Technical and Organizational Security Measures

Last Updated: January 09, 2024

The following is a description of the minimum industry-standard technical and organisational security measures designed and implemented by the Partner (and its Sub-Processors (as such term is defined under the DPA), if any) in accordance with the Terms, for the protection of monday.com’s Confidential Information, its confidentiality and integrity, as may be amended from time to time. These Technical and Organisational Security Measures shall also serve as Annex II of the Standard Contractual Clauses, containing the minimum technical and organisational security measures implemented by the data importer (additional technical and organisational security measures may be included)*:

1. Definitions

All capitalized terms not otherwise defined herein shall have the meaning ascribed to them in the Standard Contractual Clauses or the Terms.

1.1  “Systems” means Partner’s information systems processing monday.com’s Confidential Information (e.g. email systems, file storage solutions).

1.2  “monday.com Systems” means monday.com’s information systems to which monday.com has granted Partner or Partner Personnel access.

1.3  “monday.com’s Confidential Information” means as defined under the Terms, including Personal Data.

1.4  “Personal Data” means any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, to or with an identified or identifiable natural person (including monday.com employees and customers). Examples include names, locations, physical addresses, phone numbers, email addresses, IP addresses and any data uploaded to the monday.com Services by monday.com customers.

1.5  “Least Privilege” means the principle of giving a user account or process only those privileges which are essential to perform its intended function.

1.6  “Need to Know” means the principle of granting access only to the information which is necessary for one to conduct one’s official duties.

2. Handling Confidential Information

2.1  Allowed Communications. Private communication channels, such as WhatsApp, iMessage, or WeTransfer, must not be used for processing monday.com’s Confidential Information (e.g., transferring monday.com’s Confidential Information to a third party or among Partner’s Personnel). Only work-related communication channels, systems and services approved by Partner, such as Slack, monday.com or company email, shall be used for this purpose.

2.2  Physical Processing. Processing of monday.com’s Confidential Information in physical form (e.g. printed documents) is prohibited.

2.3  Removable Media. Removable media such as external hard disks, USB sticks and thumb drives are prone to loss or theft, and are also a common route for introducing malware into monday.com’s assets. Thus, Partner must not use removable media to store or transfer monday.com’s Confidential Information, and must not connect unfamiliar or suspicious removable media to the Systems.

3. Endpoints

3.1  Updates. All workstations must run an operating system (OS) version that is within the last two released versions.

3.2  Encryption. All workstations must be encrypted in accordance with industry standards (e.g., using FileVault 2/BitLocker).

3.3  Anti-Malware. All workstations must be protected using a regularly updated anti-malware solution.

3.4  Screen Lock. All workstations must be configured with a screen-lock timeout of no more than ten (10) minutes and must be password protected.

4. Physical Protection

4.1  Device Physical Protection. Devices with access to monday.com’s Confidential Information (e.g., laptops and mobile devices), especially when taken out of Partner’s office premises, should be securely handled. Devices must not be left unattended in public areas or inside vehicles.

4.2  Clear Desk Policy. Workstation screens must not be left open while unattended, including in Partner’s offices. Workstation screens must be locked whenever they are left unattended.

4.3  Reporting of Loss or Theft. Partner must immediately, and no later than 24 hours from discovery, notify monday.com’s channel manager or security team of the loss or theft of any device that can be used to access Personal Data. Notifications must be sent by email to security@monday.com.

5. Access Control

5.1  Provisioning and Deprovisioning. Partner should implement an access management program designed to ensure that access to the Systems is granted on a “need-to-know” and “least privilege” basis and is revoked promptly following termination of employment, or a change in role, of Partner Personnel. Access to the Systems should be reviewed at least twice a year to ensure that all existing access is appropriate.

5.2  Notification. Partner must promptly, and no later than within 24 hours, notify its channel manager in writing following the termination of employment of any Partner Personnel who had access to monday.com Systems, or following a change in Partner Personnel’s role after which access to monday.com Systems is no longer required, so that monday.com can revoke such access.

5.3  Credentials. Partner should enforce the following password policy on its personnel:

i. Complexity. Passwords shall be at least 12 characters in length and shall contain characters from no less than three of the following four categories: uppercase letters (ABC), lowercase letters (abc), numeric (0-9) and special (!@#$%^&*).

ii. Storage. Credentials must be stored in a secure manner, and not in insecure ways such as in the browser or in paper form.

iii. Rotation. Passwords must be changed at minimum once a year.
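An added example, not part of this annex, that encodes the 5.3 requirements as a check an administrator could run over an identity-provider export. It assumes the special-character set is exactly the “!@#$%^&*” listed above and reads “once a year” as a 365-day rotation window; both are interpretations of the text, not statements from it.

```python
from datetime import date, timedelta

# Policy values from section 5.3 of this page.
MIN_LENGTH = 12
MIN_CATEGORIES = 3
MAX_PASSWORD_AGE = timedelta(days=365)   # assumption: "once a year" = 365 days
# Assumption: the page's example set is treated as the full special-character set.
SPECIAL_CHARS = set("!@#$%^&*")


def character_categories(password: str) -> set[str]:
    """Return which of the four policy categories appear in the password."""
    cats = set()
    for ch in password:
        if ch.isascii() and ch.isupper():
            cats.add("upper")
        elif ch.isascii() and ch.islower():
            cats.add("lower")
        elif ch.isascii() and ch.isdigit():
            cats.add("digit")
        elif ch in SPECIAL_CHARS:
            cats.add("special")
    return cats


def check_password_policy(password: str) -> list[str]:
    """Return the 5.3(i) violations for a candidate password; empty means compliant."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append(f"length {len(password)} < {MIN_LENGTH}")
    cats = character_categories(password)
    if len(cats) < MIN_CATEGORIES:
        violations.append(f"only {len(cats)} of 4 character categories")
    return violations


def rotation_overdue(last_changed: date, today: date) -> bool:
    """5.3(iii): True when the password has not been changed within the window."""
    return today - last_changed > MAX_PASSWORD_AGE


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    for pw in ("Tr0ub4dor&3x", "password1234", "Ab1!"):
        print(pw, check_password_policy(pw) or "compliant")
    print("overdue:", rotation_overdue(date(2023, 1, 1), date(2024, 1, 9)))
```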

5.4  Multi-Factor Authentication (MFA). MFA should be enforced on the Systems.

5.5  Mobile devices. Smartphones that are used to access monday.com’s Confidential Information must be protected by a PIN code or a password.

6. Human Resources

6.1  Confidentiality Undertakings. All of Partner’s Personnel should undertake a confidentiality obligation as part of their employment agreement.

6.2  Awareness and Education. Partner must periodically communicate to all of its Partner Personnel the security requirements set forth herein, at the minimum.

6.3  Termination. In case of termination of employment, Partner’s Personnel are responsible for returning all provided Partner’s assets, such as laptops.

7. Exceptions

Any activity that is not in alignment with the requirements set forth herein must be immediately communicated to monday.com’s channel manager or to the security team at security@monday.com.

*If Partner implements additional technical and organisational security measures, please provide further details to your channel manager.

Last update: January 10, 2024
