My monday.com journey started years ago, back when it was called ‘dapulse’ and I was working at one of its very first customers. Then, in early 2018 - with over a decade of privacy work under my belt - I had the fortune of being appointed as Data Protection Officer @ monday.com.
Together with monday.com’s privacy, security and legal teams, as well as numerous champions and countless allies across the organization, we set out to build and lead our privacy program to new heights - as we seek to empower our customers who trust us with their data, and protect the privacy of those many millions of data subjects whose data we process.
A lot has changed over the years at monday.com - as it became one of the fastest growing and most innovative SaaS providers in the world - yet the privacy principle and commitment at the core of our platform - and organization - remain the same:
Customer data belongs to our customer. Your personal data is yours. We’re here to secure that. To honor your trust in us and rights over your data, and ensure that your privacy is protected.
This is not one of those lip service commitments you’re used to seeing at the top of every other privacy policy you’ve ever read. This is also not something we simply say for mere legal compliance. We genuinely care for your privacy and hope that through this page and the various resources we publish here now and in the future - we will be able to demonstrate to you what that level of care actually means.
If you have read through everything and still couldn’t find what you were looking for; or if you have any suggestion on how we could do better - please drop us a line at dpo@monday.com. We appreciate any and all feedback received, as we look to do the best we can by you and your data.
Yours,
Aner Rabinovitz – Data Protection Officer @ monday.com
Our global privacy program is generally based on the most comprehensive and advanced data protection regulations in the world, with the EU GDPR serving as our “north star” for doing privacy right.
In the event that any particular and special requirements would directly apply to us under a local law or regulation, in our capacity as our customer’s data processor, we would address those requirements in accordance with our obligations under law and our Data Processing Addendum with such customer.
Interested in how we’re addressing particular privacy laws or regulations around the world? Read more below:
monday.com & the GDPR
The GDPR defines and distinguishes between two primary roles when it comes to collecting and processing personal data: data controllers and data processors.
A data controller determines the means and purposes for processing personal data, while a data processor is a party that processes data on behalf of the controller.
monday.com is the data controller of personal data relating to its customers, users and website visitors. This is further explained in our Privacy Policy.
monday.com is the data processor of personal data that its customers and users submit to the platform (into their boards and items within their monday.com account), and processes this data on its customer’s behalf. We do so in accordance with the Data Processing Addendum entered into with our customer. The third party service providers we use to help us process this data are our “sub-processors”.
Yes - we engage selected third party service providers to help us process our customers’ data on their behalf. A list of our sub-processors can be found here.
We hold our sub-processors to high industry standards with respect to data security and privacy, and consider both areas as critical in our vendor selection process. Among others, we have ensured that Data Processing Addendums and other relevant documentation are in place with all of our sub-processors, and perform privacy and security assessments and questionnaire-based audits, all in accordance with regulatory requirements.
Yes. monday.com Ltd. is headquartered in Israel, with offices and teams located in the US, UK, Australia, the Ukraine and Guatemala. Our sub-processors are also situated in various countries, as detailed on our sub-processors page.
The transfer of personal data originating from the EU to other countries is performed in reliance on the lawful transfer mechanisms afforded by the GDPR, such as the “adequacy decisions” made by the European Commission (e.g. the decisions deeming the UK and Israel as providing an adequate level of protection to personal data originating from the EU), and the EU Standard Contractual Clauses.
As of January 2021, monday.com offers multi-region capabilities, allowing our customers the choice of having their data hosted in either the USA or Germany. For more information, please click here.
Yes. monday.com has designated VeraSafe as its EU Representative under Article 27 of the EU GDPR; and monday.com UK 2020 Limited as its UK Representative under Article 27 of the UK GDPR.
Our EU Representative VeraSafe may be contacted only on matters related to the processing of personal data, through this contact form.
Our UK Representative monday.com UK 2020 Limited may be contacted via email, at ukgdpr-rep@monday.com.
monday.com, as a data processor, maintains a general record of its processing activities. Keep in mind, however, that such records do not contain the types of personal data or data subjects whose data is processed on behalf of our customers, as we do not monitor or review such data. Our customers, as the controllers of such data, should maintain a more comprehensive and detailed record for their own purposes and compliance posture.
monday.com does not permit governmental authorities free access to any customers’ data held with us. We very rarely receive any requests from authorities (in the US or otherwise) to disclose customer data, and in the incredibly few instances where we have received such requests in previous years - these were limited in scope, and addressed very legitimate grounds for requesting such data (e.g. suspected illegal activity related to that particular account).
In any event, disclosure would be limited only to such data which is strictly necessary under law, after the request has been reviewed by our Legal and Privacy teams to ensure it is valid and warranted. We use our best efforts to notify our customers before we make such disclosure, unless we are prohibited from doing so or are unable due to a potential risk. More information can be found in section 4 (“Data Sharing”) of our Privacy Policy.