
Privacy is more than just a policy

My monday.com journey started years ago, back when it was called ‘dapulse’ and I was working for one of its very first customers. Then, in early 2018, with over a decade of privacy work under my belt, I had the fortune of being appointed as the Data Protection Officer at monday.com.

Together with monday.com’s privacy, security and legal teams, as well as numerous champions and countless allies across the organization, we set out to build and lead our privacy program to new heights. We continue to empower our customers who trust us with their data, and protect the privacy of those millions of individuals whose data we process.

A lot has changed over the years at monday.com as it became one of the fastest growing and most innovative SaaS providers in the world. Yet monday.com’s privacy principles and commitment remain the same:

Customer data belongs to the customer. Your personal data is yours. We’re here to secure that. To honor your trust in us and ensure that your privacy and rights are protected.

This is not one of those lip service commitments you’re used to seeing at the top of every other privacy policy. This is also not something we simply say for mere legal compliance. We genuinely care about your privacy, and hope that through this page and the resources we publish, we will be able to demonstrate to you our ongoing commitment.

If you have read through everything and still haven’t found what you were looking for, or if you have any suggestions on how we can improve, please drop us a line at dpo@monday.com.

We appreciate any and all feedback received, as we look to do our best by you and your data.

Yours,

Aner Rabinovitz – Data Protection Officer at monday.com

Does monday.com comply with privacy legislation around the world?

Our global privacy program is generally based on the most comprehensive and advanced data protection regulations in the world, with the EU GDPR serving as our “north star” for doing privacy the right way.

In the event that any particular and special requirements would directly apply to us under a local law or regulation, in our capacity as our customer’s data processor, we would address those requirements in accordance with our obligations under law and our Data Processing Addendum with such customer.

Interested in how we’re addressing privacy laws or regulations around the world? Read more below:

monday.com & the GDPR
monday.com & the CCPA
monday.com & the Australian Privacy Act and Principles
HIPAA Business Associate Agreement
monday.com & Canada’s PIPEDA
monday.com & Brazil’s LGPD
monday.com & Japan’s APPI

Is monday.com a Controller or Processor?

Some privacy and data protection laws, including the GDPR and CCPA, distinguish between two primary roles when it comes to collecting and processing personal data: data controllers and data processors. Under the CCPA, these are referred to as businesses and service providers.

A data controller (or business) determines the means and purposes for processing personal data, while a data processor (or service provider) is a party that processes data on behalf of the controller.

monday.com is the data controller (or business) of personal data relating to its customers, users, and website visitors. This is further explained in our Privacy Policy.

monday.com is the data processor (or service provider) of personal data that its customers and users submit to the platform (into their boards and items within their monday.com account), and processes this data solely on its customers’ behalf. We do so in accordance with the Data Processing Addendum entered into with our customer. The third parties we use to help us process this data are our “sub-processors”.

Does monday.com offer a Data Processing Addendum (DPA)?

Yes. We provide all our customers with the opportunity to enter a Data Processing Addendum (DPA), for ensuring the protection and proper processing of personal data that we process on their behalf. By using the Services, you agree to enter into our DPA. If you would like to execute our DPA online, you can do so here.

Does monday.com engage with any sub-processors?

Yes. We engage selected third party vendors to help us process our customers’ data on their behalf. A list of our sub-processors can be found here.

We hold our sub-processors to high industry standards with respect to data security and privacy, and consider both areas as critical in our vendor selection process. Among other things, we have ensured that Data Processing Addendums and other relevant documentation are in place with all of our sub-processors, and we perform privacy and security assessments and questionnaire-based audits, all in accordance with regulatory requirements.

Does monday.com engage in cross-border transfers of personal data?

Yes. monday.com is headquartered in Israel, with offices located in the US, UK, Australia, Poland, Singapore, Brazil and Japan, and support teams in the Philippines and Guatemala. Our sub-processors are also situated in various countries, as detailed on our sub-processors page.

monday.com ensures that any transfer of personal data originating in the EEA, UK or Switzerland to a country that was not recognised by the European Commission, the UK Secretary of State, or the Swiss Federal Data Protection and Information Commissioner (as applicable) as affording an “adequate” level of data protection to personal data is governed by appropriate contractual safeguards. In such circumstances, we rely on, and build into our relevant agreements, the EU Standard Contractual Clauses (SCCs), which can be found here and here.

In addition to the protections provided by the SCCs, we supplement our contractual obligations with additional safeguards aimed at strengthening the rights and freedoms of data subjects beyond those granted by the SCCs, and have additional clauses in our contracts with customers that aim to protect customer personal data from being transferred in the event of governmental requests to surveil or otherwise gain access to such data.

As of 2024, monday.com offers multi-region capabilities, allowing our customers the choice of having their data hosted either in the USA, EU (Germany) or APAC regions.

Has monday.com certified with the DPF?

Yes. monday.com’s US subsidiary, monday.com, Inc., has been certified under the US Department of Commerce’s Data Privacy Framework (DPF) to receive data transfers from the EEA to the US, from the UK to the US, and from Switzerland to the US. Transfers from the EEA, UK and Switzerland to our US subsidiary, monday.com, Inc., are made primarily in reliance on such certification under this Framework.

Has monday.com appointed a Data Protection Officer (DPO)?

Yes. We have appointed privacy veteran, Aner Rabinovitz, as our Data Protection Officer, for monitoring and advising on monday.com’s ongoing privacy compliance, and serving as a point of contact on privacy matters for data subjects and supervisory authorities. Aner may be reached at dpo@monday.com.

Has monday.com designated EU and UK Representatives?

Yes. monday.com has designated VeraSafe as its EU Representative under Article 27 of the EU GDPR; and monday.com UK 2020 Limited as its UK Representative under Article 27 of the UK GDPR.

Our EU Representative VeraSafe may be contacted only on matters related to the processing of personal data of EU citizens, through this contact form.

Our UK Representative monday.com UK 2020 Limited may be contacted via email, at ukgdpr-rep@monday.com.

Does monday.com create and maintain Records of Processing Activities on behalf of its customers?

Our customers, as the controllers of such data, should maintain a comprehensive and detailed record for their own purposes and compliance posture, including with respect to the personal data they have processed via monday.com, and the data subjects to whom such data relates. monday.com, as a data processor, maintains a general record of its processing activities. However, we do not monitor the specific data that is being processed on behalf of our customers, and therefore the records we maintain will not address those.

Does monday.com permit governmental authorities access to its customers’ data?

monday.com does not permit governmental authorities unfettered access to customers’ data held with us. We very rarely receive any requests from authorities (in the US or otherwise) to disclose customer data, and in the rare instances in which we have received such requests, these were limited in scope, and addressed very legitimate grounds for requesting such data (e.g. suspected illegal activity related to that particular account).

In any event, disclosure would be limited only to such data which is strictly necessary under law or a legal compulsion, after the request has been rigorously reviewed by our Legal and Privacy teams to ensure it is valid and warranted. We use our best efforts to notify our customers before we make such disclosure, unless we are prohibited from doing so. More information can be found in section 4 (“Data Sharing”) of our Privacy Policy.