
Digital Operational Resilience Act (DORA)


Introduction

At monday.com, we are committed to maintaining effective and up-to-date standards of security and data privacy. The introduction of the Digital Operational Resilience Act (DORA) regulation serves as an opportunity to demonstrate how monday.com’s processes are aligned with the required key provisions, particularly as a service provider for customers who are directly impacted by DORA. We continue to evaluate DORA impact on our services and operations to ensure that our processes are consistent with industry standards and support our customers in their own compliance efforts.

What does DORA mean to you?

DORA is a new EU regulation designed to enhance the operational resilience of EU financial entities (such as banks, investment firms, insurance companies and payment service providers) against cyber threats and other operational risks. DORA aims to strengthen the ability of EU financial entities to withstand, respond to, and recover from risks related to certain Information and Communication Technology (ICT) systems and service providers, thereby supporting the stability of the entire financial ecosystem.

What does DORA mean for monday.com?

monday.com is not directly subject to DORA, as the act is specifically aimed at financial entities. We do recognize that our financial sector customers may rely on third-party service providers such as monday.com, and we are therefore making sure that our practices are able to assist our customers in their alignment with DORA. Requirements under DORA that may pertain to your organization are already generally addressed through our established practices and documentation.

What now?

To support your efforts in addressing DORA requirements, we have created this resource which provides both practical information and references to our established documentation that applies to your DORA-related commitments.

monday.com Overview in light of DORA Requirements

The key pillars of DORA are addressed through the measures listed below. They include both security features of our SaaS application and operational security measures we take as a company, and they are intended to help you with your DORA compliance efforts.

Data security and privacy obligations are addressed in our Data Processing Addendum (DPA). For a full overview of monday.com’s security and privacy practices, please refer to the monday.com White Paper, available at our Trust Center.

Security Features of monday.com’s application

Data Encryption

Data is encrypted in transit using TLS 1.3 with a modern cipher suite, with TLS 1.2 as the minimum supported version. User data is encrypted at rest across our infrastructure using AES-256 or better. We also offer Bring Your Own Key (BYOK) and Tenant Level Encryption (TLE) as part of our Guardian add-on, giving you even more control over your data.

Data Governance

As part of the platform and our offerings, we provide various governance features that give companies full ability to own and manage their data. Among these, we offer logging tools at the item, board, and account level. These logs can be exported and integrated into your existing monitoring tools.

Admins can set up account restrictions such as IP restrictions, and customize user management and permissions. You can take control of access to your monday.com instance by integrating with your IdP for SSO and by setting up 2FA.

Data Resiliency

To achieve high availability and resiliency, our service is hosted on Amazon Web Services (AWS), with the ability to host in EU, US or AUS regions. We employ a microservices architecture to ensure minimal impact on system health should one or more components fail. Multiple Availability Zones are used to provide further redundancy.

Data Ownership

monday.com is the data processor (or service provider) of the personal data that its customers and users submit to the platform (into the boards and items within their monday.com account), and processes this data solely on behalf of its customers, who act as the data controller (or business).

monday.com customers retain full control of their uploaded data and may modify, delete or export it at any time using the means available through the service's user interface. Upon termination of the contract, customers can request deletion of their data as part of the account closure procedure. All customer data will then be deleted within 90 days, which consists of a 30-day period to allow for rollback and an additional 60 days to delete the data from our databases and our sub-processors' databases.

Operational Security of monday.com

Risk Management

monday.com holds and maintains a Risk Management Policy that is designed to provide an understanding of the risks to which information and information assets are exposed, and to provide a framework for mitigating perceived risks. As part of the risk assessment process, threats to system security are identified and evaluated, and the risk from these threats is formally assessed. We undergo a risk assessment as part of our ISO 27001 certification and SOC 2 Type 2 audit, which is conducted annually.

Incident Reporting

Our Information Security & Data Incident Response Procedure sets forth guidelines for detecting incidents, escalating them to the relevant personnel, communicating (internally and externally), mitigating, and performing post-mortem analysis. In the event of such an incident, monday.com will notify affected customers without undue delay after becoming aware of it.

Business Continuity and Disaster Recovery

monday.com maintains a Business Continuity Plan (BCP) for operational resilience when dealing with disasters affecting its normal operational environment, focusing on disasters that affect monday.com employees, offices and facilities. In addition, we maintain a Disaster Recovery Plan (DRP) for dealing with disasters affecting our production environment, which includes restoring the service's core functionalities from our dedicated DR location.

Third Party Risk Management

When implementing a third-party solution, security measures are taken to ensure that the third party does not negatively impact monday.com’s risk level. For this purpose, we hold our third parties to industry standards with respect to data security and privacy, and consider both areas critical in our vendor selection process.

Among other measures, we have ensured that Data Processing Addendums (DPAs) and other relevant documentation are in place with all of our sub-processors, containing the same or materially similar data protection obligations as set out in the customer DPA. We perform privacy and security assessments and questionnaire-based audits, and review SOC reports and penetration test (PT) executive summaries where applicable.

Proactive Security

monday.com takes part in and subscribes to professional forums, groups, conferences, etc. to receive automated intelligence feeds on threats, vulnerabilities, and compromised companies in the industry.

The company has automation tools that scan for the presence of these threats and assess their impact and relevance to us. The areas we monitor for threat intelligence include our endpoints, our IT systems environment, and vulnerabilities within our cloud infrastructure, as well as compromised companies.

For more information on how we are preparing for DORA and what it means for you, please feel free to reach out to our Support Team.