Security and privacy FAQ

How does monday.com secure its users’ access into the monday.com service?

Access to monday.com is authenticated using the following methods:

  • Credentials: a username (usually your email address) and a password;
  • External identity providers: Google SSO (Pro and Enterprise plans only), and Okta, OneLogin and custom
    SAML 2.0 (Enterprise plan only);
  • Two-factor authentication (2FA), via a text message or an authenticator app, which account administrators
    can optionally enable.

Does monday.com support the configuration of password policies?

Administrators can choose between two password strength settings for their account:

  • 8 characters minimum, with no repeating or consecutive characters; or
  • 8 characters minimum, with no repeating or consecutive characters, and at least one digit (123),
    one lowercase letter (abc) and one uppercase letter (ABC).
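
The two settings above can be expressed as a small checker. The following is an added example, not monday.com code, and it has to fix two details the FAQ leaves open: how long a "repeating" run (e.g. "aaa") or a "consecutive" run (e.g. "abc", "321") must be before it is rejected, and whether runs are checked on adjacent characters only. Both are assumptions made here (runs of three or more adjacent characters); the rule names and the `check_password` function are also this example's own.

```python
"""Model of the two password-strength settings described in the FAQ.

Added example, not monday.com's implementation. Assumptions not stated on the page:
- "repeating characters" means the same character RUN_LENGTH or more times in a row ("aaa");
- "consecutive characters" means RUN_LENGTH or more adjacent characters that ascend or
  descend by exactly one code point ("abc", "321", "cba").
"""
from __future__ import annotations

import re

MIN_LENGTH = 8      # stated on the page
RUN_LENGTH = 3      # assumption: the page does not give the run length


def has_repeating_run(pw: str, n: int = RUN_LENGTH) -> bool:
    """True if any character appears n or more times consecutively (e.g. 'aaa')."""
    return any(len(set(pw[i:i + n])) == 1 for i in range(len(pw) - n + 1))


def has_sequential_run(pw: str, n: int = RUN_LENGTH) -> bool:
    """True if n or more adjacent characters step by +1 or -1 code point (e.g. 'abc', '321')."""
    for i in range(len(pw) - n + 1):
        window = pw[i:i + n]
        steps = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def check_password(pw: str, strict: bool) -> list[str]:
    """Return the list of policy violations; an empty list means the password is accepted.

    strict=False models the first setting (length + no repeating/consecutive runs).
    strict=True models the second setting, which additionally requires a digit,
    a lowercase letter and an uppercase letter.
    """
    violations: list[str] = []
    if len(pw) < MIN_LENGTH:
        violations.append("shorter than 8 characters")
    if has_repeating_run(pw):
        violations.append("contains repeated characters")
    if has_sequential_run(pw):
        violations.append("contains consecutive characters")
    if strict:
        if not re.search(r"\d", pw):
            violations.append("missing a digit")
        if not re.search(r"[a-z]", pw):
            violations.append("missing a lowercase letter")
        if not re.search(r"[A-Z]", pw):
            violations.append("missing an uppercase letter")
    return violations


if __name__ == "__main__":
    # Constructed sample passwords, not real credentials.
    for candidate in ("password", "abc12345", "cba97531", "Passw0rd"):
        for strict in (False, True):
            result = check_password(candidate, strict)
            print(f"{candidate!r} strict={strict}: {result or 'accepted'}")
```

Note that the basic setting accepts a password such as "password": it is 8 characters long and, under the run-length assumption above, the doubled "ss" is not a repeating run. Only the second setting rejects it, for lacking a digit and an uppercase letter, which is the practical difference an administrator is choosing between.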

Is monday.com customers’ data encrypted? Which methods are used to encrypt data?

Yes, monday.com uses the following methods to encrypt customer data:

  • Data at rest is encrypted using AES-256.
  • Data in transit across open networks is encrypted using TLS 1.3, with TLS 1.2 as the minimum accepted version.
  • User passwords are salted and hashed.

Where are monday.com’s data centers located?

monday.com is a fully cloud-based service. Our service is hosted on Amazon Web Services infrastructure in Northern Virginia
across multiple Availability Zones, with a DR site established in a different region. Certain backup data is stored on Google Cloud Platform
(US, multi-region). These data centers employ leading physical and environmental security measures, resulting in highly resilient infrastructure.
More information about their security practices is available at:
AWS security page
GCP security page

How do you ensure your service’s availability?

We employ a microservices architecture so that the failure of one or more components has minimal impact on overall system health.
Multiple Availability Zones provide further redundancy, and we have alternative providers for some of the services we rely on.
Enterprise customers are provided with a 99.9% availability SLA, subject to the terms of the SLA. Additionally, our service's availability can be monitored
through our status page, where you can also subscribe to receive updates via email or text message.

Which Security and Privacy related regulations, standards and certifications does monday.com comply with as of the date hereof?

We hold the following certifications, audit reports and compliance programs:

  • ISO 27001, ISO 27017, ISO 27018, ISO 27032, ISO 27701
  • HIPAA
  • SOC 1 Type II, SOC 2 Type II, SOC 3
  • GDPR
  • CCPA

You can find all of our certificates here.

Is monday.com PCI-DSS compliant?

monday.com uses a third-party, PCI-DSS certified billing processor; thus, any credit card payments made through
our billing processor are processed according to the PCI-DSS requirements. Payment card data is therefore not stored on our service,
and we are not required to be PCI-DSS certified.

Does monday.com have dedicated Security personnel?

Yes. Our security efforts are guided and monitored by our Security Team and wider Security Forum,
which is composed of representatives from Infrastructure, R&D, Operations and IT Teams.

For more FAQs, read here.