Security and privacy on monday.com: FAQs

 

monday.com is a cloud-based SaaS web application. It is commercial off-the-shelf (COTS), so no setup is required, and your data is stored with our Cloud Service Providers (CSP).

In this article, we answer common questions about privacy roles, governance and compliance, data hosting and retention, security controls (access, encryption, secure development, mobile), incident response and disaster recovery.

 

Privacy terminology

Some privacy and data protection laws, including the GDPR and CCPA, distinguish between two primary roles when collecting and processing personal data: data controllers and data processors. Under the CCPA, these are known as businesses and service providers.

A data controller (or business) determines the means and purposes for processing personal data.

A data processor (or service provider) is a party that processes data on behalf of the controller.

monday.com is the data controller (or business) of personal data relating to our customers, users, and website visitors. This is further detailed in our Privacy Policy.

monday.com is the data processor (or service provider) of personal data that our customers and users submit to the Services (for example, into boards and items within a monday.com account). We process this data solely on our customers’ behalf, in accordance with the Data Processing Addendum. The third parties we use to help us process this data are our sub-processors. A list of our sub-processors, including their hosting regions and the types of services they provide us with, is available here.

You can also subscribe to get email notifications about any updates to our sub-processors list through the link above.

 

FAQs

Governance risk and compliance

Does monday.com have a formal information security team and program in place?

Yes. Our security efforts are guided and managed by our Security Team and wider Security Forum, which is composed of representatives from Infrastructure, R&D, Operations, and IT Teams. The Security Team is led by our Chief Information Security Officer (CISO), and our Security Leadership has decades of cybersecurity experience. monday.com’s security program adheres to the local and international laws, standards, and regulations that apply to monday.com, and defines the measures and controls we have in place to protect the monday.com service and our customers’ data.

The program is based on ISO 27001, reviewed annually, and covers the entire monday.com organization, including subsidiaries, employees, contractors, subcontractors, partners, and anyone who creates, maintains, stores, accesses, processes, or transmits monday.com’s or its users’ information in connection with the service.

monday.com employees are required to complete formal training regarding the information security and privacy obligations they must fulfill.

Which Security and Privacy regulations, standards, and certifications does monday.com comply with as of the date hereof?

Our security model and controls are based on international standards and industry best practices, such as ISO 27001, ISO 27018, SOC 2, and OWASP Top 10. For a full overview of monday.com's security and compliance, please visit our Trust Center.

Do you have a Risk Assessment Framework?

Yes. monday.com's Information Security Risk Assessment Policy is designed to provide an understanding of the risks to which information and information assets are exposed and a framework for the mitigation steps for identified risks. As part of our ISO 27001 certification, we conduct an annual risk assessment. Threats to system security are identified and evaluated, and the risk from these threats is formally assessed. The process is documented and maintained, and all remediation activities must be approved by management.

 

Privacy

Does monday.com have agreements in place with customers, in which they determine the nature of processing customer data?

Yes. Please review our Terms of Service and Data Processing Addendum.

monday.com is the “data controller” of personal data related to our users, as the purposes of processing this data, and the means by which we process it, are exclusively determined by us. You can find monday.com’s Privacy Policy here.

What type of data does monday.com collect?

When creating a new account, we store personal data provided to us by users, such as the user's full name, email address, and phone number as part of the user profile. For more information on the data monday.com collects as the data controller, see our Privacy Policy.

For data submitted to the monday.com platform (i.e. in boards, items, docs, etc. (“Customer Data”)), monday.com acts as the “data processor”, and the customer is the “data controller”. Therefore, the customer determines the data types that are submitted to the monday.com platform.

As the data controller, customers decide which data will be uploaded to monday.com. monday.com does not know in advance which data a customer will upload, so we classify all Customer Data as confidential. Once you start using the monday.com service, the data stored by us depends on your usage of the service and on the type of data (text, files, and so on) that you and your authorized users decide to submit and upload to monday.com.

Is monday.com PCI-DSS compliant?

We comply with PCI-DSS as a company when a customer makes a payment to us. However, the monday.com platform is not intended to process credit card data and is, therefore, not required to be PCI-DSS compliant.

Regarding payment, monday.com uses the services of a third-party PCI-DSS certified billing processor; therefore, any credit card payments processed through our billing processor are processed according to the PCI-DSS requirements. PCI-DSS data is not stored on our service.

Regarding uploading PCI-DSS data to the monday.com service: Please review Section 3.3 (“No Sensitive Data”) of our Terms of Service.

Where are monday.com’s data centers located?

monday.com is a fully cloud-based service and does not offer an on-premises version. Our service is hosted on Amazon Web Services (AWS) infrastructure. We offer hosting in the US, EU, and AUS Data Regions. Our data center is hosted across multiple Availability Zones, with a disaster recovery (DR) site established in a different region. Please refer to this article for an overview of where data centers are located and where data is stored.

These data centers utilize advanced physical and environmental security measures, resulting in highly resilient infrastructure. More information about their security practices is available at: AWS security page.

How long does monday.com retain my data? What happens to it if I stop using the service?

monday.com customers retain full control over their uploaded data and may modify or delete it at any time during their subscription term, using the means available to them through monday.com's user interface.

Admins of the account can request deletion of the account data as part of the account closure procedure, which is handled through monday.com’s admin panel. All data submitted to the account will be deleted within 90 days. This includes a 30-day period to allow for rollback and an additional 60 days to delete the data from our databases and our sub-processors' databases.

Alternatively, admins may opt to keep account data even after they close their account and cancel the subscription, in which case our current policy is to retain the account data without commitment to a specific duration. In such cases, we may delete it with or without notice.

Please note that you can export data from your account at any time in two formats:

  • Boards can be exported to Excel.
  • Admins can export the entire account's data from the administrator panel into a zip archive containing Excel sheets and the files uploaded to the account.

At the end of a contract, upon request for deletion, storage media decommissioning is performed by our hosting providers (AWS, as described above) using the media sanitization techniques described in NIST SP 800-88.

 

Operational and application security

Do you provision employee users using the principles of least privilege?

Yes. Access is granted based on role and the need-to-know and least-privilege principles, using an Identity Provider (IdP). User access is modified within 24 hours following a change in employment or termination (alongside the return of the company's equipment). Quarterly user access reviews are conducted to ensure the appropriateness of access privileges.
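As an added illustration of what a check on that 24-hour window looks like in practice (this is example code written for this article, not monday.com's own tooling), the following Python reconciles a constructed HR change feed against a constructed IdP account export and reports changes that are past the SLA but not yet reflected in the IdP. The record fields, the sample users, and the 24-hour SLA value are assumptions for the example.

```python
from datetime import datetime, timedelta

# Constructed sample data for this example (not real monday.com records):
# an HR feed of employment changes and an IdP export of current accounts.
HR_EVENTS = [
    {"user": "alice@example.com", "event": "terminated", "at": "2024-05-01T09:00:00Z"},
    {"user": "bob@example.com", "event": "terminated", "at": "2024-05-03T17:30:00Z"},
    {"user": "carol@example.com", "event": "role_change", "at": "2024-05-02T12:00:00Z",
     "from_role": "finance-admin", "to_role": "finance-readonly"},
]
IDP_ACCOUNTS = [
    {"user": "alice@example.com", "enabled": True, "groups": ["eng"]},
    {"user": "bob@example.com", "enabled": False, "groups": []},
    {"user": "carol@example.com", "enabled": True, "groups": ["finance-admin"]},
    {"user": "dave@example.com", "enabled": True, "groups": ["it"]},
]

SLA = timedelta(hours=24)  # assumed deprovisioning deadline after an HR change


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp with a trailing 'Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def overdue_changes(hr_events, idp_accounts, now, sla=SLA):
    """Return HR changes whose SLA has expired but that the IdP does not reflect.

    A leaver still enabled, or a mover still holding the group of the role
    they left, is a finding. Changes still inside the SLA window are skipped,
    as are HR records with no matching IdP account.
    """
    now = parse_ts(now)
    accounts = {a["user"]: a for a in idp_accounts}
    findings = []
    for ev in hr_events:
        deadline = parse_ts(ev["at"]) + sla
        if now <= deadline:
            continue  # still inside the window, not a finding yet
        acct = accounts.get(ev["user"])
        if acct is None:
            continue  # nothing to revoke
        if ev["event"] == "terminated" and acct["enabled"]:
            findings.append({"user": ev["user"],
                             "issue": "account still enabled after termination",
                             "overdue_by": now - deadline})
        elif ev["event"] == "role_change" and ev["from_role"] in acct["groups"]:
            findings.append({"user": ev["user"],
                             "issue": f"still in group {ev['from_role']} after role change",
                             "overdue_by": now - deadline})
    return findings


if __name__ == "__main__":
    for f in overdue_changes(HR_EVENTS, IDP_ACCOUNTS, now="2024-05-04T12:00:00Z"):
        print(f"{f['user']}: {f['issue']} (overdue by {f['overdue_by']})")
```

Run against the sample data at 2024-05-04T12:00Z, the check flags Alice (terminated three days earlier, still enabled) and Carol (still in her old admin group); Bob's termination is inside the window and his account is already disabled, so he is not reported. The same function, fed a real HR export and IdP listing, is the kind of evidence a quarterly access review would attach.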

Do monday.com employees have access to customer data?

All Customer Data is classified as confidential, and is generally not accessed for the performance of our service. When necessary, access is granted based on the need-to-know and least-privilege principles for the performance of our service and the purposes as outlined under Section 3.1 (Customer Data) of our Terms of Service.

Is customer data encrypted? What methodologies are used to encrypt data?

Our environment utilizes industry-standard multi-tenant architecture with logical separation between customers. Customer data is segregated at the application level using unique IDs that are the result of a combination of several parameters.
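To make concrete what application-level segregation in a multi-tenant store means, here is an added example (written for this article; it is not monday.com's code and says nothing about how monday.com's IDs are actually built) using an in-memory SQLite table with an assumed account_id column. It puts the classic mistake, looking up a record by its ID alone, next to the tenant-scoped query, and includes a small probe that counts how many foreign rows each variant leaks when one tenant enumerates IDs.

```python
import sqlite3


def seed():
    """Constructed in-memory dataset for the example: two tenants, one item each."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE items (id INTEGER PRIMARY KEY, account_id INTEGER NOT NULL, name TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO items VALUES (?, ?, ?)",
        [(101, 1, "Acme roadmap"), (102, 2, "Globex payroll")],
    )
    conn.commit()
    return conn


def get_item_unscoped(conn, item_id):
    """VULNERABLE: trusts the item id from the request alone, so any
    authenticated user can read any tenant's item by guessing ids."""
    return conn.execute(
        "SELECT id, account_id, name FROM items WHERE id = ?", (item_id,)
    ).fetchone()


def get_item(conn, session_account_id, item_id):
    """Hardened: the account id comes from the authenticated session, never
    from the request, and every query is scoped to it, so a foreign id simply
    does not exist from this tenant's point of view."""
    return conn.execute(
        "SELECT id, account_id, name FROM items WHERE id = ? AND account_id = ?",
        (item_id, session_account_id),
    ).fetchone()


def leaked_rows(conn, session_account_id, id_range, scoped):
    """Enumerate ids as the given tenant and return rows belonging to other tenants."""
    leaks = []
    for item_id in id_range:
        row = (get_item(conn, session_account_id, item_id) if scoped
               else get_item_unscoped(conn, item_id))
        if row is not None and row[1] != session_account_id:
            leaks.append(row)
    return leaks


if __name__ == "__main__":
    db = seed()
    print("unscoped leaks:", leaked_rows(db, 1, range(100, 110), scoped=False))
    print("scoped leaks:  ", leaked_rows(db, 1, range(100, 110), scoped=True))
```

The point of the probe is that logical separation is only as strong as the discipline that every data-access path carries the tenant scope; a single unscoped query is enough to turn sequential IDs into a cross-tenant read.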

monday.com uses the following methods to encrypt customer data:

  • Data at rest is encrypted using AES-256.
  • Data in transit across open networks is encrypted using TLS 1.3 (at minimum TLS 1.2).
  • Passwords are hashed with bcrypt, which applies a unique salt to each password and a configurable number of rounds (work factor).

How does monday.com ensure its code is developed securely and perform application security testing?

We use the OWASP Top 10 and the Common Vulnerability Scoring System (CVSS) in our software development lifecycle: the former to guide secure design and review, the latter to rate and prioritize findings. All code written by our developers is statically analyzed and peer reviewed to help ensure code quality and security before deployment. We continuously evaluate and monitor our application for vulnerabilities during and after deployment.

Third-party application penetration testing is performed on an annual basis by an independent third party, utilizing both manual and automatic testing methodologies.

In addition, our internal Application Security Team regularly performs security audits and penetration tests on various features that require a deep understanding of our internal security mechanisms and architecture.

Dynamic application security testing (DAST), which probes the running application from the outside in the way a real-world attacker would, is performed at least weekly.

As part of our external and internal penetration testing, network scanning tools are used against our production servers. We also maintain a managed Bug Bounty Program, allowing the public to report any findings. Security vulnerabilities can be reported to security@monday.com, or through our HackerOne vulnerability submission form.

Does monday.com offer a mobile application and is the mobile app secure?

Yes. monday.com offers a mobile application. Its architecture and its communication with the service are the same as the web application's, and it has the same security and privacy configuration. There are minor differences, such as caching: to speed up the app on slow connections and when the user is offline, the mobile app caches data from boards accessed during the user’s session in a local database on the device. That database lives in the app’s own storage container, so other apps on the device cannot read it because of the mobile OS’s sandbox. On logout or when the app is removed, all cached data is deleted from the device.

 

Incidents, availability, and disaster recovery

Does monday.com have a Disaster Recovery Plan?

Yes. We maintain a Disaster Recovery Plan (DRP) for dealing with disasters affecting our production environment, which includes restoring the service's core functionality from our dedicated DR location. Testing is conducted at least twice a year. DR tests may take the form of a walk-through, mock disaster, or component testing. The Disaster Recovery Plan is available in our Trust Center.

How do you ensure your service’s availability?

We employ a microservices architecture to ensure minimal impact on system health in the case of failure of one or more components. Multiple Availability Zones are utilized to provide additional resiliency, and we have alternative providers for some of the services we depend on.

Enterprise customers are provided with a 99.9% SLA, subject to the terms of the SLA.

Additionally, our service's availability can be monitored through our status page, where you can also subscribe to receive updates via email or text messages.

Does monday.com have a formal incident response plan?

Yes. Our Incident Response Plan sets forth internal guidelines for detecting incidents, escalating them to the relevant personnel, communication (both internal and external), investigation, mitigation, and post-mortem analysis.

Further information can be found in Section 7 (Data Incident Management and Notification) of our DPA.

If you have any questions, please reach out to our team right here. We’re available 24/7 and happy to help.
