// Trust & Security Report
monday.com
monday.com Work OS / AI Work Platform (Work Management, CRM, Dev, Service) + monday AI, AI Agents, and MCP Server
Certifications held
12
Maturity
Enterprise
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on monday.com“We undergo annual external audits for SOC 2 Type II security certification from the American Institute of Certified Public Accountants (AICPA), ISO 27001 ISMS (information security management system) and ISO 27018 (for protecting personal data in the cloud).”
Verify on monday.com“Compliance/Certifications: SOC 1 Type II Report, SOC 2 Type II Report, SOC 3 Report”
Verify on monday.com“Compliance/Certifications: SOC 1 Type II Report, SOC 2 Type II Report, SOC 3 Report”
Verify on monday.com“ISO/IEC 27001:2022 - The most rigorous global security standard for Information Security Management Systems (ISMS)”
Verify on monday.com“ISO/IEC 27018:2019 - Establishes commonly accepted control objectives, controls and guidelines for implementing measures to protect Personally Identifiable Information (PII)”
Verify on monday.com“ISO/IEC 27017:2015 - Provides controls and implementation guidance for both cloud service providers and cloud service customers.”
Verify on monday.com“ISO/IEC 27032:2023 - Provides guidance for improving the state of Cybersecurity, drawing out the unique aspects of that activity and its dependencies on other security domains”
Verify on monday.com“ISO/IEC 27701:2019 - Specifies requirements and provides guidance for establishing, implementing, maintaining and continually improving a Privacy Information Management System (PIMS)”
Verify on monday.com“Compliance/Certifications: ... ISO/IEC 27701:2019, CSA Star, TX RAMP”
Verify on monday.com“Privacy Programs: ... HIPAA Business Associate Agreement”
Verify on monday.com“monday.com's US subsidiary, monday.com, Inc., has been certified under the US Department of Commerce's Data Privacy Framework (DPF) to receive data transfers from the EEA, UK or Switzerland to the US.”
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
Customer-selectable AWS regions: US, EU, and AUS (Australia). EU region provides EU data residency.
monday.com states it does not use customer data to train or enhance its AI models and does not allow its providers to do so. AI model providers (including OpenAI and Anthropic) operate under Zero Data Retention commitments, and monday.com's agreements explicitly prohibit using customer data for model training. Where models are hosted on monday.com-controlled infrastructure (AWS Bedrock, Azure AI, Vertex), the model providers have no access to customer data. Verified via monday AI Security & Privacy FAQ / AI FAQs.
// Security controls
Penetration testing
Annual third-party pen tests (application + infrastructure) by independent auditors using manual and automated methods; weekly DAST; internal AppSec team conducts ongoing tests
monday.comBug bounty
Managed bug bounty program run on HackerOne; vulnerabilities reportable to security@monday.com
monday.comSDLC security
OWASP Top 10 + CVSS; static analysis and peer review of all code before deployment
hackerone.comEnterprise governance add-on
Guardian add-on for enhanced enterprise data protection, secure access, and governance
monday.comUptime / reliability
Multi-region AWS hosting with disaster recovery site in a separate AWS region; dedicated Uptime & Reliability trust center section
monday.com// Products & data scope
data: Customer business data on boards, workdocs, dashboards. monday.com acts as Data Processor; customer is Controller. Covered by DPA, SOC 2, ISO 27001.
Core platform. Free, paid team tiers, and Enterprise plans.
data: Customer/prospect contact and pipeline data as CRM items; processed as Processor under DPA.
AI-first CRM with deal insights, AI notetaker, email generation.
data: Sprint, roadmap, and bug-tracking data; same processor/DPA scope.
For software teams.
data: Ticketing and service request data; same processor/DPA scope.
ITSM/support product.
data: Sends customer prompts/board context to model providers (OpenAI, Anthropic) under Zero Data Retention; no training on customer data; providers on monday-controlled infra (Bedrock/Azure/Vertex) get no data access.
Distinct AI Security & Privacy FAQ and AI Governance trust section. Some agent features in Early Access.
data: Lets external AI agents/copilots (Copilot, Claude, ChatGPT, Cursor, custom) access and act on monday.com data via standardized protocol; dedicated MCP security overview with shared-responsibility model.
Buyer should review the MCP security overview when permitting third-party agents to act on their data.
data: Adds enhanced data protection, secure access controls, and governance over enterprise account data.
Paid enterprise add-on, not in base plans.
// What to watch
- MCP Server lets third-party AI agents act on monday.com data: buyers permitting external agents should review the dedicated MCP security overview and shared-responsibility model.
- Some AI agent capabilities are in Early Access / Request Early Access, so AI feature maturity varies by plan.
- HIPAA support is via BAA only (availability/plan-gated), not a blanket certification.
// At a glance
Pricing model
Freemium SaaS: Free plan plus tiered paid plans (Basic/Standard/Pro) and Enterprise; per-seat pricing. AI and Guardian as add-ons.
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on monday.com's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
monday.com