Online Provider Data Processing Addendum

Sign the online version

This Data Processing Addendum (“DPA”) is entered into by you, the provider (“Provider”), and monday.com Ltd. (“monday.com”) to reflect the parties’ agreement with regard to the Processing of Personal Data by Provider on behalf of monday.com. Both parties shall be referred to as the “Parties” and each, a “Party”.  

In consideration of the mutual obligations set out herein, the Parties hereby agree that the terms and conditions set out below shall be added as an Addendum integral to the applicable agreement established between monday.com and the Provider (“Agreement”). By engaging with monday.com in the framework of the Agreement, Provider accepts this DPA and represents and warrants that it has full authority to bind the Provider to this DPA.

In case you entered into an Agreement with monday.com on or before 30 January, 2024, which incorporates the online Provider DPA – the previous version of the DPA shall apply until the sales order (underlying the Agreement) renewal date, and remains available through the following link.

Capitalized terms not defined herein shall have the meanings assigned to such terms in the Agreement.

In the event of any conflict between certain provisions of this DPA and the provisions of the Agreement, the provisions of this DPA shall prevail over the conflicting provisions of the Agreement solely with respect to the Processing of Personal Data.

1. DEFINITIONS

1. Definitions:

1. “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control”, for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
2. “CCPA” means the California Consumer Privacy Act of 2018, Cal. Civ. Code §§ 1798.100 et. Seq, and its implementing regulations, as may be amended from time to time. 
3. The terms, “Controller“, “Member State“, “Processor“, “Processing” and “Supervisory Authority” shall have the same meaning as in the GDPR. The terms “Business”, “Business Purpose”, “Consumer” and “Service Provider” shall have the same meaning as in the CCPA.
4. “Data Protection Laws” means all applicable and binding privacy and data protection laws and regulations, including such laws and regulations of the European Union, the European Economic Area and their Member States, Switzerland, the United Kingdom, Canada, Israel and the United States of America, as applicable to the Processing of Personal Data under the Agreement including (without limitation) the GDPR, the UK GDPR, and the CCPA, as applicable to the Processing of Personal Data hereunder and in effect at the time of Provider’s performance hereunder.
5. “Data Subject” means the identified or identifiable person to whom the Personal Data relates.
6. “GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
7. “Personal Data” or “Personal Information” means any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, to or with an identified or identifiable natural person or Consumer, which is processed by Provider on behalf of monday.com, under this DPA and the Agreement.
8. “Services” means the services provided to monday.com by Provider in accordance with the Agreement.
9. “Security Documentation” means the security documentation applicable to the Services purchased by monday.com as provided to monday.com by Provider.
10. “Standard Contractual Clauses” means (a) in respect of transfers subject to the GDPR, the Standard Contractual Clauses between controllers and processors (located here), and between processors and processors (located here) as approved by the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, including all Annexes I,  II and IV thereto (“EU SCCs”); (b) in respect of Personal Data transfers subject to the UK GDPR, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses of 21 March 2022, incorporated into the EU SCCs through as Annex III  thereto (UK Cross Border Transfers) (“UK Addendum”); and (c) in respect of Personal Data transfers subject to the Federal Act on Data Protection ( as revised as of 25 September 2020), the terms set forth in Annex IV of the EU SCCs(“Switzerland Addendum”).
11. “Sub-processor” means any third party that Processes Personal Data under the instruction or supervision of Provider.
12. “UK GDPR” means the Data Protection Act 2018, as well as the GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (SI 2019/419).

2. PROCESSING OF PERSONAL DATA

1. Roles of the Parties. The Parties acknowledge and agree that with regard to Provider’s Processing of Personal Data on behalf of monday.com, (i) monday.com is the Controller of Personal Data, and (ii) Provider is the Processor of such Personal Data. The terms “Controller” and “Processor” below hereby signify monday.com and Provider, respectively.
2. Controller’s use of Personal Data. monday.com’s use of the Services and monday.com’s instructions to the Provider shall comply with Data Protection Laws.
3. Providers Processing of Personal Data. When Processing on monday.com’s behalf under the Agreement, Provider shall Process Personal Data solely for the following purposes: (i) Processing in accordance with the Agreement and this DPA; (ii) Processing in accordance with monday.com’s documented instructions, where such instructions are consistent with the terms of the Agreement; (iii) Processing as required under Data Protection Laws applicable to Provider, provided that Provider shall inform monday.com of the legal requirement in advance, unless such law or order prohibit such information on important grounds of public interest.

In the event monday.com discloses or otherwise makes available to Vendor deidentified data (as defined by applicable Data Protection Laws), Provider shall (i) take reasonable measures to ensure such data cannot be associated with a natural person, and (ii) maintain and use such data without attempting to re-identify it.

Provider shall inform monday.com without undue delay if, in Provider’s opinion, an instruction for the Processing of Personal Data given by monday.com infringes applicable Data Protection Laws. In such event, Provider shall (a) inform monday.com, providing relevant details of the issue, (b) upon request of monday.com, temporarily cease all Processing of the affected Personal Data (other than securely storing such data), and (c) if the Parties do not agree on a resolution to the issue in question and the costs thereof, monday.com may terminate the Agreement and/or this DPA with respect to the affected Processing and, if applicable, shall be entitled to a refund of the pro rata portion of any prepaid fees for the remaining term.

4. Details of the Processing. The subject-matter of Processing of Personal Data by Provider is the performance of the Services pursuant to the Agreement. The duration of the Processing, the nature and purpose of the Processing, the types of Personal Data and categories of Data Subjects Processed under this DPA are further specified in Schedule 1 (Details of Processing) to this DPA.
5. CCPA Standard of Care; No Sale of Personal Information. If Provider Processes Personal Data that is subject to the CCPA, the terms set forth in Schedule 2 (CCPA Terms) of this DPA shall apply and bind the Parties with regard to such Personal Data and the Processing thereof. 

3. DATA SUBJECT REQUESTS

Provider shall assist monday.com in responding to requests to exercise Data Subject rights or Consumer rights (including any complaints regarding the Processing of Personal Data) under Applicable Laws, including, without limitation, EU Data Protection Laws and the CCPA (“Data Subject Request(s)”). This includes Provider (i) promptly notifying monday.com if it receives a Data Subject Request in respect of Personal Data; (ii) providing full cooperation and assistance to monday.com in relation to any Data Subject Request; (iii) ensuring that it does not respond to Data Subject Requests except on the documented instructions of monday.com or as strictly required by Data Protection Laws to which the Provider is subject; and (iv) maintain electronic records of Data Subject Requests.

4. PROVIDER PERSONNEL

1. To the extent permissible under applicable law, Provider shall conduct an appropriate background investigation of all of Provider’s employees or contractors who may have access to Personal Data (“Provider Personnel”), prior to allowing them such access. If a background investigation reveals that an individual is not suited to access Personal Data, then Provider shall not provide such individual with access to Personal Data.
2. Provider shall ensure that all Provider Personnel: (i) has such access only as necessary for the purposes of providing monday.com with the Services and complying with Data Protection Laws; (ii) is contractually bound to confidentiality requirements no less onerous than in this DPA and the Agreement; (iii) is provided with appropriate privacy and security training, at least annually; (iv) is informed of the confidential nature of Personal Data, and required to keep it confidential; and (v) is aware of Provider’s duties and obligations under this DPA and the Agreement.

5. SUB-PROCESSORS

1. List of Current Sub-processors and Notification of New Sub-processors.

Provider shall not subcontract any Processing of Personal Data to any third party without prior written consent of monday.com for each such subcontracting activity and third party. Notwithstanding the foregoing, monday.com authorizes Provider to engage the Sub-processors listed in Schedule 1 hereto which  includes the identities of those Sub-processors, the Processing services they provide, and the entity’s country (“Sub-processor List”) provided that, (i) such Sub-processors are only engaged in Processing Personal Data as strictly necessary for the fulfillment of Provider’s obligations under the Agreement and this DPA, (ii) Provider has conducted the level of due diligence necessary to ensure that such Sub-processor is capable of meeting the requirements of the Agreement, this DPA and Data Protection Laws, and (iii) the Provider and the Sub-processor have entered a written agreement binding on the Sub-processor containing data protection, security and privacy standards that are no less onerous than in the Agreement and this DPA.

2. Objection to New Sub-processors. Provider shall provide monday.com at least thirty (30) days’ prior written notice of its intention to engage or replace a Sub-processor. Such notice shall be sent to legal@monday.com and must include at least: (i) the name of the proposed Sub-processor; (ii) the type of Personal Data Processed by such Sub-processor and for which purposes; (iii) description of the data subjects whose Personal Data shall be Processed by such Sub-processor, and (iv) location of the Data Processing performed by such Sub-processor. monday.com may object to the engagement of any Sub-processor on any privacy, data protection or security grounds. In the event monday.com objects to a new Sub-processor, Provider will use reasonable efforts to make available to monday.com a change in the Services to avoid Processing of Personal Data by the objected-to new Sub-processor without unreasonably burdening monday.com. If Provider is unable to make available such change within thirty (30) days, monday.com may terminate the Agreement and/or this DPA and, if applicable, shall be entitled to a refund of the pro rata portion of any prepaid fees for the remaining term.
   
3. Agreements with Sub-processors. Provider represents and warrants that it has entered into a written agreement with each Sub-processor containing appropriate safeguards to the protection of Personal Data. Where Provider  engages a Sub-processor for carrying out specific Processing activities on behalf of monday.com, the same or materially similar data protection obligations as set out in the Agreement and this DPA shall be imposed on such new Sub-processor by way of a contract, in particular obligations to implement appropriate technical and organizational measures for protection of Personal Data Processed hereunder and in such a manner that the Processing will meet the requirements of the GDPR. Where a Sub-processor fails to fulfil its data protection obligations concerning its Processing of Personal Data, Provider shall remain fully liable for the performance of the Sub-processor’s obligations. Provider shall review and validate at least annually, and certify to monday.com upon request, that each of its Sub-processors are able to fulfil its duties as applicable to its performance of its obligations hereunder. If any review reveals any compliance deficiencies by such Sub-processor, Provider shall promptly find a solution, mitigation and/or remedy for such issue; however, if such is not possible, monday.com may instruct Provider to not continue using such Sub-processor and monday.com may terminate this DPA and/or the Agreement to the extent Provider can no longer provide the Services without use of such Sub-processor and, if applicable, shall be entitled to a refund of the pro rata portion of any prepaid fees for the remaining term.

6. SECURITY & AUDITS

1. Controls for the Protection of Personal Data. Provider represents and warrants that it has implemented and will maintain all appropriate technical and organizational measures for protection of Personal Data Processed hereunder (including protection against unauthorized or unlawful Processing and against accidental or unlawful destruction, loss or alteration or damage, unauthorized disclosure of, or access to, Personal Data, confidentiality and integrity of Personal Data, including those measures set forth in the Security Documentation and the Agreement). Upon monday.com’s request, Provider shall assist monday.com, in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR.
2. Records of Processing. Provider shall keep records of its Processing activities performed on behalf of monday.com, which shall include at least: (i) the details of the Provider as Personal Data Processor, any representatives, Sub-processors, data protection officers and Provider Personnel having access to Personal Data; (ii) the categories of Processing activities performed; (iii) information regarding Cross-Border Data Transfers, if any; and (iv) a description of the technical and organizational security measures implemented in respect of the Processed Personal Data. Without derogating from monday.com’s Audit Rights under Section 6.3 below, monday.com reserves the rights to inspect the records maintained by Provider under this Section 6.2 at any time.
3. Audits and Inspections. Upon prior written request, and subject to confidentiality undertakings by monday.com, Provider shall make available to monday.com (or monday.com’s independent third-party auditor subject to their confidentiality undertakings) all information necessary to demonstrate compliance with Data Protection Laws this DPA, and allow for and contribute to audits, including inspections, conducted by them. In the event of an audit or inspections as set forth above, monday.com shall take reasonable steps to avoid causing (or, if it cannot avoid, minimize) any disruption to Provider’s operations while conducting such audit or inspection.

7. DATA INCIDENT MANAGEMENT AND NOTIFICATION

Provider maintains security incident management policies and procedures and shall notify monday.com without undue delay (but in any event no later than forty-eight (48) hours) after becoming aware of:

1. any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data (a “Data Incident”). Provider shall provide monday.com with all information on the nature of the Data Incident, including the categories of Data Subjects concerned and the categories of Personal Data and data records concerned. Provider shall take all necessary steps to identify and take those steps necessary in order to remediate and/or mitigate the cause of such Data Incident as well as fully cooperate with monday.com in the investigation, mitigation, and remediation of a Data Incident. Upon request of monday.com, Provider shall provide monday.com with sufficient information to allow monday.com to meet any obligations under Data Protection Laws to report or inform Data Subjects or data protection authorities of the Data Incident.
2. any request for disclosure of Personal Data by a Supervisory Authority and/or any other law enforcement authority or court unless prohibited under criminal law specifically requiring Provider to preserve the confidentiality of a law enforcement investigation against monday.com.

Provider will not make, disclose, release or publish any finding, admission of liability, communication, notice, press release or report concerning any Data Incident or disclosure request which directly or indirectly identifies monday.com (including in any legal proceeding or in any notification to regulatory or supervisory authorities or affected individuals) without monday.com’s prior written approval, unless, and solely to the extent that, Provider is compelled to do so pursuant to applicable Data Protection Laws. In the latter case, unless prohibited by such laws, Provider shall provide monday.com with reasonable prior written notice to provide monday.com with the opportunity to object to such disclosure and in any case Provider shall limit the disclosure to the minimum scope required.

8. RETURN AND DELETION OF PERSONAL DATA

Without undue delay (and in any event within thirty (30) days) following termination of the Agreement, Provider shall, at the choice of monday.com, delete or return to monday.com all the Personal Data it Processes on behalf of monday.com, in the manner described in the Agreement or as otherwise reasonably request by monday.com. Notwithstanding the above, in any event Provider shall automatically permanently delete within sixty (60) days following termination or expiration of the Agreement and/or DPA any Personal Data including existing copies of such Personal Data unless Data Protection Laws require otherwise. Provider warrants that it will guarantee the confidentiality of Personal Data and will not actively Process Personal Data anymore and will guarantee the return and/or deletion of the Personal Data (at the choice of monday.com or automatically within sixty (60) days of termination or expiration) when the legal obligation to not return or delete the Personal Data has expired. Upon monday.com’s written request, the Provider’s Chief Privacy Officer (or equivalent) shall provide written certification to monday.com stating that Provider has fully complied with this section.

9. CROSS-BORDER DATA TRANSFERS

1. Transfers from the EEA, Switzerland and the United Kingdom to countries that offer adequate level or data protection. Personal Data may be transferred from EU Member States, the three EEA member countries (Norway, Liechtenstein and Iceland) (collectively, “EEA”), Switzerland and the United Kingdom (“UK”) to countries that offer an adequate level of data protection under or pursuant to the adequacy decisions published by the relevant data protection authorities of the EEA, the European Union, the Member States or the European Commission, Switzerland, and/or the UK as relevant (“Adequacy Decisions”), as applicable, without any further safeguard being necessary. For the avoidance of doubt, “Adequacy Decisions” include the European Commission’s adequacy decision of 10 July 2023, establishing the EU-US Data Privacy Framework.
2. Transfers from the EEA, Switzerland and the United Kingdom to other countries. If the Processing of Personal Data by Provider includes a transfer (either directly or via onward transfer):

1. from the EEA to other countries which have not been subject to a relevant Adequacy Decision, and such transfers are not performed through an alternative recognized compliance mechanism as may be adopted by Provider for the lawful transfer of personal data (as defined in the GDPR) outside the EEA, the terms set forth in the EU SCCs shall apply;
2. from the UK to other countries which have not been subject to a relevant Adequacy Decision, and such transfers are not performed through an alternative recognized  compliance mechanism as may be adopted by Provider for the lawful transfer of personal data (as defined in the UK GDPR) outside UK, the terms set forth in the UK Addendum shall apply;
3. from Switzerland to other countries which have not been subject to a relevant Adequacy Decision, and such transfers are not performed through an alternative recognized compliance mechanism for the lawful transfer of personal data (as defined under the GDPR) outside Switzerland, the terms set forth in the Switzerland Addendum shall apply;
4. the terms set forth in Annex V of the Standard Contractual Clauses (Additional Safeguards) shall apply to any transfer where the Standard Contractual Clauses apply.

1. Transfers from other countries: If the Processing of Personal Data by Provider includes a transfer of Personal Data by and/or mandated by monday.com to Provider from any other jurisdiction which mandates a particular compliance mechanism for the lawful transfer of such data be established, the Parties may seek to make any necessary amendments to this DPA in accordance with provisions of Section 10.3 below to ensure compliance with such requirements.

10. OTHER PROVISIONS

1. Data Protection Impact Assessment and Prior Consultation. Upon monday.com’s request, Provider shall provide monday.com with the cooperation and assistance needed to fulfil monday.com’s obligations under Data Protection Laws (as applicable) to carry out a data protection impact assessment or data protection assessment (as applicable) related to monday.com’s use of the Services. Provider shall provide the necessary assistance to monday.com in the cooperation or prior consultation with the Supervisory Authority in the performance of its tasks relating to this Section 10.1, to the extent required under the GDPR or the UK GDPR, as applicable.
2. Indemnification. Provider shall indemnify, defend, and hold harmless monday.com, its Affiliates, and their respective officers, directors, and employees from and against all claims and proceedings and all liability, loss, costs, fines, and expenses (including reasonable legal fees) arising in connection with (i) Provider’s unlawful or unauthorized Processing, destruction of, or damage to any Personal Data; and/or (ii) Provider’s (including the Provider Personnel and Sub-processors) failure to comply with its obligations under this DPA, the Agreement or any further written Processing instructions given by monday.com in accordance with this DPA.
3. Modifications. Each Party may by at least forty-five (45) calendar days prior written notice to the other Party, request in writing any variations to this DPA if they are required as a result of any change in, or decision of a competent authority under Data Protection Laws, to allow Processing of monday.com Personal Data to be made (or continue to be made) without breach of those Data Protection Laws. The Parties shall make commercially reasonable efforts to accommodate such modification requested by monday.com or that Provider believes is necessary. The Parties shall promptly discuss the proposed variations and negotiate in good faith with a view to agreeing and implementing those or alternative variations designed to address the requirements identified in the notice as soon as is reasonably practicable. In the event that the Parties are unable to reach such an agreement within thirty (30) days of such notice, then monday.com or Provider may, by written notice to the other Party, with immediate effect, terminate this DPA and the Agreement and, if applicable, in such event monday.com shall be entitled to a refund of the prorata portion of any prepaid fees for the remaining term.

****

SCHEDULE 1 – DETAILS OF THE PROCESSING

Nature and Purpose of Processing

1. Providing the Services to monday.com;
2. Performing the Agreement and this DPA;
3. Acting upon monday.com’s written instructions in accordance with the Agreement and the DPA;
4. Complying with applicable laws and regulations.

Duration of Processing

Provider will Process Personal Data pursuant to the DPA and Agreement for the duration of the Agreement, unless otherwise agreed upon in writing.

Type of Personal Data

monday.com may submit Personal Data to the Services or provide such Personal Data directly to the Provider, the extent of which is determined and controlled either by monday.com in its sole discretion or by agreement between the parties, and which may include, but is not limited to the following categories of Personal Data:

● First and last name
● Title
● Position
● Employer
● Contact information (company, email, phone, physical business address)
● ID data
● Professional life data
● Personal life data
● Connection and usage data
● Localisation data

Categories of Data Subjects        

monday.com may submit and users may submit on behalf of monday.com Personal Data to the Services or provide such Personal Data directly to the Provider, the extent of which is determined and controlled either by monday.com in its sole discretion or by agreement between the parties, and which may include, but is not limited to Personal Data relating to the following categories of data subjects:

● Prospects, customers, business partners and vendors of monday.com (who are natural persons)
● Employees or contact persons of monday.com’s prospects, customers, business partners and vendors
● Employees, agents, advisors, freelancers of monday.com (who are natural persons)
● monday.com’s users authorized by monday.com to use, or engage the Provider to provide, the Services

Sub-Processors

Provider may engage with the following Sub-processors to provide the Services and such other Sub-processors as set forth in the Agreement.

 

Name of Sub-processor	Services Performed and Duration of Processing	Sub-processor Location	DPA/SCC in place with Sub-processor (yes or no)

---

SCHEDULE 2 – CCPA TERMS

1. SCOPE, APPLICATION & INTERPRETATION

1. This Schedule 2 shall apply and bind the Parties if and to the extent that Provider processes Personal Information (as defined below) that is subject to the CCPA in the course of providing the Services to monday.com pursuant to the Agreement.
2. This Schedule 2 prevails over any conflicting terms of the Agreement or the DPA but does not otherwise modify the Agreement or the DPA.
3. This Schedule 2 shall be interpreted in favor of the Parties’ intent to comply with the CCPA, and therefore any ambiguity shall be resolved in favor of a meaning that complies and is consistent with the CCPA.
4. Capitalized terms not specifically defined herein shall have the meanings ascribed to them in the DPA, as amended by this Schedule 2.

2. DEFINITIONS

For the purposes of this Schedule 2:

5. The terms “Business”, “Collects” (and “collected” and “collection”), “Consumer”, “Deidentified”, “Sell” (and “selling”, “sale”, and “sold”), “Share” (and “shared”, or “sharing”), and “Service Provider” shall each have the same meaning as in the CCPA.
6. “Personal Information” means any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, to or with an identified or identifiable Consumer or household, which is processed by Provider solely on behalf of monday.com or any of its Affiliates under this Schedule 2 and the Agreement.

3. PROCESSING OF PERSONAL INFORMATION

1. monday.com hereby appoints Provider as a Service Provider to Process Personal Information on behalf of monday.com. monday.com, in its use of the Services, and monday.com’s instructions to Provider, shall comply with the CCPA.
2. Provider shall Process Personal Information solely for the purposes set forth in Section ‎2.3 of the DPA and as necessary to comply with this Schedule 2 and the CCPA (collectively: the “Permitted Purposes“).
3. Sections ‎3-‎8 and ‎10.2-‎10.3 of the DPA shall apply to the Processing of Personal Information hereunder and the following terms shall be replaced as follows: “Data Protection Laws” shall mean the CCPA; “DPA” shall mean this Schedule 2; “Personal Data” shall mean “Personal Information”; “Data Subject” shall mean “Consumer”; “Controller” shall mean “Business”; “Processor” shall mean “Service Provider”; and Sub-processor shall refer to the concept of Subcontractor engaged by Provider to Process Personal Information.
4. Provider shall Process Personal Information in accordance with the provisions of the CCPA, and in a manner that provides the same level of privacy protection to Personal Information as required by the CCPA. Provider certifies that it understands the rules, requirements, and definitions of the CCPA and this Schedule 2, and shall comply with them.
5. Provider acknowledges and confirms that it does not receive or process any Personal Information as consideration for any services or other items that Provider provides to monday.com under the Agreement. Provider agrees to refrain from Selling and/or Sharing any Personal Information Processed hereunder without monday.com’s prior written consent, nor taking any action that would cause any transfer of Personal Information to or from Provider under the Agreement or this Schedule 2 to qualify as Selling and/or Sharing such Personal Information. Provider shall not have, derive, or exercise any rights or benefits regarding the Personal Information, and shall not retain, use, or disclose any Personal Information (i) for any purpose other than the Permitted Purposes, and/or (ii) outside of its direct business relationship with monday.com.
6. Provider shall not combine Personal Information with any other data if and to the extent that this would be inconsistent with the limitations on Service Providers under the CCPA.
7. If Provider receives any Personal Information in Deidentified form, Vendor shall take reasonable measures to ensure that such Deidentified Personal Information cannot be associated with a Consumer or household.
8. Provider shall notify monday.com if Provider makes a determination that it can no longer meet its obligations under this Schedule 2 and/or the CCPA.