monday.com secure configuration checklist

 

monday.com is committed to high standards of security and data protection. For a full review of the security program, including operational security measures and relevant certifications, visit the monday.com Trust Center. Securing your monday.com environment requires both the right platform features and responsible configuration.

monday.com offers a comprehensive set of enterprise-grade security capabilities. Under the shared responsibility model, customers are responsible for configuring security controls in their account, including managing access and governing the data their organization uploads. This guide helps you review and implement monday.com security features in your account.

 

1 Review your hosting and account setup

Hosting region

monday.com offers customers the ability to host their data in the EU, the US, or APAC regions. It is important to understand any relevant geographic laws and regulations and to select the appropriate hosting region accordingly.

Account setup

Initial setup of your account should be performed only by an authorized member of your organization, since whoever creates the account becomes its first admin.

Authorized domain

Admins can claim a specific email domain so that users with addresses in that domain sign in to the organization's account and cannot create separate, unmanaged monday.com accounts with their company email.

Admin section

Admins have complete control over the account, so admin credentials are the highest-value target. Limit the number of admins to the absolute minimum required and review the list periodically.

 

2 Configure authentication and access controls

Governing how you access your account is crucial in ensuring secure access.

SSO

Integrate with your Identity Provider (IdP) over SAML 2.0 so that sign-in is handled by the IdP and governed by its policies (MFA, conditional access, account lifecycle) rather than by passwords held in monday.com.

2 Factor Authentication (2FA)

Add an extra layer of protection by enabling 2FA via a text message (SMS) or through an authenticator app. Prefer the authenticator app where possible, as SMS codes are exposed to SIM-swap and interception attacks.

IP restrictions

Restrict access to your account to a defined list of pre-approved IP addresses or ranges, such as your office and VPN egress addresses.

SCIM

SCIM is a protocol for user management across multiple applications, which allows you to provision (add), de-provision (deactivate), and update user and team data from your IdP across multiple applications at once. Connecting SCIM means leavers are deactivated in monday.com as soon as they are deactivated in the IdP, closing the window in which an orphaned account remains usable.

Panic Button

With the Panic Button, admins can lock down the entire account if suspicious activity is detected, blocking all access until recovery is approved.

Session duration

Define an automatic log-out interval for your account members so that idle or forgotten sessions expire in line with your internal session policies.

 

3 Set role-based permissions

Access should be based on role, need-to-know, and least privilege principles.

Account permissions

Control who can see and change work across your account.

Custom account roles

Define account-level roles that reflect a team member’s responsibilities.

Workspace permissions

Control who can do what inside a workspace.

Board permissions

Decide who can view or change content on a specific board, including items, columns, and structure.

Column permissions

Control which columns can be viewed or edited.

 

4 Review logging and monitoring

The ability to monitor user activity is important for account admins. monday.com offers various means for account admins to continuously log and monitor user activity within their monday account.

Audit log

Provides account admins with a detailed report of all account security-related activities.

Activity log

Shows all of a board's past activity in one list, including changed dates, statuses, movement between groups, automations, and permissions. The activity log can also be queried via the API.

Audit Log API

The audit log records are accessible via an API, allowing for further integration into your overall security monitoring, including forwarding events to your internal SIEM where they can be correlated with IdP and network logs.
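The following is an added example of what a SIEM-side consumer of those records might do once they have been fetched; it is not monday.com's own code. The record shape (timestamp, event, user_id, ip_address, user_agent, data) is an assumption about the Audit Log API's JSON, the event names are placeholders to be mapped to the real ones in your account's log, the records and the corporate CIDR range are constructed sample data, and retrieval from the API (token and paging) is left out. It flags the events the sections above make security-relevant: logins from outside the IP allowlist, admin grants, and bulk exports, correlating an export with a recent admin promotion by the same user.

```python
"""Triage monday.com audit log records before forwarding them to a SIEM.

Added example, not monday.com's code. Field names, event names, sample
records and the corporate CIDR below are all assumptions/constructed data.
"""
import ipaddress
import json
from datetime import datetime, timedelta

# Constructed sample records (assumed field names, placeholder event names).
SAMPLE_RECORDS = [
    {"timestamp": "2024-05-01T08:00:12Z", "event": "login", "user_id": 101,
     "ip_address": "203.0.113.10", "user_agent": "Mozilla/5.0", "data": {}},
    {"timestamp": "2024-05-01T08:05:40Z", "event": "login", "user_id": 102,
     "ip_address": "198.51.100.77", "user_agent": "Mozilla/5.0", "data": {}},
    {"timestamp": "2024-05-01T09:12:03Z", "event": "change-user-role", "user_id": 101,
     "ip_address": "203.0.113.10", "user_agent": "Mozilla/5.0",
     "data": {"target_user_id": 102, "old_role": "member", "new_role": "admin"}},
    {"timestamp": "2024-05-01T09:15:22Z", "event": "export-account-data", "user_id": 102,
     "ip_address": "198.51.100.77", "user_agent": "python-requests/2.31", "data": {}},
    {"timestamp": "2024-05-01T10:00:00Z", "event": "update-board", "user_id": 103,
     "ip_address": "203.0.113.25", "user_agent": "Mozilla/5.0", "data": {"board_id": 42}},
]

# Assumption: the ranges your IP restrictions allow. Once IP restrictions are
# enforced, a login from elsewhere should not be possible, so it is worth a look.
CORPORATE_CIDRS = ["203.0.113.0/24"]
# Export within this window of being made admin is treated as critical.
PROMOTION_WINDOW = timedelta(hours=1)


def _ts(rec):
    return datetime.fromisoformat(rec["timestamp"].replace("Z", "+00:00"))


def _outside_allowlist(ip, nets):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True  # an unparsable source address is itself suspicious
    return not any(addr in net for net in nets)


def _finding(rec, severity, reason):
    return {"severity": severity, "reason": reason, "timestamp": rec["timestamp"],
            "event": rec["event"], "user_id": rec["user_id"],
            "ip_address": rec.get("ip_address")}


def triage(records, allowed_cidrs=CORPORATE_CIDRS):
    """Return findings (dicts with severity/reason) for records needing attention."""
    nets = [ipaddress.ip_network(c) for c in allowed_cidrs]
    findings = []
    promoted = {}  # target_user_id -> time they were granted admin
    for rec in sorted(records, key=_ts):  # time order matters for correlation
        event, data = rec["event"], rec.get("data", {})
        outside = _outside_allowlist(rec.get("ip_address", ""), nets)
        if event == "login" and outside:
            findings.append(_finding(rec, "medium", "login from IP outside the allowlist"))
        elif event == "change-user-role" and data.get("new_role") == "admin":
            promoted[data["target_user_id"]] = _ts(rec)
            findings.append(_finding(rec, "high", f"user {data['target_user_id']} granted admin"))
        elif event == "export-account-data":
            when = promoted.get(rec["user_id"])
            if when is not None and _ts(rec) - when <= PROMOTION_WINDOW:
                findings.append(_finding(rec, "critical", "bulk export shortly after admin promotion"))
            elif outside or not rec.get("user_agent", "").startswith("Mozilla"):
                findings.append(_finding(rec, "high", "bulk export from outside allowlist or non-browser client"))
            else:
                findings.append(_finding(rec, "medium", "bulk export"))
    return findings


def to_siem_lines(findings):
    """Serialise findings as newline-delimited JSON, one line per finding."""
    return [json.dumps(f, sort_keys=True) for f in findings]


if __name__ == "__main__":
    for line in to_siem_lines(triage(SAMPLE_RECORDS)):
        print(line)
```

Sorting by timestamp before evaluating is what makes the promotion-then-export correlation work when the API returns pages out of order; the NDJSON output is the form most SIEM collectors accept directly.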

 

5 Review data governance and backups

monday.com customers retain full control of their submitted data, and may modify, export, or delete it at all times using the means available through the service's user interface.

Export Data

The account admin can download and export the entire account's data. You can also set up custom exports using the API.

 

6 Apply network and compliance controls

Tenant level restrictions

Limit which monday.com accounts can be reached from your corporate network, so that users on that network cannot sign in to personal or third-party monday.com accounts and move company data there.

HIPAA compliance

monday.com offers HIPAA-compliant plans for customers that handle protected health information (PHI). Interested customers can review and sign the HIPAA Business Associate Agreement (BAA). The BAA covers monday.com's obligations; under the shared responsibility model, configuring access controls, logging and integrations appropriately for PHI remains your responsibility.

 

7 Review Guardian add-on protections

The Guardian Add-on enhances data protection, helps ensure compliance with security policies, and supports complete control over access management.

Tenant-Level Encryption (TLE)

Each account has its own exclusive encryption key, stored separately and periodically rotated to minimize potential risks.

Bring Your Own Key (BYOK)

Supply your own encryption key and manage its entire lifecycle, granting or revoking monday.com's access to it as needed.

Data Leak Prevention (DLP)

Define scanning parameters to monitor updates and uploaded files, helping ensure compliance with company policies.

Multi-SSO

Configure multiple SSO vendors within the same account.

 

8 Review security feature governance

Review and understand the security governance of monday.com’s advanced features.

Integrations

Integrations are optional and can be disabled through the admin section. Using roles and permissions, you should also ensure that only those with business needs can set up integrations with third parties.

AI

Understand monday.com’s data security practices surrounding AI and how to use AI in a secure way.

API

API tokens act with the permissions of the user they belong to, so ensure those users are provisioned with least privilege, and treat tokens as credentials: store them in a secrets manager and revoke them when the owner leaves or the integration is retired.

 

9 Configure AI permissions

Account permissions

As an account admin, you can choose to disable AI capabilities on the account via the Administration section. This is not recommended.

Workspace level

If you are concerned with categories of sensitive data that are processed and want to exclude the possibility of this data being processed by AI, you can turn off AI on the workspace level using workspace permissions.

User level

Using custom roles, you can define which AI features each role can use. This gives account admins granular control over users' access to monday AI features based on their role.

 

If you have any questions, please reach out to our team right here. We’re available 24/7 and happy to help.
