Privacy is more than just a policy
My monday.com journey started years ago, back when it was called ‘dapulse’ and I was working for one of its very first customers. Then, in early 2018, with over a decade of privacy work under my belt, I had the fortune of being appointed as the Data Protection Officer at monday.com.
Together with monday.com’s privacy, security and legal teams, as well as numerous champions and countless allies across the organization, we set out to build and lead our privacy program to new heights. We continue to empower our customers who trust us with their data, and protect the privacy of those millions of individuals whose data we process.
A lot has changed over the years at monday.com as it became one of the fastest growing and most innovative SaaS providers in the world. Yet monday.com’s privacy principles and commitment remain the same:
Customer data belongs to the customer. Your personal data is yours. We’re here to secure that. To honor your trust in us and ensure that your privacy and rights are protected.
If you have read through everything and still haven’t found what you were looking for; or if you have any suggestions on how we can improve, please drop us a line at firstname.lastname@example.org.
We appreciate any and all feedback received, as we look to do our best by you and your data.
Aner Rabinovitz – Data Protection Officer at monday.com
Does monday.com comply with privacy legislation around the world?
Our global privacy program is generally based on the most comprehensive and advanced data protection regulations in the world, with the EU GDPR serving as our “north star” for doing privacy the right way.
In the event that any particular and special requirements would directly apply to us under a local law or regulation, in our capacity as our customer’s data processor, we would address those requirements in accordance with our obligations under law and our Data Processing Addendum with such customer.
Interested in how we’re addressing privacy laws or regulations around the world? Read more below:
monday.com & the GDPR
monday.com & the CCPA
monday.com & the Australian Privacy Act and Principles
HIPAA Business Associate Agreement
monday.com & Canada’s PIPEDA
monday.com & Brazil’s LGPD
Controllers and Processors
The GDPR defines and distinguishes between two primary roles when it comes to collecting and processing personal data: data controllers and data processors.
A data controller determines the means and purposes for processing personal data, while a data processor is a party that processes data on behalf of the controller.
monday.com is the data processor of personal data that its customers and users submit to the platform (into their boards and items within their monday.com account), and processes this data on its customer’s behalf. We do so in accordance with the Data Processing Addendum entered into with our customer. The third party service providers we use to help us process this data are our “sub-processors”.
Does monday.com offer a Data Processing Addendum (DPA)?
Does monday.com engage with any sub-processors?
Yes - we engage selected third party service providers to help us process our customers’ data on their behalf. A list of our sub-processors can be found here.
We hold our sub-processors to high industry standards with respect to data security and privacy, and consider both areas as critical in our vendor selection process. Among others, we have ensured that Data Processing Addendums and other relevant documentation are in place with all of our sub-processors, and perform privacy and security assessments and questionnaire-based audits, all in accordance with regulatory requirements.
Does monday.com engage in cross-border transfers of personal data?
Yes. monday.com Ltd. is headquartered in Israel, with offices and teams located in the US, UK, Australia, the Ukraine and Guatemala. Our sub-processors are also situated in various countries, as detailed on our sub-processors page.
When we transfer personal data from the EU to other countries, we rely on the lawful transfer mechanisms in the GDPR, such as the “adequacy decisions” made by the European Commission (e.g. the decisions deeming the UK and Israel as providing an adequate level of protection to personal data originating from the EU), and the EU Standard Contractual Clauses.
As of January 2021, monday.com offers multi-region capabilities, allowing our customers the choice of having their data hosted either in the USA or Germany. For more information, please visit https://monday.com/blog/product/new-eu-data-region/
Has monday.com appointed a Data Protection Officer (DPO)?
Did monday.com designate EU and UK Representatives?
Yes. monday.com has designated VeraSafe as its EU Representative under Article 27 of the EU GDPR; and monday.com UK 2020 Limited as its UK Representative under Article 27 of the UK GDPR.
Our EU Representative VeraSafe may be contacted only on matters related to the processing of personal data, through this contact form.
Our UK Representative monday.com UK 2020 Limited may be contacted via email, at [email@example.com].
Does monday.com create and maintain Records of Processing Activities on behalf of its customers?
Our customers, as the controllers of such data, should maintain a comprehensive and detailed record for their own purposes and compliance posture, including with respect to the personal data they have processed via monday.com, and the data subjects to whom such data relates. monday.com, as a data processor, maintains a general record of its processing activities. However, we do not monitor the specific data that is being processed on behalf of our customers, and therefore the records we maintain will not address those.
Does monday.com permit governmental authorities access to its customers’ data?
monday.com does not permit governmental authorities free access to any customers’ data held with us. We very rarely receive any requests from authorities (in the US or otherwise) to disclose customer data, and in the rare few instances where we have received such requests in previous years, these were limited in scope and addressed very legitimate grounds for requesting such data (e.g. suspected illegal activity related to that particular account).