Schedule 3 – PPL

Last Updated: April 24, 2025

 

SCHEDULE 3 – PPL

1.    SCOPE, APPLICATION & INTERPRETATION

1.1  Provider acknowledges that the terms set forth herein are required to ensure monday.com’s compliance with Regulation 15(a)(2) of Israel’s Protection of Privacy (Data Security) Regulations, 5777-2017, which prescribes specific contractual arrangements a Database Controller (as defined below) must establish with any external service provider engaged to perform a service that involves access to Personal Data on its behalf.

1.2  The term of the Parties’ engagement is as set forth in the Agreement, and the term of this Schedule 3 shall follow that of the DPA. The Parties agree that this Schedule 3 shall also apply retroactively to all Personal Data already Processed by Provider as of the date the DPA takes effect, including any such data made available to, transferred to, created, or received by Provider on behalf of monday.com before that date.

1.3  This Schedule 3 prevails over any conflicting terms of the Agreement or the DPA with respect to the Processing of Personal Data originating from Israel but does not otherwise modify the Agreement or the DPA, and shall be interpreted in favor of the Parties’ intent to comply with Israel’s Protection of Privacy Law 5741-1981 and the regulations promulgated thereunder (“PPL”).

2.   DEFINITIONS

For the purposes of this Schedule 3, and in addition to the capitalized terms defined elsewhere in the DPA, the following terms shall have the meanings set forth below:

2.1  “Authorized User” means any Provider Personnel authorized by Provider to access: (i) the Personal Data; (ii) the Database Systems; or (iii) information or components essential for operating or accessing the Database. “Database” means a collection of Personal Data Processed by digital means by Provider on behalf of monday.com.

2.2  “Database Controller” means the natural or legal person that, alone or jointly with others, determines the purposes of Processing Personal Data in the Database.

2.3  “Database Systems” means systems serving the Database that are important in relation to aspects of Data Security.

2.4  “Data Security” means ensuring the integrity of Personal Data or protecting Personal Data from unauthorized Processing.

2.5  “Data Security Procedure” means a written procedure that sets forth appropriate Data Security measures binding on Authorized Users, addressing at a minimum: (i) physical protection and secure surroundings; (ii) access, identification, authentication and authorization; (iii) safeguards for protecting Database Systems and ensuring information security; (iv) instructions for Authorized Users regarding data protection; (v) identification and mitigation of Data Security risks; (vi) Security Incident response based on incident severity and sensitivity of affected data; (vii) portable devices; (viii) monitoring and logging of Database access, and retention of security data; (ix) periodic Data Security audits; (x) data backup and recovery procedures; and (xi) Data Security in workforce management, development activities and developer access.

2.6  “Security Incident” means any event raising concerns about the potential unauthorized Processing of Personal Data, Processing beyond granted authorization, or a compromise of the integrity of Personal Data.

2.7  For the purposes of this Schedule 3, the following terms in the DPA or their equivalent shall be construed as follows: “Data Protection Laws” means the PPL; and “Controller” means “Database Controller”.

3.   CROSS-BORDER DATA TRANSFERS

Provider shall not transfer or permit the transfer of Personal Data originating from Israel to any recipient outside the EEA or a country subject to an Adequacy Decision of the European Commission, unless Provider has ensured that the recipient is bound by a written agreement that imposes, in substance, the same obligations as those binding Provider under this Schedule 3.

4.   IMPLEMENTATION OF DATA SECURITY OBLIGATIONS

Without limiting any provision of this Schedule 3, Provider makes the following representations and warranties:

4.1  It shall comply with all the provisions of the PPL applicable to its Processing of Personal Data hereunder;

4.2  It has established and shall maintain a Data Security Procedure, ensure that only the necessary portions of it are disclosed to its Authorized Users strictly to the extent required for the performance of their duties, and assess the need for updates to such procedure at least annually and, in any event, upon becoming aware of new technological risks affecting the Database Systems and/or a material change to such systems or Processing activities;

4.3 It shall ensure that up-to-date documentation detailing the structure and inventory of its Database Systems is securely maintained, with access restricted to Authorized Users strictly as required for their duties. This documentation shall include, at a minimum: (i) the date of its last update; (ii) infrastructure and hardware systems, software systems, data exchange interfaces, communication components, and Data Security elements; and (iii) a network diagram illustrating the connections between system components and their physical locations;

4.4  It shall conduct, at least once every eighteen (18) months, risk assessments to identify security vulnerabilities in its Database Systems and penetration tests to evaluate their resilience against internal and external threats, discuss their findings, implement corrective measures where required, and update its Data Security Procedure as necessary;

4.5 It shall hold periodic discussions (at least quarterly) regarding any Security Incidents and assess the need to update its Data Security Procedure accordingly;

4.6 It shall restrict or prohibit connections of portable devices to its Database Systems in a manner appropriate to the sensitivity of Personal Data;

4.7   It shall ensure that its Database Systems are subject to appropriate Data Security measures, including physical security with appropriate access monitoring and logging, and regular system updates;

4.8  It shall ensure that any transmission of Personal Data over a public network or the internet is conducted using industry-standard encryption methods, and that reasonable measures are used to authenticate Authorized Users accessing Personal Data remotely and to verify their authorization to perform such remote activities, including by physical authentication means under the Authorized User’s exclusive control;

4.9  It shall securely retain, for at least twenty-four (24) months, the data generated in the course of fulfilling the obligations outlined in Sections 4.5, 4.7, 4.8, 4.11, 4.12, 4.13, 4.15, 4.16 hereto, and shall back up such data in a manner that ensures its integrity and enables its restoration to its original state at any time;

4.10 It shall ensure that before granting an Authorized User access to Personal Data or modifying their access privileges, the Authorized User has received appropriate training on Provider’s obligations under this Schedule 3;

4.11 It shall maintain up-to-date documentation detailing access permissions to the Database and Database Systems for each role, as well as role-based permissions for each Authorized User, ensuring that permissions are strictly limited to those necessary for the performance of their role;

4.12 It has implemented and maintains an automated logging mechanism that: (i) records and logs access to the Personal Data and its Database Systems, including the logging of user identity, timestamp, the system component attempted to be accessed, and the outcome of access attempts (i.e., granted or denied) (collectively, “Access Logs”); (ii) retains Access Logs for at least 24 months; and (iii) detects and sends alerts to the Provider on any disabling or modification of its operation, while preventing such actions to the extent possible. Provider shall regularly review the Access Logs and document identified issues and corrective actions taken;

4.13 It shall maintain records, based on automated logging where feasible, of any Security Incidents;

4.14 It shall, to the extent reasonably practicable, maintain segregation between (a) its Database Systems enabling access to the Personal Data, and (b) other computing systems used by Provider;

4.15 It shall ensure that its Database Systems are not connected to the internet or other public networks unless appropriate safeguards are in place to protect against unauthorized access and/or malicious software capable of causing harm or disruption to computer systems, software or data;

4.16 It shall ensure that at least once every twenty-four (24) months, a qualified Data Security auditor who is not Provider’s Security Officer conducts an audit to verify Provider’s compliance with this Section 4. The audit shall include a documented assessment of the adequacy of Provider’s Data Security measures against its Data Security Procedure and obligations in this Section 4, identification of deficiencies, and recommended corrective actions. Provider shall review each audit report and assess whether updates to its Data Security Procedure are required.

5.    COMPLIANCE REPORTING

Without limiting Provider’s obligations under Section 6.3 of the DPA, or any other section relating to “Audits and Inspections” in the DPA, Provider shall report to monday.com at least annually on the manner in which it performs its obligations under this Schedule 3.

 
