The monday.com Work OS enables teams to develop individual solutions for their work requirements. Data protection is paramount for over 125,000 customers. In addition to regular encrypted backups of all data, monday.com also keeps track of the latest results from the security community. They update their services to fix vulnerabilities and constantly ensure that they use the latest available technologies.
In this blog post, we'll explain detailed information about monday.com's data security policies and practices.
Does monday.com comply with global data protection laws?
monday.com's global privacy program is generally based on the most comprehensive and advanced privacy regulations in the world.
For more information about how monday.com complies with global data protection laws, visit the following page:
GDPR (GDPR) compliance
mondays.com meets the requirements of EU data protection law. The legal and privacy teams regularly monitor and review monday.com's practices to ensure continuous and full compliance with the GDPR (GDPR).
- They consistently back up their customers' data. Critical data is backed up every 5 minutes (this includes all customer data), non-critical data is backed up every day.
- All attachments in your account are encrypted and delivered with access control per user.
- All data shared on monday.com is private and confidential. monday.com has strict controls over their employees' access to internal data, and they are committed to ensuring that your data is never seen by anyone who shouldn't see it.
However, monday.com wouldn't be able to operate without some members having access to the databases to optimize performance and storage space. This team is prohibited from using these permissions to view customer data without the user's express, written permission.
If you want to read more about monday.com and the GDPR, you can find another article at the following link:
Can I sign a Data Processing Addendum (DPA)?
Yes, monday.com also offers a DPA as an addendum. This can here be signed. For larger enterprise customers, monday.com sometimes also signs a DPA that is provided by the customer. If you are interested, feel free to contact us.
Is monday.com customer data encrypted? What methods are used to encrypt the data?
Yes, monday.com uses the following methods to encrypt customer data:
- Data at rest is encrypted using AES-256.
- When transmitted over open networks, data is encrypted using TLS 1.3 (at least TLS 1.2).
- User passwords are hashed and encrypted with a secret key (“hashed and saved”).
What regulations, standards, and certifications related to security and privacy does monday.com currently comply with?
monday.com has the following certifications, reporting, and compliance programs:
- ISO 27001, ISO 27017, ISO 27018, ISO 27032, ISO 27701
- HIPAA
- SOC 1 Type II, SOC 2 Type II, SOC 3
- GDPR
- CCPA
monday.com works closely with industry leaders in web application and infrastructure security, who conduct penetration tests and audits of monday.com. They automatically monitor the product for security vulnerabilities as the product continues to grow.
Where are my files hosted?
monday.com is a completely cloud-based service. The service is hosted on Amazon Web Services infrastructure in Northern Virginia across multiple Availability Zones and with a DR location in another region. Certain backup data is stored on the Google Cloud platform (USA, various regions). These data centers use modern physical and environmental security measures, making the infrastructure extremely fail-safe.
More information about security practices is available here:
Until now, monday.com had their data centers in the USA. To ensure even more security, monday.com has set up new data centers since January 2021, including one in Frankfurt. This allows customers to store their data in Germany and benefit from faster access to the platform. Since 2023, it has also been possible to store the data on AWS in Australia.
What is a data region?
A data region describes a geographical area in which contributions, photos and files from customers are stored. Customer data and backup copies are stored in the region you have selected and are never moved across borders by monday.com.
Which data regions does monday.com support?
By default, the data region is in the USA. In January 2021, monday.com launched the first data region in the EU based in Germany. Australia followed in 2023 as the third region. monday.com is currently evaluating further data regions.
How can I select a data region?
By default, monday.com stores data in the USA from USA customers — EU customers in EU (since the beginning of 2023, previously USA). Corporate customers who want the EU region should contact their partner or account manager. They then help you set up a new account in the EU data center. Once defined at the EU Center, customer data is only stored there.
Where can I see which region my data is in?
To do this, go to the administration area (admin area) and then to “General” and switch to the “Profile” tab. The “data residence” is shown at the very bottom.
Can I change the data region?
Unfortunately, it is not possible to change the data region at the push of a button. As an official partner, however, we are authorized to carry out such a migration. Please get in touch with us if you are interested.
Is all data in my account stored in the selected data region?
All data that you upload to the platform is stored in the data region you design*. Data that is under the supervision of monday.com, such as user login details, profiles and usage statistics, as well as metadata from automations, integrations, and apps, is stored in the monday.com main data region, the USA.
For detailed information about the data that monday.com processes and controls, see their privacy policy:
*Since the main location of monday.com is in Israel, data processing is also carried out in Israel. The European Commission regards Israel as an “adequate” country in terms of data protection.
When do I agree to monday.com's privacy policy?
monday.com places great value on privacy and ensures that when customers open an account, they provide appropriate consents. When opening an account, users automatically sign an order processing contract, which sets out the conditions for processing personal data. This is an essential step to ensure compliance with data protection regulations and to handle user data securely. However, if customers want additional security, they have the option to request an additional contract. The monday.com order processing contract is accessible to all users and can be viewed online so that customers can find out in advance about the conditions under which their data is processed.
Conclusion
monday.com places the highest value on data protection and data security. With advanced encryption methods, compliance with global data protection standards, and the ability for EU customers to store data in a German data center, the company is showing its commitment to securely handling customer data. When opening an account, customers automatically agree to an order processing contract, but can request additional security in the form of an additional contract.
Would you like to learn more about monday.com's privacy practices and be convinced of the integrity of your data? Check out the monday.com Trust Center If you have any questions about your data region or are interested in data migration from the USA to the EU, we are here to help you as an official monday.com partner. Contact us, we're here for you!
.svg)