The monday.com Work OS enables teams to develop customised solutions for their work requirements. With over 125,000 customers, data protection takes centre stage. In addition to a regular encrypted backup of all data, monday.com also follows the latest findings of the security community. They update their services to fix vulnerabilities and constantly ensure that they are using the latest technologies available.
In this blog post, we provide you with detailed information about monday.com’s data security policies and practices.
monday.com has summarised all information regarding security, data protection and certifications in one place.
Does monday.com comply with worldwide data protection laws?
monday.com’s global data protection programme is generally based on the most comprehensive and advanced data protection regulations in the world.
You can find more information about how monday.com complies with worldwide data protection laws on the following page:
Compliance with the GDPR (DSGVO)
monday.com fulfils the requirements of the EU Data Protection Act. The legal and data protection teams regularly monitor and review monday.com’s practices to ensure continuous and full compliance with the GDPR (DSGVO).
- They consistently secure their customers’ data. Critical data is backed up every 5 minutes (this includes all customer data), non-critical data daily.
- All attachments in your account are encrypted and delivered with per-user access control.
- All data shared on monday.com is private and confidential. monday.com has strict controls over their employees’ access to internal data and they are committed to ensuring that your data is never seen by anyone who should not see it.
Nevertheless, the operation of monday.com would not be possible if some members did not have access to the databases in order to optimise performance and storage space. This team is prohibited from using these authorisations to view customer data without the express written permission of the user.
If you would like to read more about monday.com and the GDPR, you can find another article at the following link:
Can I sign a data processing addendum (DPA)?
Yes, monday.com also offers a DPA as a supplement. This can be signed here. For larger enterprise customers, monday.com sometimes also signs a DPA that is provided by the customer. If you are interested, you are welcome to contact us.
Is the data of monday.com customers encrypted? Which methods are used to encrypt the data?
Yes, monday.com uses the following methods to encrypt customer data:
- Data at rest is encrypted with AES-256.
- Data is encrypted with TLS 1.3 (at least TLS 1.2) when transmitted via open networks.
- User passwords are hashed and encrypted with a secret key (‘hashed and salted’).
Which regulations, standards and certifications in connection with security and data protection are currently adhered to by monday.com?
monday.com has the following certifications, reporting and compliance programmes:
- ISO 27001, ISO 27017, ISO 27018, ISO 27032, ISO 27701
- HIPAA
- SOC 1 Type II, SOC 2 Type II, SOC 3
- GDPR
- CCPA
monday.com works closely with industry leaders in web application and infrastructure security who conduct penetration tests and audits of monday.com. They automatically monitor the product for security vulnerabilities while the product continues to grow.
Where are my files hosted?
monday.com is a fully cloud-based service. The service is hosted on the Amazon Web Services infrastructure in Northern Virginia across multiple availability zones and with a DR site in another region. Certain backup data is stored on the Google Cloud platform (USA, various regions). These data centres use modern physical and environmental security measures so that the infrastructure is extremely fail-safe.
More information about the security practices is available here:
Until now, monday.com had its data centres in the USA. To ensure even greater security, monday.com has set up new data centres since January 2021, including one in Frankfurt. This allows customers to store their data in Germany and benefit from faster access to the platform. Since 2023, there has also been the option of storing the data in AWS in Australia.
What is a data region?
A data region refers to a geographical area in which customer contributions, photos and files are stored. Customer data and backup copies are stored in the region you have selected and are never transferred across borders by monday.com.
Which data regions does monday.com support?
By default, the data region is located in the USA. In January 2021, monday.com launched the first data region in the EU, which is based in Germany. Australia followed as the third region in 2023. monday.com is currently evaluating further data regions.
How can I select a data region?
By default, monday.com stores the data of US customers in the USA and the data of EU customers in the EU (since the beginning of 2023, previously USA). Corporate customers who require the EU region should contact their partner or account manager. They will then help you set up a new account in the EU data centre. Once established in the EU centre, customer data remains exclusively secured there.
Where can I see in which region my data is located?
To do this, go to the administration area (admin area) and then to “General” and switch to the “Profile” tab. The “Data residence” is displayed at the bottom.
Can I change the data region?
Unfortunately, it is not possible to change the data region at the touch of a button. However, as an official partner, we are authorised to carry out such a migration. Please contact us if you are interested.
Will all the data in my account be stored in the selected data region?
All data you upload to the platform will be stored in the data region you specify*. Data under monday.com’s control, such as user login data, profiles and usage statistics, as well as metadata from automations, integrations and apps, is stored in monday.com’s main data region, the USA.
For detailed information on the data that monday.com processes and controls, see their privacy policy:
*Since the main location of monday.com is in Israel, data processing also takes place in Israel. The European Commission considers Israel to be an “adequate” country in terms of data protection.
When do I agree to the privacy policy at monday.com?
monday.com attaches great importance to data protection and ensures that customers give their consent when they open an account. When opening an account, users automatically sign a data processing agreement that sets out the conditions for the processing of personal data. This is an essential step to ensure compliance with data protection regulations and to handle user data securely. However, if customers want additional security, they have the option of requesting an additional contract. The monday.com data processing agreement is accessible to all users and can be viewed online so that customers can inform themselves in advance about the conditions under which their data will be processed.
Conclusion
monday.com places the highest value on data protection and data security. With advanced encryption methods, compliance with global data protection standards and the option for EU customers to store data in a German data centre, the company demonstrates its commitment to the secure handling of customer data. When opening an account, customers automatically agree to a data processing agreement, but can request additional security in the form of an additional contract.
Would you like to learn more about monday.com’s data protection measures and assure yourself of the integrity of your data? Take a look at the Trust Centre of monday.com. If you have any questions about your data region or are interested in migrating your data from the USA to the EU, we are at your side as an official monday.com partner. Contact us – we are here for you!
Source: monday.com