As users of our own product, we understand how important the security and privacy of your data is.
We are committed to providing our customers with a highly secure and reliable environment for our cloud-based application. We have therefore developed a security model that covers all aspects of cloud-based monday.com systems. The security model and controls are based on international protocols and standards and industry best practices.
As part of the company’s focus on security issues, the company security team performs on a regular basis:
Monitoring and analyzing the infrastructure for suspicious activities and potential threats.
Issuing periodic internal security reviews.
Dynamically updating the security model and addressing new security threats.
Systematically examining the organization's information security risks, taking into account threats and vulnerabilities.
Designing and implementing a coherent and comprehensive suite of information security controls and/or other forms of risk treatment (such as risk avoidance or risk transfer) to address the risks that are deemed unacceptable.
Adopting an overarching management process to ensure that the information security controls continue to meet the organization's evolving information security needs.
PROTECTING CUSTOMER DATA
Our systems are hosted on Amazon AWS infrastructure, located in Northern Virginia. Amazon has devoted an entire portion of its site to explaining its security measures, which you can find here: https://aws.amazon.com/compliance and here: https://aws.amazon.com/security. No one other than our developers can access the data of clients, and this is only done if it is necessary to solve client-related issues; for example, to restore or recover accidentally deleted data (pulses/groups/boards).
Customer data is stored only in the production environment. Developers only have approval to access user data in order to solve client requests, issues or bugs. All logs of SSH connections to our production environment are saved and archived.
Attachments in your account are encrypted and delivered on a per-user-access controlled basis.
We know the data you share in monday.com is private and confidential. We have strict controls over our employees' access to internal data and we are committed to ensuring that your data is never seen by anyone who should not see it.
With that said, the operation of monday.com wouldn't be possible without a few members having access to our databases in order to optimize performance and storage. This team is prohibited from using these permissions to view customer data without explicit, written permission from the user.
SECURE SOFTWARE DESIGN
Any new feature or code that will be implemented into our system starts with an in-depth analysis of security and privacy risks. All code is saved into a git version control repository and evaluated in a test environment before deploying it into our production environment. All code is reviewed by a second developer to ensure code quality.
PHYSICAL SECURITY PROTOCOLS
Security controls at Amazon data centers are based on standard technologies and follow the industry’s best security practices. The physical security controls are constructed in such a way as to eliminate the effect of single points of failure and retain the resilience of the computing center.
A variety of environmental controls are implemented at Amazon's data center facilities.
Servers are locked inside the infrastructure in a designated area.
The server area is cooled by a separate air conditioning system, which keeps the climate at the desired temperature to prevent service outage.
The facilities are protected by a fire suppression system, which protects the computing equipment and has built-in fire, water, and smoke detectors.
The facilities have on-site generators, which serve as an alternative power source.
There is 24-hour video surveillance of all entrances and exits, lobbies, and ancillary rooms. The videos are recorded and monitored, and retained for later use.
Firewalls: Applications in the hosting and cloud have firewalls installed to shield them from attack and prevent the loss of valuable customer data. The firewalls are configured to serve as perimeter firewalls to block ports and protocols.
DDoS mitigation and WAF: All application access, including direct application access and API access, is protected by a dedicated DDoS mitigation service, and an advanced WAF scans all traffic going in and out of the private application network, allowing monday.com to ensure high availability at all times, as well as to prevent attacks and malicious activities.
All transmissions to and from monday.com, including sign-on, are encrypted at 256-bit and sent through TLS 1.2, adhering to the FIPS 140-2 certification standard. Our SSL implementation passes Qualys SSL Labs with very high grades. We monitor the changing cryptographic landscape and upgrade our cipher suite choices as the landscape changes, while also balancing the need for compatibility with older clients.
EXTERNAL SECURITY AUDITS AND PENETRATION TESTS
We work closely with industry leaders in web app and infrastructure security who perform penetration tests and audits of monday.com. We monitor our product for security vulnerabilities automatically as the product grows.
SYSTEM MONITORING, LOGGING AND ALERTING
monday.com monitors servers to retain and analyze a comprehensive view of the security state of its production infrastructure. monday.com collects and stores production server logs for analysis. Logs are stored and indexed in a separate network.
All of the data is backed up hourly to multiple disks. Backups are encrypted and distributed to various locations. Backups are saved for a period of 25 days.
To handle security incidents effectively, monday.com has constructed incident response and notification procedures. monday.com employs an Incident Handling team that responds to security incidents and mitigates risks. The team uses monitoring and tracking tools and performs real-time analysis. Additionally, the team has clear procedures in place for communicating incidents to any involved party and for handling escalations. Every incident is forwarded to the security team leader for assessment and analysis. The level of severity is a measure of the incident's impact on, or threat to, the operation or integrity of the institution and its information. It determines the priority for handling the incident, who manages the incident, and the timing and extent of the response.
monday.com realizes that the malicious activities of an insider could have an impact on the confidentiality, integrity, and availability of all types of data and has therefore formulated policies and procedures concerning the hiring of IT administrators or others with access to important and crucial systems. Monday has also formulated policies and procedures for the ongoing periodic evaluation of IT administrators or others with system access. User permissions are continuously updated and adjusted, so when a user's job no longer involves infrastructure management, the user's console access rights are immediately revoked.
SECURITY AWARENESS AND TRAINING
In order to help ensure that Monday employees are aligned with the security practices and aware of their duties, monday.com conducts multiple information security awareness campaigns. In addition, the security obligations of users and the entity’s security commitments to users are communicated on an annual basis through the company policy and code of conduct document.
Our engineering and operations teams keep their skills up to date regarding security best practices. We have coded many different online systems and are experienced in infrastructure security and systems security.
SSAE16 SOC1 AND OTHER COMPLIANCE CERTIFICATIONS
Amazon's data centers have an SSAE16 SOC1 service auditor's report as the result of an in-depth audit of the centers' control objectives and control activities, including controls over information technology and all other related processes. Please visit the following links: https://aws.amazon.com/security/, https://aws.amazon.com/compliance/
monday.com customers' data is stored on Amazon Servers (AWS) in the USA. Amazon has already announced that AWS will comply with the GDPR when it becomes enforceable on May 25, 2018. You can learn more about Amazon and GDPR here: https://aws.amazon.com/blogs/security/aws-and-the-general-data-protection-regulation/.
From our end, we will ensure that all our activities meet the GDPR standards by May 25, 2018.
EU-U.S. PRIVACY SHIELD
monday.com customers' data is stored on Amazon Servers (AWS) in the USA. AWS complies with the EU-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce, permitting the collection, use, and retention of personal information transferred from the European Union to the United States. You can learn more about Amazon and the EU-U.S. Privacy Shield here: https://aws.amazon.com/compliance/eu-us-privacy-shield-faq
As for the transfer of data from the EU to monday.com Ltd, the European Commission has previously approved Israel's status as a country that provides an "adequate level of protection", permitting the collection, use, and retention of personal information transferred from the European Union to Israel.
All information handled by monday.com is considered private and protected by a high level of security. Passwords are hashed and salted and never stored in their plain form. This means no one, not even our team, can see or decrypt them. No one in the company, besides developers, can access any data in the account without being invited by the admin of the account. This includes the entire sales and customer success departments. Each employee also signs an NDA during the hiring process, which protects all client verbal communication.