Privacy

At monday.com, protecting the privacy of our customers, users, and website visitors is a core part of how we design, build, and operate our products. Our global privacy program is built on leading international standards - including the GDPR, UK GDPR, CCPA, Israeli PPL law, and other applicable privacy frameworks. This page provides a clear overview of how we handle personal data, the choices available to customers and users, and the controls built into our platform.

monday.com acts in two distinct privacy roles, depending on the type of data:

monday.com as Data Processor

For Customer Data (the content customers and their users choose to store in our products, e.g., in boards, items, docs, and automations), monday.com acts as a data processor/service provider. We process that data under our customers’ instructions, in accordance with our Terms of Service and our Data Processing Addendum (DPA).

monday.com as Data Controller

For User Data (e.g., profile details, login activity, security logs) and Prospect Data (e.g., website visitor analytics, marketing preferences), monday.com acts as a data controller/business. We explain our practices in our Privacy Policy.

monday.com’s AI capabilities are designed with privacy, transparency, and compliance at their core. We maintain strong safeguards to ensure that customers retain full control over their data.

How monday AI handles data

• Customer Data is not used to train AI models.
• Admins can choose whether AI features are enabled within their account.
• AI features do not override existing access permissions.

For a detailed breakdown of how monday.com AI works, including data handling, security, and third-party models, visit our full AI Frequently Asked Questions article.

We’re committed to meeting the privacy expectations of customers around the world. Explore how we align with key regulations and industry frameworks here:

• monday.com & the GDPR/UK GDPR
• monday.com & the CCPA
• monday.com & the Australian Privacy Act and Principles
• HIPAA Business Associate Agreement
• monday.com & Canada’s PIPEDA
• monday.com & Brazil’s LGPD
• monday.com & Japan’s APPI

These resources provide clear overviews of how monday.com’s privacy practices map to each regulatory environment - helping understand how we protect data globally.

monday.com operates three primary data regions for hosting customer accounts:

• United States
• European Union (Germany)
• Asia Pacific (Australia)

Customer Account Data is hosted in the region assigned to the account, with the same strong security and privacy protections applied across all regions.

EU Region (Enterprise):

Enterprise accounts hosted in the EU region benefit from region-bound residency, meaning Customer Data – including hosting by our sub-processors – remains within the EU. This is the only configuration with strict regional residency.

EU (non-Enterprise), US, and APAC Regions:

For accounts hosted in the EU (non-Enterprise), US, or APAC regions, Customer Account Data is hosted in the assigned region. To deliver a reliable global service, monday.com may also engage sub-processors that host data components outside the assigned region, as further outlined in our DPA and Sub-processors page.

monday.com operates globally, with teams and sub-processors located in several countries (as further described under our Sub-processors page). As a result, certain processing activities may involve cross-border transfers of personal data.

For data originating in the EEA, UK or Switzerland, monday.com supports compliant international transfers, as provided in Section 9 of our DPA:

• Adequacy decisions, where available (including Israel, the EU–US Data Privacy Framework, the UK Extension, and the Swiss–US Data Privacy Framework).
• Standard Contractual Clauses (SCCs), together with the UK Addendum and Swiss Addendum, for transfers to countries not deemed adequate.

In these cases, we incorporate the appropriate SCC modules into our agreements and apply additional safeguards designed to enhance the protection of personal data and uphold data subject rights.

We work with a number of trusted third-party providers (sub-processors) who help us deliver and support the monday.com platform. Each sub-processor must meet strict security and privacy requirements before we engage them.

Before onboarding any sub-processor, we:

• Perform a thorough privacy and security review of their controls.
• Enter into a Data Processing Agreement that includes the appropriate SCC modules and additional safeguards.
• Ensure they meet our confidentiality, security, and data protection standards.

We also conduct periodic reassessments to ensure continued compliance.

Customers can always view the current list of approved sub-processors on our Sub-processors page and can subscribe via that page to updates about any changes, as outlined in our DPA.

We do not provide government authorities with unrestricted access to customer data. Requests of this nature are rare, and in the few instances where we have received a lawful request, it was narrow in scope and related to clear, legitimate grounds (for example, suspected illegal activity involving a specific account).

If we ever receive such a request, our Legal and Privacy teams conduct a review to ensure it is valid, properly issued, and only requires disclosure of the minimum amount of data necessary. We also use our best efforts to notify the affected customer before any disclosure occurs, unless we are legally prohibited from doing so.

For the data we control, data subjects may request the following (to the extent available to them under applicable Data Protection Laws):

• Access
• Correction
• Deletion
• Portability
• Objection or restriction (where applicable)
• Opt-out of direct marketing
• Do not sell or share

Customers (as controllers of Customer Data) manage requests for data stored inside their monday.com account.

If you have questions about how monday.com processes personal data, or wish to exercise your privacy rights, you may contact:

• Our Data Protection Officer (DPO):
  Mr. Aner Rabinovitz, reachable at [email protected].
• Our EU Representative:
  VeraSafe, which may be contacted only for matters related to the processing of personal data of EU residents, through this contact form.
• Our UK Representative:
  monday.com UK 2020 Limited, reachable at [email protected].

You may also reach our general privacy team at [email protected].