Provider Data Processing Addendum
Please note: in case the Agreement (as defined below) was executed on or before May 18, 2022, and we did not yet update it – the previous version of the DPA applies. To request a copy thereof – please send an email to email@example.com.
This Data Processing Addendum (“DPA”) is entered into by you, the provider (“Provider”), and monday.com Ltd. (“monday.com”) to reflect the parties’ agreement with regard to the Processing of Personal Data by Provider on behalf of monday.com. Both parties shall be referred to as the “Parties” and each, a “Party”.
In consideration of the mutual obligations set out herein, the Parties hereby agree that the terms and conditions set out below shall be added as an Addendum integral to the applicable agreement established between monday.com and the Provider (“Agreement”). By engaging with monday.com in the framework of the Agreement, Provider accepts this DPA and represents and warrants that it has full authority to bind the Provider to this DPA.
Capitalized terms not defined herein shall have the meanings assigned to such terms in the Agreement.
In the event of any conflict between certain provisions of this DPA and the provisions of the Agreement, the provisions of this DPA shall prevail over the conflicting provisions of the Agreement solely with respect to the Processing of Personal Data.
This DPA comprises the entire agreement between the Parties regarding the subject matter hereof and supersedes, merges, and replaces all prior understandings, oral and written, between the Parties relating to the subject matter of this DPA, which as of the date set out below shall be null and void with no further effect.
(a) “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control”, for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
(b) “CCPA” means the California Consumer Privacy Act of 2018, Cal. Civ. Code §§ 1798.100 et seq.
(c) The terms “Controller”, “Member State”, “Processor”, “Processing” and “Supervisory Authority” shall have the same meaning as in the GDPR. The terms “Business”, “Business Purpose”, “Consumer” and “Service Provider” shall have the same meaning as in the CCPA.
(d) For the purpose of clarity, within this DPA “Controller” shall also mean “Business”, and “Processor” shall also mean “Service Provider”, to the extent that the CCPA applies.
(e) “Data Protection Laws” means all applicable and binding privacy and data protection laws and regulations, including such laws and regulations of the European Union, the European Economic Area and their Member States, Switzerland, the United Kingdom, Canada, Israel and the United States of America, as applicable to the Processing of Personal Data under the Agreement including (without limitation) the GDPR, the UK GDPR, and the CCPA, as applicable to the Processing of Personal Data hereunder and in effect at the time of Processor’s performance hereunder.
(f) “Data Subject” means the identified or identifiable person to whom the Personal Data relates.
(g) “GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
(h) “Personal Data” or “Personal Information” means any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, to or with an identified or identifiable natural person or Consumer, which is processed by Provider on behalf of monday.com, under this DPA and the Agreement.
(i) “Services” means the services provided to monday.com by Provider in accordance with the Agreement.
(j) “Security Documentation” means the security documentation applicable to the Services purchased by monday.com as provided to monday.com by Provider.
(k) “Standard Contractual Clauses” means (a) in respect of transfers subject to the GDPR, the Standard Contractual Clauses, specifically between controllers and processors, and between processors and processors as approved by the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, including all Annexes I and II thereto (“EU SCCs”); (b) in respect of transfers subject to the UK GDPR, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses of 21 March 2022, as set forth in Annex III of the Standard Contractual Clauses (UK Cross Border Transfers) (“UK Addendum”); or (c) in respect of transfers subject to the Federal Act on Data Protection (FADP – as revised as of 25 September 2020), the terms set forth in Annex IV of the Standard Contractual Clauses (Switzerland Cross Border Transfers) (“Switzerland Addendum”); all (a)-(c) are located at: Standard Contractual Clauses (Controller to Processor) (see link here) and Standard Contractual Clauses (Processor to Processor) (see link here), respectively.
(l) “Sub-processor” means any third party that Processes Personal Data under the instruction or supervision of Provider.
(m) “UK GDPR” means the Data Protection Act 2018, as well as the GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (SI 2019/419).
2. PROCESSING OF PERSONAL DATA
2.1. Roles of the Parties. The Parties acknowledge and agree that with regard to Provider’s Processing of Personal Data on behalf of monday.com, (i) monday.com is the Controller of Personal Data, and (ii) Provider is the Processor of such Personal Data. The terms “Controller” and “Processor” below hereby signify monday.com and Provider, respectively.
2.2. Controller’s use of Personal Data. monday.com’s use of the Services and monday.com’s instructions to the Processor shall comply with Data Protection Laws.
2.3. Processor’s Processing of Personal Data. When Processing on monday.com’s behalf under the Agreement, Provider shall Process Personal Data solely for the following purposes: (i) Processing in accordance with the Agreement and this DPA; (ii) Processing in accordance with monday.com’s documented instructions, where such instructions are consistent with the terms of the Agreement; (iii) Processing as required under Data Protection Laws applicable to Processor, provided that Processor shall inform monday.com of the legal requirement in advance, unless such law or order prohibits such information on important grounds of public interest.
Processor shall inform monday.com without undue delay if, in Processor’s opinion, an instruction for the Processing of Personal Data given by monday.com infringes applicable Data Protection Laws. In such event, Processor shall (a) inform monday.com, providing relevant details of the issue, (b) upon request of monday.com, temporarily cease all Processing of the affected Personal Data (other than securely storing such data), and (c) if the Parties do not agree on a resolution to the issue in question and the costs thereof, monday.com may terminate the Agreement and/or this DPA with respect to the affected Processing and, if applicable, shall be entitled to a refund of the pro rata portion of any prepaid fees for the remaining term.
2.4 Details of the Processing. The subject-matter of Processing of Personal Data by Processor is the performance of the Services pursuant to the Agreement. The duration of the Processing, the nature and purpose of the Processing, the types of Personal Data and categories of Data Subjects Processed under this DPA are further specified in Schedule 1 (Details of Processing) to this DPA.
2.5. CCPA Standard of Care; No Sale of Personal Information. Processor acknowledges and confirms that it does not receive or process any Personal Information as consideration for any services or other items that Processor provides to monday.com under the Agreement. Processor shall not have, derive, or exercise any rights or benefits regarding Personal Information Processed on monday.com’s behalf, and may use and disclose Personal Information solely for the purposes for which such Personal Information was provided to it, as stipulated in the Agreement and this DPA. Processor certifies that it understands the rules, requirements and definitions of the CCPA and agrees to refrain from selling (as such term is defined in the CCPA) any Personal Information Processed hereunder, nor taking any action that would cause any transfer of Personal Information to or from Processor under the Agreement or this DPA to qualify as “selling” such Personal Information under the CCPA.
3. DATA SUBJECT REQUESTS
Processor shall assist monday.com in responding to requests to exercise Data Subject rights or Consumer rights (including any complaints regarding the Processing of Personal Data) under Applicable Laws, including, without limitation, EU Data Protection Laws and the CCPA (“Data Subject Request(s)”). This includes Processor (i) promptly notifying monday.com if it receives a Data Subject Request in respect of Personal Data; (ii) providing full cooperation and assistance to monday.com in relation to any Data Subject Request; (iii) ensuring that it does not respond to Data Subject Requests except on the documented instructions of monday.com or as strictly required by Data Protection Laws to which the Processor is subject; and (iv) maintaining electronic records of Data Subject Requests.
4. PROVIDER PERSONNEL
4.1 To the extent permissible under applicable law, Provider shall conduct an appropriate background investigation of all of Provider’s employees or contractors who may have access to Personal Data (“Provider Personnel”), prior to allowing them such access. If a background investigation reveals that an individual is not suited to access Personal Data, then Provider shall not provide such individual with access to Personal Data.
4.2 Provider shall ensure that all Provider Personnel: (i) has such access only as necessary for the purposes of providing monday.com with the Services and complying with Data Protection Laws; (ii) is contractually bound to confidentiality requirements no less onerous than in this DPA and the Agreement; (iii) is provided with appropriate privacy and security training, at least annually; (iv) is informed of the confidential nature of Personal Data, and required to keep it confidential; and (v) is aware of Provider’s duties and obligations under this DPA and the Agreement.
5.1 List of Current Sub-processors and Notification of New Sub-processors.
Processor shall not subcontract any Processing of Personal Data to any third party without prior written consent of monday.com for each such subcontracting activity and third party. Notwithstanding the foregoing, monday.com authorizes Processor to engage the Sub-Processors listed in Schedule 1 hereto which includes the identities of those Sub-processors, the Processing services they provide, and the entity’s country (“Sub-Processor List”) provided that, (i) such Sub-processors are only engaged in Processing Personal Data as strictly necessary for the fulfillment of Processor’s obligations under the Agreement and this DPA, (ii) Processor has conducted the level of due diligence necessary to ensure that such Sub-processor is capable of meeting the requirements of the Agreement, this DPA and Data Protection Laws, and (iii) the Processor and the Sub-processor have entered a written agreement binding on the Sub-processor containing data protection, security and privacy standards that are no less onerous than in the Agreement and this DPA.
5.2 Objection to New Sub-processors. Processor shall provide monday.com at least thirty (30) days prior written notice of its intention to engage or replace a Sub-Processor. Such notice shall be sent to firstname.lastname@example.org and must include at least: (i) the name of the proposed Sub-Processor; (ii) the type of Personal Data Processed by such Sub-Processor and for which purposes; (iii) description of the data subjects whose Personal Data shall be Processed by such Sub-Processor, and (iv) location of the Data Processing performed by such Sub-Processor. monday.com may object to the engagement of any Sub-Processor on any privacy, data protection or security grounds. In the event monday.com objects to a new Sub-processor, Processor will use reasonable efforts to make available to monday.com a change in the Services to avoid Processing of Personal Data by the objected-to new Sub-processor without unreasonably burdening monday.com. If Processor is unable to make available such change within thirty (30) days, monday.com may terminate the Agreement and/or this DPA and, if applicable, shall be entitled to a refund of the pro rata portion of any prepaid fees for the remaining term.
5.3 Agreements with Sub-processors. Processor represents and warrants that it has entered into a written agreement with each Sub-processor containing appropriate safeguards to the protection of Personal Data. Where Processor engages a Sub-processor for carrying out specific Processing activities on behalf of monday.com, the same or materially similar data protection obligations as set out in the Agreement and this DPA shall be imposed on such new Sub-processor by way of a contract, in particular obligations to implement appropriate technical and organizational measures for protection of Personal Data Processed hereunder and in such a manner that the Processing will meet the requirements of the GDPR. Where a Sub-processor fails to fulfil its data protection obligations concerning its Processing of Personal Data, Processor shall remain fully liable for the performance of the Sub-processor’s obligations. Processor shall review and validate at least annually, and certify to monday.com upon request, that each of its Sub-processors are able to fulfil its duties as applicable to its performance of its obligations hereunder. If any review reveals any compliance deficiencies by such Sub-processor, Processor shall promptly find a solution, mitigation and/or remedy such issue; however, if such is not possible, monday.com may instruct Processor to not continue using such Sub-processor and monday.com may terminate this DPA and/or the Agreement to the extent Processor can no longer provide the Services without use of such Sub-processor and, if applicable, shall be entitled to a refund of the pro rata portion of any prepaid fees for the remaining term.
6. SECURITY & AUDITS
6.1 Controls for the Protection of Personal Data. Processor represents and warrants that it has implemented and will maintain all appropriate technical and organizational measures for protection of Personal Data Processed hereunder (including protection against unauthorized or unlawful Processing and against accidental or unlawful destruction, loss or alteration or damage, unauthorized disclosure of, or access to, Personal Data, confidentiality and integrity of Personal Data, including those measures set forth in the Security Documentation and the Agreement). Upon monday.com’s request, Processor shall assist monday.com, in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR.
6.2 Records of Processing. Processor shall keep records of its Processing activities performed on behalf of monday.com, which shall include at least: (i) the details of the Processor as Personal Data Processor, any representatives, Sub-Processors, data protection officers and Provider Personnel having access to Personal Data; (ii) the categories of Processing activities performed; (iii) information regarding Cross-Border Data Transfers, if any; and (iv) a description of the technical and organizational security measures implemented in respect of the Processed Personal Data. Without derogating from monday.com’s Audit Rights under Section 6.3 below, monday.com reserves the rights to inspect the records maintained by Processor under this Section 6.2 at any time.
6.3 Audits and Inspections. Upon prior written request, and subject to confidentiality undertakings by monday.com, Processor shall make available to monday.com (or monday.com’s independent third-party auditor subject to their confidentiality undertakings) all information necessary to demonstrate compliance with this DPA, and allow for and contribute to audits, including inspections, conducted by them. In the event of an audit or inspections as set forth above, monday.com shall take reasonable steps to avoid causing (or, if it cannot avoid, minimize) any disruption to Processor’s operations while conducting such audit or inspection.
7. DATA INCIDENT MANAGEMENT AND NOTIFICATION
Processor maintains security incident management policies and procedures and shall notify monday.com without undue delay (but in any event no later than forty-eight (48) hours) after becoming aware of:
(i) any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data (a “Data Incident”). Processor shall provide monday.com with all information on the nature of the Data Incident, including the categories of Data Subjects concerned and the categories of Personal Data and data records concerned. Processor shall take all necessary steps to identify and take those steps necessary in order to remediate and/or mitigate the cause of such Data Incident as well as fully cooperate with monday.com in the investigation, mitigation, and remediation of a Data Incident. Upon request of monday.com, Processor shall provide monday.com with sufficient information to allow monday.com to meet any obligations under Data Protection Laws to report or inform Data Subjects or data protection authorities of the Data Incident.
(ii) any request for disclosure of Personal Data by a Supervisory Authority and/or any other law enforcement authority or court unless prohibited under criminal law specifically requiring Processor to preserve the confidentiality of a law enforcement investigation against monday.com.
Processor will not make, disclose, release or publish any finding, admission of liability, communication, notice, press release or report concerning any Data Incident or disclosure request which directly or indirectly identifies monday.com (including in any legal proceeding or in any notification to regulatory or supervisory authorities or affected individuals) without monday.com’s prior written approval, unless, and solely to the extent that, Processor is compelled to do so pursuant to applicable Data Protection Laws. In the latter case, unless prohibited by such laws, Processor shall provide monday.com with reasonable prior written notice to provide monday.com with the opportunity to object to such disclosure and in any case Processor shall limit the disclosure to the minimum scope required.
8. RETURN AND DELETION OF PERSONAL DATA
Without undue delay (and in any event within thirty (30) days) following termination of the Agreement, Processor shall, at the choice of monday.com, delete or return to monday.com all the Personal Data it Processes on behalf of monday.com, in the manner described in the Agreement or as otherwise reasonably requested by monday.com. Notwithstanding the above, in any event Processor shall automatically permanently delete within sixty (60) days following termination or expiration of the Agreement and/or DPA any Personal Data including existing copies of such Personal Data unless Data Protection Laws require otherwise. Processor warrants that it will guarantee the confidentiality of Personal Data and will not actively Process Personal Data anymore and will guarantee the return and/or deletion of the Personal Data (at the choice of monday.com or automatically within sixty (60) days of termination or expiration) when the legal obligation to not return or delete the Personal Data has expired. Upon monday.com’s written request, the Processor’s Chief Privacy Officer (or equivalent) shall provide written certification to monday.com stating that Processor has fully complied with this section.
9. CROSS-BORDER DATA TRANSFERS
9.1 Transfers from the EEA, Switzerland and the United Kingdom to countries that offer adequate level of data protection. Personal Data may be transferred from EU Member States, the three EEA member countries (Norway, Liechtenstein and Iceland) (collectively, “EEA”), Switzerland and the United Kingdom (“UK”) to countries that offer an adequate level of data protection under or pursuant to the adequacy decisions published by the relevant data protection authorities of the EEA, the European Union, the Member States or the European Commission, Switzerland, and/or the UK as relevant (“Adequacy Decisions”), as applicable, without any further safeguard being necessary.
9.2 Transfers from the EEA, Switzerland and the United Kingdom to other countries. If the Processing of Personal Data by Processor includes a transfer (either directly or via onward transfer):
(i) from the EEA to other countries which have not been subject to a relevant Adequacy Decision, and such transfers are not performed through an alternative recognized compliance mechanism for the lawful transfer of personal data (as defined in the GDPR) outside the EEA (“EEA Transfer”), the terms set forth in the EU SCCs shall apply;
(ii) from the UK to other countries which have not been subject to a relevant Adequacy Decision, and such transfers are not performed through an alternative recognized compliance mechanism as may be adopted by Processor for the lawful transfer of personal data (as defined in the UK GDPR) outside UK, the terms set forth in the UK Addendum shall apply;
(iii) from Switzerland to other countries which have not been subject to a relevant Adequacy Decision, and such transfers are not performed through an alternative recognized compliance mechanism for the lawful transfer of personal data (as defined under the GDPR) outside Switzerland, the terms set forth in the Switzerland Addendum shall apply;
(iv) the terms set forth in Annex V of the Standard Contractual Clauses (Additional Safeguards) shall apply to any transfer where the Standard Contractual Clauses apply.
10. OTHER PROVISIONS
10.1 Data Protection Impact Assessment and Prior Consultation. Upon monday.com’s request, Processor shall provide monday.com with the cooperation and assistance needed to fulfil monday.com’s obligations under the GDPR or the UK GDPR (as applicable) to carry out a data protection impact assessment related to monday.com’s use of the Services. Processor shall provide the necessary assistance to monday.com in the cooperation or prior consultation with the Supervisory Authority in the performance of its tasks relating to this Section 10.1, to the extent required under the GDPR or the UK GDPR, as applicable.
10.2 Indemnification. Processor shall indemnify, defend, and hold harmless monday.com, its Affiliates, and their respective officers, directors, and employees from and against all claims and proceedings and all liability, loss, costs, fines, and expenses (including reasonable legal fees) arising in connection with (i) Processor’s unlawful or unauthorized Processing, destruction of, or damage to any Personal Data; and/or (ii) Processor’s (including the Provider Personnel and Sub-Processors) failure to comply with its obligations under this DPA, the Agreement or any further written Processing instructions given by monday.com in accordance with this DPA.
10.3 Modifications. Each Party may by at least forty-five (45) calendar days prior written notice to the other Party, request in writing any variations to this DPA if they are required as a result of any change in, or decision of a competent authority under Data Protection Laws, to allow Processing of monday.com Personal Data to be made (or continue to be made) without breach of those Data Protection Laws. The Parties shall make commercially reasonable efforts to accommodate such modification requested by monday.com or that Processor believes is necessary. The Parties shall promptly discuss the proposed variations and negotiate in good faith with a view to agreeing and implementing those or alternative variations designed to address the requirements identified in the notice as soon as is reasonably practicable. In the event that the Parties are unable to reach such an agreement within thirty (30) days of such notice, then monday.com or Processor may, by written notice to the other Party, with immediate effect, terminate this DPA and the Agreement and, if applicable, in such event monday.com shall be entitled to a refund of the pro rata portion of any prepaid fees for the remaining term.
SCHEDULE 1 – DETAILS OF THE PROCESSING
Nature and Purpose of Processing
1. Providing the Services to monday.com;
2. Performing the Agreement and this DPA;
3. Acting upon monday.com’s written instructions in accordance with the Agreement and the DPA;
4. Complying with applicable laws and regulations.
Duration of Processing
Processor will Process Personal Data pursuant to the DPA and Agreement for the duration of the Agreement, unless otherwise agreed upon in writing.
Type of Personal Data
monday.com may submit Personal Data to the Services or provide such Personal Data directly to the Provider, the extent of which is determined and controlled either by monday.com in its sole discretion or by agreement between the parties, and which may include, but is not limited to the following categories of Personal Data:
● First and last name
● Contact information (company, email, phone, physical business address)
● ID data
● Professional life data
● Personal life data
● Connection and usage data
● Localisation data
Categories of Data Subjects
monday.com may submit and users may submit on behalf of monday.com Personal Data to the Services or provide such Personal Data directly to the Provider, the extent of which is determined and controlled either by monday.com in its sole discretion or by agreement between the parties, and which may include, but is not limited to Personal Data relating to the following categories of data subjects:
● Prospects, customers, business partners and vendors of monday.com (who are natural persons)
● Employees or contact persons of monday.com’s prospects, customers, business partners and vendors
● Employees, agents, advisors, freelancers of monday.com (who are natural persons)
● monday.com’s users authorized by monday.com to use, or engage the Provider to provide, the Services
Processor may engage with the following Sub-Processors to provide the Services and such other Sub-Processors as set forth in the Agreement.
|Name of Sub-processor|Services Performed and Duration of Processing|Sub-processor Location|DPA/SCC in place with Sub-processor (yes or no)|
*Processor shall separately provide the aforesaid list of Sub-Processors to monday.com at email@example.com within 7 days of engagement between the Parties. In the event that no update to the Sub-Processors list has been provided by Processor, it shall be deemed by monday.com that Processor does not engage any Sub-Processors for the performance of its obligations under the applicable Agreement between the Parties.