Is monday.com GDPR Compliant?
Whether your team is working in-person, fully remote, or somewhere in between, utilizing a project management platform can be key to being productive as a unit. Teams of all sizes are collaborating and ramping up their productivity with platforms like monday.com.
These platforms end up holding a good deal of your data, both your company's intellectual property and any personal data that you store or upload within the platform itself.
This naturally raises concerns around security and privacy, especially when there are strict data regulations to follow. Because of this risk, any organization that has to meet such standards should only use a work management platform that meets its required security and privacy requirements. Let's see whether monday.com can meet those standards.
What is monday.com?
monday.com is a work management platform for teams of all sizes, across all industries. It’s designed to be a flexible work operating system that can manage, plan, organize, track, and scale all your tasks and activities.
You can create custom apps and automated workflows with a visual drag-and-drop builder. Plus, monday.com integrates with hundreds of other tools like Slack, the Microsoft Office suite, Google Workspace products, and more, so you can plug those into your workflows.
It can be used for marketing, sales, IT, project management, software development, remote work, and more. It’s used by everyone from solo freelancers to enterprises like Uber and the National Hockey League (NHL).
But does this popular work tool meet the EU’s strict privacy laws?
What Makes a Work Management Platform GDPR Compliant?
In order to figure out whether monday.com is compliant with the General Data Protection Regulation (GDPR) and can be used by companies that need to abide by the law, let’s first look at what the law requires in the first place.
The European Union's (EU) GDPR protects the personal data and privacy rights of individuals located in the EU, whatever their citizenship. The EU treats data protection as a fundamental right, and with it come the rights to be informed about what personal data is held, to restrict how that data is used, and to request correction or deletion of those records.
These rules apply to any organization handling, storing, or processing EU residents' personal data, whether that organization is inside or outside the EU.
Any SaaS solution, email provider, or other organization handling personal data must have a lawful basis for doing so (Article 6). Consent is one such basis, and when it is relied on it must be freely given, specific, informed, and unambiguous, and the organization must be prepared to stop processing when it is withdrawn. Personal data may only be collected, processed, and stored for a legitimate, stated purpose and only for as long as that purpose requires.
Data must be protected by design and by default (Article 25). The service provider needs to ensure that it is kept confidential, secure, and private, and that its integrity is preserved.
GDPR extends beyond technical measures. Data handlers are also required to have administrative policies that maintain data privacy and security throughout the organization. A few of these include adequate employee training, thorough privacy policies, and restricting personnel access to personal data to those who need it.
The EU holds organizations accountable for maintaining security, and GDPR compliance needs to be demonstrable at any time. If there is a personal data breach, the controller must notify the supervisory authority within 72 hours of becoming aware of it (Article 33) and, where the breach is likely to result in a high risk to individuals, must also inform the affected data subjects without undue delay (Article 34). A processor must report a breach to its controller without undue delay.
Does monday.com Meet GDPR Compliant Standards?
According to monday.com, the platform is fully GDPR compliant. The company has conducted its own risk assessments and data mapping to ensure that all personal data it handles is processed according to GDPR requirements.
monday.com has also been audited by independent third parties and holds several attestations and certifications that support its GDPR compliance claims: SOC 2 Type II and SOC 3 reports, and ISO 27001 (ISMS) and ISO 27018 (protection of personal data in public clouds) certifications. Note that none of these is a GDPR certification as such; they show that an auditor has verified the security and privacy controls that GDPR compliance relies on.
SOC 2 Type II and SOC 3 are attestation reports issued under the American Institute of Certified Public Accountants (AICPA) standards by an independent CPA firm, not certificates issued by the AICPA itself. In monday.com's case the auditor was Ernst & Young (EY), which found the company's controls to be operating as described.
The company has its own EU representative and a Data Protection Officer who is dedicated to privacy compliance and open to answering questions.
How is monday.com GDPR Compliant?
With respect to the data your organization puts into the platform, monday.com is a data processor and your organization remains the data controller. The processor's role is to store and process your organization's data only on your instructions and in a GDPR-compliant way, and to keep a record of its processing activities (Article 30).
monday.com implements GDPR-compliance measures in the platform’s infrastructure, in their organizational design and systems, and in their management policies.
The platform’s infrastructure has multiple security layers including multiple firewalls, DDoS mitigation, attack detection sensors, and network traffic recording.
Data is encrypted in transit and at rest. monday.com states that all of its sub-processors are GDPR compliant, and it conducts regular assessments to ensure security and privacy.
monday.com stores customer data outside the European Union, on Amazon Web Services (AWS), and AWS itself offers GDPR-compliant infrastructure. Two caveats apply. First, transferring EU personal data outside the EU requires an appropriate transfer mechanism under Chapter V of the GDPR (such as Standard Contractual Clauses), so check how this is addressed in monday.com's data processing agreement rather than relying on AWS's compliance alone. Second, the AWS SOC reports are available for verification, but only to customers signed in to an AWS account (they are distributed through AWS Artifact), so you cannot download them anonymously.
monday.com gives your organization the data administration controls needed for GDPR-compliance including the ability to delete user profiles, information, and accounts.
monday.com will destroy or anonymize user data after profiles are deleted while letting you keep non-personal posts, files, and analytics data. It has also updated its Terms of Use and Privacy Policy to reflect GDPR requirements.
You can enter into a data processing agreement (DPA) with monday.com, as Article 28 of the GDPR requires between a controller and its processor. The DPA is available online; you sign it and send it to monday.com's legal team, who countersign it and return it to you. The DPA records each party's obligations under the GDPR and the liability each accepts for its own processing and handling of personal data if a breach were to occur.
Conclusion
If you create, store, or process the personal data of any residents of the EU then every aspect of your work operations needs to be GDPR compliant, including your work management platform.
monday.com is a strong option for organizations that need this capability. Beyond GDPR compliance itself, its team is dedicated to privacy enhancement and continues to deliver features that improve security.
But there are a few other issues to consider when it comes to GDPR compliance.
Does your team restrict customer data only to those who need it or is it generally accessible? Are workstations kept secure or are they shared? Do you know how to audit your security status? How will you handle a data or privacy breach?
You only qualify as GDPR-compliant when every measure is in place. If the EU’s regulations are tripping you up, Accountable is here to help clear up some of the confusion and set you up for success in compliance.