Technical and Organizational Security Measures
The following is a description of the technical and organizational security measures (“TOMS”) which must be implemented by Partner (and its Sub-Processors (as such term is defined in the Data Processing Agreement incorporated into the Project PS Terms, i.e. the “DPA”), if any) in accordance with the Project Professional Services Terms and Conditions (“Project PS Terms”), the Services Subcontracting Program incorporated therein (“Services Program”) and the Channel Partner Program Terms and Conditions (“CP Terms”). These TOMS are for the protection of monday.com’s Confidential Information and Customer Data, including its confidentiality and integrity, as may be amended from time to time and as applicable to Partner’s Subcontracting Tier (as such term is defined in the Project PS Terms) in order to provide Project Customers with Project Professional Services. These TOMS shall be utilized by Partner and are applicable to monday.com’s Confidential Information and Customer Data stored, hosted or processed by Partner. These TOMS shall also serve as Annex II of the Standard Contractual Clauses, containing the minimum technical and organisational security measures implemented by the data importer.
The relevant TOMS for each Subcontracting Tier are listed below under each designated security tier (each a “Security Tier”). For the avoidance of doubt, the security measures detailed under Security Tier 1 shall apply to all types of Project Professional Services under all Subcontracting Tiers as detailed in the Services Program. The security requirements detailed under Security Tier 2 shall supplement the security measures detailed under Security Tier 1.
A. Interpretation
All capitalized terms not otherwise defined herein shall have the meaning ascribed to them in the Standard Contractual Clauses or Project PS Terms.
1. “Partner Systems” means Partner’s information systems processing Customer Data and monday.com Confidential Information (e.g. email systems, file storage solutions).
2. “monday.com Systems” means monday.com’s information systems to which monday.com has granted Partner or Partner Project Personnel access.
3. “Customers’ Systems” shall mean Project Customer’s information systems to which Partner or Partner Project Personnel were granted access.
4. “Systems” means Partner Systems, monday.com Systems and Customer’s Systems collectively.
5. “Customer Data” has the meaning under the Project PS Terms.
6. “monday.com’s Confidential Information” has the meaning under the CP Terms.
7. “Least Privilege” means the principle of giving a user account or process only those privileges which are essential to perform its intended function.
8. “Need to Know” means the principle of granting access only to the information which is necessary for one to conduct one’s official duties.
B. Security Tier 1
Below are the basic security measures Partner and its certified Project PS Personnel authorized to provide Project Professional Services must implement and maintain in order to participate in the Services Program and to provide all types of Project Professional Services under all Subcontracting Tiers.
1. Physical Processing. Processing of monday.com Confidential Information and Customer Data in physical form (e.g. printed documents) is prohibited.
2. Removable Media. Partner must not use removable media such as external hard disks, USB drives and thumb drives to store or transfer monday.com Confidential Information and Customer Data, and must not connect unfamiliar or suspicious removable media to the Systems or to a workstation which contains monday.com Confidential Information or Customer Data.
3. Information Security Management System (“ISMS”). Partner shall implement and maintain a formal industry standard ISMS, such as detailed in ISO/IEC 27001:2022. Appropriate information security policies and procedures shall be assigned to a designated employee or team among Partner Personnel, including Partner Project Personnel and shall be reviewed at least annually and following a material change. Partner’s designated employee or team shall be responsible for the implementation and monitoring of the organisational and technical security measures as described in the CP Terms and the PS Addendum.
4. Third Parties and Tools
4.1. Allowed Communications. Partner is required to adhere to strict security protocols when engaging with third-party services and tools in the delivery of Project Professional Services. All communications involving monday.com Confidential Information and Customer Data must be conducted through work-related channels that are approved and centrally managed by Partner, such as Slack, monday.com, or company email. The use of private communication channels like WhatsApp, iMessage, or WeTransfer for these purposes is strictly prohibited.
4.2. Third Party Risk Management. Partner must implement a comprehensive third-party risk management program to ensure that all external parties providing services align with the agreed security requirements set forth herein. This program should include risk categorization, due diligence, contractual obligations, and ongoing monitoring and assessments to maintain high security standards.
4.3. Third Party Tools. Project PS Personnel are restricted from using unauthorized third-party products or tools, which are not approved and centrally managed by Partner in accordance with their third party risk management policy, which must be provided by the Partner at its own expense. Additionally, Partner may utilize the monday.com Services and other designated third-party platforms, such as Salesforce, as provided by monday.com in accordance with monday.com’s instructions and access policies.
5. Encryption
5.1. All workstations must be encrypted in accordance with industry standards (e.g., using FileVault 2/BitLocker).
5.2. Partner encrypts all Customer Data transferred across open networks using TLS 1.2 at minimum.
6. Endpoints
6.1. Allowed Devices. Only work-related workstations which are managed and monitored on an ongoing basis by the Partner shall be used for processing, hosting, or storing of Customer Data and monday.com’s Confidential Information for the provision of any Project Professional Services; no personal workstations or devices are allowed.
6.2. All workstations must be running an operating system (OS) version that is within the two most recent released versions.
6.3. All workstations must be protected using a regularly updated anti-malware solution.
6.4. All workstations must be configured with a lock screen timeout of no more than ten (10) minutes and be password protected.
7. Physical Protection
7.1. Devices. Devices with access to monday.com Confidential Information and Customer Data (e.g., laptops and mobile devices), especially when taken out of Partner’s office premises, must be securely handled. For example, devices must not be left unattended in public areas or inside vehicles.
7.2. Clear Desk Policy. Workstation screens must not be left open while unattended, including in Partner’s office premises. Workstation screens must be locked every time they are left unattended.
7.3. Partner’s Premise. Only authorized personnel and approved visitors shall have access to Partner’s premises and information processing facilities. Appropriate physical security controls (i.e. CCTV, intrusion detection, security guard) must be in place to monitor Partner’s premises and processing facilities.
8. Customer Data
8.1. Local Copies. Customer Data must not be downloaded, transferred, screen captured or recreated by Partner and/or Partner Project Personnel, unless required for the performance of the Project Professional Services under a specific Project as instructed in writing by monday.com. If such is permitted by monday.com for a specific Project, no local copies of Customer Data will be retained beyond the time necessary to complete the purpose for which such copies were retained, and Partner and all Partner Project Personnel shall permanently delete such Customer Data thereafter. If requested by monday.com, Partner shall provide an attestation of such deletion.
8.2. Transferring Customer Data shall only be done in accordance with the “Least Privilege” and “Need to Know” principles, for the minimum amount of time necessary, over encrypted channels and only by using communication systems approved by monday.com in writing.
9. Audits
9.1. monday.com’s right to audit Partner under Section 6.3 of the DPA shall also extend to include monday.com having the right to require Partner to make available to monday.com all information necessary to demonstrate Partner’s compliance with the security measures detailed herein and in the Project PS Terms. monday.com shall further have the right to immediately initiate any audit or inspection of Partner in case monday.com reasonably suspects suspicious activities by Partner and/or within Project Customer’s Account.
9.2. Partner shall allow for and contribute to such audits, including on-site interviews, by monday.com and/or a third party qualified audit service provider appointed by monday.com.
9.3. Re-assessment. In the event any audit or questionnaire reveals that the measures implemented by the Partner are not sufficient or are not in conformity with the requirements herein, at monday.com’s discretion, Partner shall, at its own expense and without undue delay, implement the necessary corrective measures, including as instructed by monday.com, which shall be subject to a new audit and/or security assessment by monday.com.
10. Access Control
10.1. Provisioning and Deprovisioning. Partner should implement an access management program that is designed to ensure that access to Systems is granted on a “Need to Know” and “Least Privilege” basis and is revoked promptly, no more than 24 hours following termination of employment or change in employment of Partner Personnel, including Partner Project Personnel. In addition to Section 11.3 below, access to all Partner Systems should be reviewed at least quarterly to ensure that all existing access is appropriate.
10.2. Secure Login. Partner and Partner Project Personnel, shall only access Project Customer’s Accounts for the provision of the Project Professional Services under a specific Project with an approved justification from monday.com for each Project, through either a secure web browser and identity provider (IDP) made available by monday.com and/or via any other secure login process made available to Partner by monday.com as may be updated from time to time and as determined by monday.com.
10.3. Access to Project Customer Account. Partner shall ensure that its appointment as an Account Administrator (“Admin”) in Project Customer’s Account (if approved by Project Customer) shall be in accordance with the specific roles and privileges determined by monday.com for the Project, and Partner shall not modify such roles and privileges without monday.com’s prior written consent. Furthermore, if a Project Customer modifies, grants or notifies Partner of its desire to grant additional privileges or modify such Admin roles and privileges assigned to Partner, then Partner shall immediately (within 4 hours from such modification, grant of such privileges and/or notice) notify its monday.com appointed representative who manages the relationship with Partner on behalf of monday.com (“PPM”).
10.4. User Access Review. Access to Systems which process or store Customer Data should be reviewed on a monthly basis to ensure that all existing access is appropriate and required. Partner will share the results of such review with its PPM within 24 hours from the date of such review.
10.5. Credentials. Partner must enforce the following password policy for access to Partner Systems:
10.5.1. Complexity. Passwords shall be at least 12 characters in length and shall contain characters from no less than three of the following four categories: uppercase letters (ABC), lowercase letters (abc), numeric (0-9) and special (!@#$%^&*). Passwords must not be generic or commonly used passwords.
10.5.2. Storage. Credentials must be stored in a secure manner, and not in insecure ways such as in the browser or in paper form.
10.5.3. Rotation. Passwords must be changed at minimum every 120 days.
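The complexity rule in Section 10.5.1 is mechanical enough to be enforced at account creation and password change. The following Python check is an added example, not part of this document or of monday.com’s or Partner’s own tooling. It assumes the four character categories as listed above, treating any ASCII punctuation as the “special” class, and uses a small constructed stand-in for a common-password list (the document does not name one; a real deployment would load a breach-derived list).

```python
"""Check a candidate password against the Tier 1 credential policy:
at least 12 characters, at least three of four character classes,
and not a commonly used password. Added example with constructed data."""
import string

MIN_LENGTH = 12

# Constructed sample only; assumption: a deployment substitutes a
# larger list of known-common passwords (the policy names none).
COMMON_PASSWORDS = {
    "password", "password123", "123456789012", "qwertyuiop12",
    "welcome12345", "letmein12345", "admin1234567",
}

# Assumption: any ASCII punctuation counts as the "special" category.
SPECIALS = set(string.punctuation)


def character_classes(password: str) -> set:
    """Return the set of character categories present in the password."""
    classes = set()
    for ch in password:
        if ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.digits:
            classes.add("digit")
        elif ch in SPECIALS:
            classes.add("special")
    return classes


def check_password(password: str) -> list:
    """Return the list of policy violations; an empty list means compliant.

    The common-password comparison is case-insensitive so that trivial
    capitalisation does not bypass the list.
    """
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    if len(character_classes(password)) < 3:
        violations.append("fewer than three character classes")
    if password.lower() in COMMON_PASSWORDS:
        violations.append("matches a commonly used password")
    return violations


def is_compliant(password: str) -> bool:
    """True when the password satisfies every rule in Section 10.5.1."""
    return not check_password(password)


if __name__ == "__main__":
    for candidate in ("Tr0ub4dor&3x!", "Password123", "Welcome12345"):
        print(candidate, "->", check_password(candidate) or "compliant")
```

Rotation (10.5.3) and storage (10.5.2) are enforced elsewhere, in the identity provider and password manager respectively; this check covers only what can be decided from the password string itself.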
10.6. Identity Provider (“IdP”) and Multi-Factor Authentication (“MFA”). An organizational IdP solution shall be implemented and monitored by Partner to access Systems which store or process Customer Data. If an IdP cannot be implemented, an MFA shall be enforced on such Systems.
10.7. Mobile Devices. Access by Partner to Customer Data or Project Customer’s Account shall not be permitted under any circumstances via mobile devices, including but not limited to smartphones, thumb drives, external hard drives, tablets etc., but excluding allowed endpoints as set forth in Section 6 above. Smartphones that are used to access monday.com’s Confidential Information must be protected by a PIN code or a password.
10.8. Access to Customer’s Systems. If Partner is required to access Customer’s Systems, it shall only do so in accordance with monday.com’s instructions and policies which will take into consideration Project Customer’s policies and instructions.
11. Notification
11.1. Termination Notification of Partner Project Personnel. Partner must promptly, no more than 24 hours after discovery, notify in writing its PPM following termination or change of employment of any of its Partner’s Project Personnel or third parties who had access to Customer Data or to Systems, when such access is no longer required and shall remove immediately (within 4 hours) any and all access rights from Systems.
11.2. Notification to Customers. Partner will comply with all of monday.com’s instructions if Partner is requested by monday.com to provide a Project Customer with the notification with respect to a termination or change of employment of any of its Partner’s Project Personnel or third parties who had access to Customer Data or to Customers’ Systems.
11.3. Reporting of Loss or Theft. Partner must immediately, no later than one (1) hour after discovery, notify monday.com regarding the loss or theft of devices which can be used to access, store, or process Customer Data to the following emails: (1) the email of Partner’s PPM; (2) security@monday.com; and (3) privacy@monday.com.
12. Human Resources
12.1. Confidentiality Undertakings. All of Partner’s Personnel, including Partner’s Project Personnel should undertake a confidentiality obligation as part of their employment agreement and shall be subject to the confidentiality obligations under the CP Terms.
12.2. Background Checks. Partner shall carry out comprehensive screening of all its Partner Project Personnel in accordance with industry standards and in alignment with applicable laws and regulations, prior to granting access to Customer Data and monday.com Confidential Information.
12.3. Disciplinary Procedure. Partner shall maintain and communicate to all its Partner Project Personnel a formal disciplinary procedure for violations of company policies and of the security measures described herein.
12.4. Awareness and Education. Partner must communicate to all of its Partner Personnel, including Partner Project Personnel the security requirements set forth herein on an ongoing basis, at the minimum, at least annually.
12.5. Termination and Wiping of Devices. In case of termination of employment, Partner’s Project Personnel are responsible for returning all provided Partner assets, such as laptops, which contain monday.com Confidential Information and/or Customer Data. Partner shall also ensure that all devices containing monday.com Confidential Information and Customer Data are wiped prior to disposal of any such devices.
13. Deletion. Deletion of any Customer Data should be carried out as described in the National Institute of Standards and Technology (NIST) Special Publication 800-88 for any Partner Systems or devices storing Customer Data.
14. Restricted Technologies. The following high-risk technologies are not allowed to be used by Partner and Partner Project Personnel for the provision of Project Professional Services:
14.1. All Allowed Devices used to provide the Project Professional Services must block the use of any software and products from Kaspersky Labs (including its subsidiaries, affiliates and/or any successor entity, collectively “Kaspersky Labs”), including but not limited to their anti-virus products. Additionally, equipment from Kaspersky Labs shall not be used for the development of any Work Product.
14.2. All Allowed Devices used to provide the Project Professional Services must not have installed nor use any software and products from ByteDance Limited or entities owned by ByteDance Limited (e.g. TikTok).
14.3. All Allowed Devices or components of any Partner Systems that are used to provide the Project Professional Services shall not include nor use any software and products from Huawei Technologies Company, ZTE Corporation, Hytera Communications Corporation, Hangzhou Hikvision Digital Technology Company, or Dahua Technology Company (or any subsidiaries, affiliates and/or successors of such entities).
14.4. To the extent monday.com authorized Partner to use any third party in performance under the Project PS Terms, including any of Partner’s Affiliates, for the provision of the Project Professional Services, Partner will ensure that such third parties adhere to the provisions of this Section 14. Partner also agrees that if Partner becomes aware of any breach of this Section 14, Partner shall immediately report such breach to monday.com’s security team at security@monday.com.
C. Security Tier 2
The following technical and security measures shall be observed by Partner and its certified Project PS Personnel authorized to provide Project Professional Services in addition to the security measures listed under Security Tier 1 for the provision of Project Professional Services under Subcontracting Tier 4 (as described in the Services Program):
1. Certification. Partner follows internationally recognized industry-standard security-specific certifications, as applicable to Partner, such as ISO 27001, SOC 2, ISO 27002, etc.
2. Human Resources.
2.1. monday.com’s Security Training. In addition to the training and educational requirements stated under Section 12.4 of the Security Tier 1 security requirements, Partner and its Project Personnel authorized to provide Projects under Subcontracting Tier 4 will be required before being assigned to any Project and annually thereafter, to successfully complete monday.com’s internal security awareness program.
2.2. Questionnaires. Partner shall respond to monday.com’s security and privacy questionnaires shared with Partner from time to time (at a minimum annually and in case of a Data Incident) by providing any applicable security documentation, which shall be true, accurate, and complete. These security and privacy questionnaires shall not be considered an audit within the meaning of the Audit Section of the DPA.
3. Allowed Devices.
3.1. Notwithstanding the security requirements under Security Tier 1, Partner Project Personnel who are certified to provide Subcontracting Tier 4 Project Professional Services shall receive monday.com provided devices for the performance of Project Professional Services, which are the only devices authorized to be used to deliver Project Professional Services under Subcontracting Tier 4 (i.e., this is not a requirement for Project Professional Services which can be delivered under Subcontracting Tier 3 and below). Partner is responsible for ensuring that upon termination of the Project PS Terms, or at monday.com’s discretion upon written notice to Partner, all monday.com provided devices are returned to monday.com.
3.2. Partner and each Partner Project Personnel shall sign monday.com’s Acceptable Use Policy (“AUP”) with respect to each of their use of the monday.com provided devices, and Partner shall ensure that each Partner Project Personnel complies with the terms of the AUP.
4. Business Continuity Plan. Partner will maintain, for the duration of the Project PS Terms, a comprehensive disaster recovery and business continuity plan (“BCP”) in accordance with best industry practice for restoring any of its business functions in the event of a disruption that could reasonably have an impact on the Partner’s (including any Partner’s Affiliates’ and/or Sub-Processors’) ability to provide the Professional Services under each Project.
5. Incident Response Plan. Partner shall maintain appropriate security incident management policies and procedures and shall, upon monday.com’s request, provide such policies to monday.com for review and approval.
6. Vulnerability Testing. Partner shall perform industry standard periodic vulnerability scans of its systems that contain Customer Data or Work Product (as such term is defined under the Project PS Terms), including penetration testing and network scans and shall remediate any vulnerabilities and/or findings. The executive summaries of such tests and scans will be made available to monday.com immediately upon request.
7. Change Management. Partner shall implement and maintain change management policies and procedures to establish tracking and reporting processes for all changes to applications, procedures, systems and Partner Systems processing Customer Data. Partner shall establish a process for defining, raising, testing, documenting, assessing and authorizing emergency changes that do not follow the established change process.
8. Patch Management. Partner shall implement and maintain a vulnerability and patch management program which, at a minimum, ensures remediation of vulnerabilities in accordance with their severity. The severity rating shall be classified in accordance with industry standards such as the Common Vulnerability Scoring System (CVSS).
9. Network and Data Segmentation. Network and network device security policies shall be implemented to ensure the protection of Customer Data in networks and the corresponding information processing systems, including proper segmentation to ensure the physical or logical separation of Customer Data from Partner’s and any other third party’s data.
10. Data Leakage Policy. Partner shall implement and maintain Data Leakage Prevention tools and processes designed to monitor and prevent data exfiltration and leakage.
11. Secure Development.
11.1. S-SDLC. Partner shall agree to implement and maintain monday.com’s secure software development lifecycle requirements which will be available here and shall ensure that Partner’s Project Personnel complete the monday.com provided secure code training before assigning any Projects to Partner and its Partner Project Personnel and on an annual basis thereafter.
11.2. Production. Unless otherwise instructed by monday.com, only monday.com will be able to push any code into monday.com’s development environment.
11.3. Secure Storage. Partner shall establish a policy for the secure storage and/or hashing of any applicable secrets related to the Project Professional Services, using industry-standard methods such as password hashing and encryption. Secrets such as credentials, API tokens or encryption keys must not be placed in the code and/or hard-coded.