Professional Services Terms
The terms and conditions of these monday.com Professional Services Terms (the “PS Terms”) including their Exhibits, are entered into by you, the Partner (“Partner”), and monday.com Ltd. (“monday.com”) and reflect the parties’ agreement with respect to the provision by Partner of Professional Services as a Certified Partner (as such terms are defined below).
The Parties hereby agree that the terms and conditions set out below shall be added as an addendum integral to the applicable agreement established between monday.com and the Partner (“Agreement”). By engaging with monday.com in the framework of the Agreement, Partner accepts these PS Terms and represents and warrants that it has full authority to bind the Partner to these PS Terms. Capitalized terms not defined herein shall have the meanings assigned to such terms in the Agreement.
In the event of any conflict between certain provisions of these PS Terms and the provisions of the Agreement, the provisions of the PS Terms shall prevail but solely with respect to the provision by Partner of Professional Services.
- Scope. monday.com hereby authorizes Partner to perform onboarding services, implementation services, consulting services, technical services and other professional services in connection with the monday.com Services for the benefit of monday.com customers, all as a Certified Partner (as defined below) and subject to the terms and conditions of these PS Terms (collectively “Professional Services”). A “Certified Partner” means a Partner that has ensured that all PS Personnel (as defined below) have successfully completed the PS Certification Program (as defined below) and remains compliant with all terms of these PS Terms throughout the duration of the term of the Agreement.
- Engagements with monday.com Customers. Partner will provide Professional Services to customers of monday.com, under a direct engagement with such monday.com customer. Any terms agreed directly between Partner and a monday.com customer will not apply to monday.com and monday.com expressly disclaims any and all liability with respect to such engagement.
- Certification. Partner’s personnel assigned by Partner to perform the Professional Services (“PS Personnel”) shall have appropriate technical and professional skills and experience to enable them to perform their duties in a professional and workmanlike manner, consistent with generally accepted industry standards for the performance of Professional Services. As a pre-requisite for performing any Professional Services as a Certified Partner, each PS Personnel shall be required to successfully complete the applicable certification program managed by monday.com related to the provision of Professional Services (“PS Certification Program”), as may be updated from time to time, before Partner authorizes such PS Personnel to perform any Professional Services and shall be required to maintain and update such certification on a continuous basis as may be required by monday.com from time to time. In the performance of the Professional Services, all PS Personnel shall observe and follow best industry standards and practices including such requirements and policies incorporated into these PS Terms, and any other reasonable policies and/or standards as communicated by monday.com to Partner from time to time related to the monday.com Services. Partner shall provide the PS Personnel with all equipment, facilities, tools, know-how and other resources required for the provision of the Professional Services, at the Partner’s sole cost and expense.
- Access to Accounts. Partner and its PS Personnel shall ensure that access to the account(s) of monday.com customers created upon the purchase of a monday.com Plan (“Account”) or to accounts customer has with third party tools shall only be permitted for the performance of Professional Services as approved by such monday.com customer and in accordance with its instructions.
- Virus & Disabling Codes. Partner and PS Personnel: (i) shall not introduce or code any virus or any unauthorized disabling code into the monday.com Services or to its customer’s network or system, any software, deliverable or otherwise as part of any of the Professional Services; and (ii) if any software or deliverables are developed, modified or changed by Partner in connection with any of the Professional Services, Partner and its PS Personnel represent and warrant such are and will be free from viruses, worms, time bombs, trojan horses, disabling programming codes or routines, cancel bots, or other such items that may threaten, infect, damage, disable or otherwise interfere with monday.com customers’ use of any system, the monday.com Services or cause harm to any data (including Personal Information).
- Use of the monday.com Service. Partner and the PS Personnel shall only be permitted to use the monday.com Services in order to provide the Professional Services and such use shall be subject to monday.com’s Terms of Service, Acceptable Use Policy and any other terms governing the use of the monday.com Services.
- Security. Partner shall maintain at least industry-standard technical and organizational measures for protection of the security (including protection against unauthorized or unlawful processing and against accidental or unlawful destruction, loss or alteration or damage, unauthorized disclosure of, or access to, any data and/or content uploaded or otherwise made available by monday.com customers to or through the monday.com Services or which is in any way accessed by Partner contained in an Account, and is processed or stored by Partner in the framework of providing Professional Services to monday.com customers (“Customer Data”). Such technical and organizational measures shall be as detailed in Appendix A which constitutes an integral part hereof. Partner shall further regularly monitor compliance with these measures and will immediately notify monday.com of any vulnerabilities, known or reasonably suspected breaches relating to their systems storing Customer Data.
- Processing of Customer Data. Partner hereby represents and warrants that within the scope of the provision of Professional Services:
8.1. Unless permitted otherwise by a monday.com customer, Partner shall not use or disclose Customer Data it processes for any purpose other than to facilitate the Professional Services in accordance with these PS Terms and to comply with customer’s reasonable and documented instructions. Partner shall retain or store Customer Data only if requested by a monday.com customer for the provision of the Professional Services and only for the minimum time required to fulfill Partner’s obligations with respect to the Professional Services. Except if authorized otherwise by a monday.com customer, Partner PS Personnel shall permanently delete all Customer Data that is in their possession immediately after such data is no longer required to facilitate the Professional Services.
8.2. It shall ensure that PS Personnel shall deactivate any assigned user on any customer Account(s) and/or cease any access to Customer Data and/or systems to which they may have been granted access to within the scope of the performance of the Professional Services, immediately after such user and access is no longer required to facilitate the Professional Services, unless authorized otherwise by a monday.com customer.
8.3. At all times implement and follow guidelines and instructions as reasonably provided by monday.com with respect to processing and securing of Customer Data.
8.4. HIPAA. To the extent that Partner will have access to Customer Data which constitutes protected health information (“PHI”) in connection with providing Professional Services, Partner shall comply with applicable laws, including the Health Insurance Portability and Accountability Act (“HIPAA”), while providing the Professional Services.
- Intellectual Property Rights
9.1. Non-Infringement & Background Intellectual Property. Partner shall ensure and undertake that the Professional Services provided by Partner and Partner’s intellectual property, will not contain any preexisting work subject to the copyright or other intellectual property or proprietary right of any third party (including, without limitation, any “creative commons”, “open source” or ‘free software’), or any modification, adaptation or use of such work which, inter alia, (i) if prepared without authorization of the owner of the copyright, intellectual property or other proprietary right in such preexisting work, would constitute an infringement of such copyright, intellectual property rights or other proprietary right, (ii) will require monday.com or a monday.com customer to publish or provide access or any other rights to, any source code, proprietary information, technology or intellectual property of monday.com, or (iii) restrict monday.com’s ability to distribute, use, or in any way exploit its products, including the monday.com Services, anywhere in the world. Without limiting the foregoing, in performing the Professional Services under these PS Terms, the Partner and PS Personnel agree, represent and warrant that each will not provide or develop any items that infringe intellectual property rights or other rights of any third party.
9.2. Rights to monday.com’s Intellectual Property. Partner may not, under any circumstances, assign or grant to monday.com customers any rights in and to the monday.com Services or any intellectual property rights of monday.com, in connection with Professional Services, and any such grant or assignment shall have no force and shall be void.
- Indemnification. In addition to any indemnification obligation under the Agreement, Partner will defend, indemnify and hold harmless monday.com, its subsidiaries, officers, employees, agents, and third parties from and against any claims, liabilities, losses, costs, damages or expenses (including attorney’s fees) arising, directly or indirectly, in connection with: (a) Partner’s acts or omissions under these PS Terms, including, without limitation, any claim of a third party resulting from Partner’s performance of Professional Services; (b) any claim of a monday.com customer with respect to a direct engagement of Partner and such monday.com customer; and (c) a third party claim, including a claim by a monday.com customer that any elements of the Professional Services infringes on a third party’s intellectual property right.
- Insurance. Partner shall obtain and maintain, during the term of the Agreement and for a period of at least one (1) year following expiration or termination thereof, at its sole cost and expense, appropriate adequate insurance, and in amounts sufficient to provide coverage of its liability arising out of its activities, related to the provision of Professional Services to monday.com customers and these PS Terms.
Appendix A
Technical and Organizational Security Measures
The following is a description of the minimum technical and organisational security measures implemented by the Partner (and its PS Personnel, if any) in accordance with the PS Terms when performing Professional Services as a Certified Partner:
1. Definitions.
All capitalized terms not otherwise defined herein shall have the meaning ascribed to them in the Agreement.
“Partner Systems” means Partner’s information systems processing Customer Data (e.g. email systems, file storage solutions).
“Customer Systems” shall mean information systems of monday.com customers to which Partner or Partner PS Personnel were granted access.
“Systems” means Partner Systems and Customer Systems collectively.
“Least Privilege” means the principle of giving a user account or process only those privileges which are essential to perform its intended function.
“Need to Know” means the principle of granting access only to the information which is necessary for one to conduct one’s official duties.
2. Conducting with Customer Data.
2.1. Allowed communications. Private channels such as WhatsApp, iMessage, or WeTransfer must not be used for processing Customer Data (e.g., transferring Customer Data to a third party or among Partner’s personnel). Instead, work-related services such as Slack, monday.com or your company email should be used.
2.2. Physical processing. Processing of Customer Data in physical form (e.g. printed documents) is prohibited.
2.3. Removable Media. Partner must not use removable media such as hard-disks, USBs and thumb drives to store or transfer Customer Data, and must not enter unfamiliar or suspicious removable media into the Systems.
2.4. Information Security Management System (“ISMS”). Partner shall implement and maintain a formal industry standard ISMS. Appropriate information security policies and procedures shall be assigned to a designated employee or team among PS Personnel and shall be reviewed at least annually or following a material change. At the very least, the designated employee or team shall be responsible for the implementation and monitoring of the organisational and technical security measures as described in the PS Terms.
2.5. Third Party Risk Management. Partner has implemented security controls designed to ensure that external parties who provide services to Partner and contribute to the delivery of the Professional Services do so in a manner consistent with the agreed security requirements set forth herein. Partner’s comprehensive third-party risk management program must be designed to ensure that external parties meet Partner’s standards through risk categorization, due diligence, contractual requirements, and ongoing monitoring and assessments.
3. Local Copies.
Customer Data may not be downloaded, screen captured or recreated by Partner and/or PS Personnel, unless required for the performance of the Professional Services as determined by a monday.com customer. If such is permitted by a monday.com customer, no local copies of Customer Data will be retained beyond the time necessary to complete the purpose for which such copies were retained, and Partner and all PS Personnel shall permanently delete such Customer Data thereafter.
4. Endpoints.
4.1. Allowed Devices. Only work-related workstations which are managed and monitored on an ongoing basis by the Partner shall be used for processing, hosting, or storing of Customer Data for the provision of any Professional Services; no personal workstations are allowed.
4.2. Updates. All workstations must be running an OS version that is at least within the last two versions.
4.3. Encryption. All workstations must be encrypted in accordance with industry standards (e.g., using FileVault 2/BitLocker).
4.4. Data in Transit. Partner shall encrypt Customer Data transferred across open networks using TLS 1.2 or higher.
4.5. Anti-malware. Workstations must be protected using a regularly updated anti-malware solution.
4.6. Screen lock and password. All workstations must be configured with lock screen timeout of no more than ten (10) minutes and be password protected.
5. Physical Protection.
5.1. Devices. Devices with access to Customer Data (e.g., laptops and mobile devices), especially when taken out of Partner’s office premises, should be securely handled. Devices must not be left unattended in public areas or inside vehicles.
5.2. Reporting of Loss or Theft. Partner must immediately notify monday.com customer regarding the loss or theft of devices which can be used to access Customer Data. Clear Desk Policy. Workstation screens must not be left open while unattended, including in Partner’s offices. Workstation screens must be locked every time they are left unattended.
5.3. Partner’s Premise. Only authorized personnel and approved visitors shall have access to Partner’s premises and information processing facilities. Appropriate physical security controls (i.e. CCTV, intrusion detection) must be in place to monitor Partner’s premises and processing facilities.
6. Access Control.
6.1. Provisioning and Deprovisioning. Partner should implement an access management program that is designed to ensure that the access to Systems is granted based on “least privilege” and “need-to-know” basis and is revoked no more than 24 hours following termination of employment or change in employment of PS Personnel. Access to the Systems should be reviewed at least twice a year to ensure that all existing access is appropriate.
6.2. User Access Review. Access to Systems which process or store Customer Data should be reviewed quarterly to ensure that all existing access is appropriate.
6.3. Credentials. Partner should enforce the following password policy on its PS Personnel:
6.3.1. Complexity. Passwords shall be at least 12 characters in length and shall contain characters from no less than three of the following four categories: uppercase letters (ABC), lowercase letters (abc), numeric (0-9) and special (!@#$%^&*).
6.3.2. Storage. Credentials should not be stored in an unsecure way, including in the browser or in paper form.
6.3.3. Rotation. Passwords must be rotated at minimum 120 days.
6.4. Identity Provider (“IdP”) and Multi-Factor Authentication (“MFA”). An organizational IdP solution shall be implemented and monitored by Partner to access Systems which store or process Customer Data. If an IdP cannot be implemented, MFA shall be enforced on such Systems.
6.5. Mobile Devices. Access by Partner to Customer Data or Account shall not be permitted under any circumstances via mobile devices, including but not limited to smartphones, thumb drives, external hard drives, tablets etc., but excluding allowed endpoints as set forth above. Smartphones that are used to access Customer Data must be protected by a PIN code or a password.
6.6. Notification to Customers. Partner must promptly, no more than 24 hours after discovery, notify in writing the monday.com customer following termination or change of employment of any of its PS Personnel or third parties who had access to Customer Data or to Systems or, due to which access is no longer required, in order to allow such customer to revoke or change such access.
7. Human Resources.
7.1. Background Checks. Partner shall carry out comprehensive screening of all its PS Personnel in accordance with industry standards and in alignment with applicable laws and regulations, prior to granting access to Customer Data.
7.2. Disciplinary Procedure. Partner shall maintain and communicate to all its PS Personnel a formal disciplinary procedure for violations of company policies and of the security measures described herein.
7.3. Confidentiality Undertakings. All of the PS Personnel should undertake a confidentiality obligation as part of their employment agreement.
7.4. Awareness and Education. Partner must periodically and on an ongoing basis, at least annually, communicate to all of its PS Personnel the security requirements set forth herein.
7.5. Termination and Wiping of Devices. In case of termination of employment, PS Personnel are responsible for returning all provided Partner’s assets, such as laptops which contain Customer Data. Partner shall also ensure that all devices containing Customer Data are wiped prior to disposal of any such devices.
7.6. Deletion. Deletion of any Customer Data should be carried out as described in the National Institute of Standards and Technology (NIST) Special Publication 800-88 for any Systems or devices storing Customer Data.
8. Notifications to monday.com. Partner must immediately notify monday.com of: (i) any activity that is not in alignment with the requirements set forth herein; (ii) any material changes which may affect Partner’s ability to align with the requirements set forth herein, including material adverse changes; (iii) breach by Partner of the requirements set forth herein; and (iv) any security incident resulting in any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data. Such notice must be sent to monday.com’s security team at securityteam@monday.com.