrets and technical components to run Developer’s Apps on monday code | United States | SCC |