// Trust & Security Report

    monday.com logo

    monday.com

    monday.com Work OS / AI Work Platform (Work Management, CRM, Dev, Service) + monday AI, AI Agents, and MCP Server

    Certifications held

    12

    Maturity

    Enterprise

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type II
    HELD

    We undergo annual external audits for SOC 2 Type II security certification from the American Institute of Certified Public Accountants (AICPA), ISO 27001 ISMS (information security management system) and ISO 27018 (for protecting personal data in the cloud).

    Verify on monday.com
    SOC 1 Type II
    HELD

    Compliance/Certifications: SOC 1 Type II Report, SOC 2 Type II Report, SOC 3 Report

    Verify on monday.com
    SOC 3
    HELD

    Compliance/Certifications: SOC 1 Type II Report, SOC 2 Type II Report, SOC 3 Report

    Verify on monday.com
    ISO/IEC 27001:2022
    HELD

    ISO/IEC 27001:2022 - The most rigorous global security standard for Information Security Management Systems (ISMS)

    Verify on monday.com
    ISO/IEC 27018:2019
    HELD

    ISO/IEC 27018:2019 - Establishes commonly accepted control objectives, controls and guidelines for implementing measures to protect Personally Identifiable Information (PII)

    Verify on monday.com
    ISO/IEC 27017:2015
    HELD

    ISO/IEC 27017:2015 - Provides controls and implementation guidance for both cloud service providers and cloud service customers.

    Verify on monday.com
    ISO/IEC 27032:2023
    HELD

    ISO/IEC 27032:2023 - Provides guidance for improving the state of Cybersecurity, drawing out the unique aspects of that activity and its dependencies on other security domains

    Verify on monday.com
    ISO/IEC 27701:2019
    HELD

    ISO/IEC 27701:2019 - Specifies requirements and provides guidance for establishing, implementing, maintaining and continually improving a Privacy Information Management System (PIMS)

    Verify on monday.com
    CSA STAR
    HELD

    Compliance/Certifications: ... ISO/IEC 27701:2019, CSA Star, TX RAMP

    Verify on monday.com
    TX-RAMP
    HELD

    Compliance/Certifications: ... CSA Star, TX RAMP

    Verify on monday.com
    HIPAA (Business Associate Agreement available)
    HELD

    Privacy Programs: ... HIPAA Business Associate Agreement

    Verify on monday.com
    EU-US Data Privacy Framework
    HELD

    monday.com's US subsidiary, monday.com, Inc., has been certified under the US Department of Commerce's Data Privacy Framework (DPF) to receive data transfers from the EEA, UK or Switzerland to the US.

    Verify on monday.com

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    Customer-selectable AWS regions: US, EU, and AUS (Australia). EU region provides EU data residency.

    monday.com states it does not use customer data to train or enhance its AI models and does not allow its providers to do so. AI model providers (including OpenAI and Anthropic) operate under Zero Data Retention commitments, and monday.com's agreements explicitly prohibit using customer data for model training. Where models are hosted on monday.com-controlled infrastructure (AWS Bedrock, Azure AI, Vertex), the model providers have no access to customer data. Verified via monday AI Security & Privacy FAQ / AI FAQs.

    // Security controls

    Encryption in transit

    TLS 1.3 with modern cipher suite (TLS 1.2 minimum)

    monday.com

    Encryption at rest

    AES-256 or better across infrastructure

    monday.com

    Penetration testing

    Annual third-party pen tests (application + infrastructure) by independent auditors using manual and automated methods; weekly DAST; internal AppSec team conducts ongoing tests

    monday.com

    Bug bounty

    Managed bug bounty program run on HackerOne; vulnerabilities reportable to security@monday.com

    monday.com

    SDLC security

    OWASP Top 10 + CVSS; static analysis and peer review of all code before deployment

    hackerone.com

    Enterprise governance add-on

    Guardian add-on for enhanced enterprise data protection, secure access, and governance

    monday.com

    Uptime / reliability

    Multi-region AWS hosting with disaster recovery site in a separate AWS region; dedicated Uptime & Reliability trust center section

    monday.com

    // Products & data scope

    monday work managementProject & work management (Work OS)

    data: Customer business data on boards, workdocs, dashboards. monday.com acts as Data Processor; customer is Controller. Covered by DPA, SOC 2, ISO 27001.

    Core platform. Free, paid team tiers, and Enterprise plans.

    monday CRMCRM

    data: Customer/prospect contact and pipeline data as CRM items; processed as Processor under DPA.

    AI-first CRM with deal insights, AI notetaker, email generation.

    monday devProduct/engineering management

    data: Sprint, roadmap, and bug-tracking data; same processor/DPA scope.

    For software teams.

    monday serviceIT service / support management

    data: Ticketing and service request data; same processor/DPA scope.

    ITSM/support product.

    monday AI (assistant, AI agents, AI blocks)AI assistant / agents

    data: Sends customer prompts/board context to model providers (OpenAI, Anthropic) under Zero Data Retention; no training on customer data; providers on monday-controlled infra (Bedrock/Azure/Vertex) get no data access.

    Distinct AI Security & Privacy FAQ and AI Governance trust section. Some agent features in Early Access.

    monday MCP ServerAI agent integration (Model Context Protocol)

    data: Lets external AI agents/copilots (Copilot, Claude, ChatGPT, Cursor, custom) access and act on monday.com data via standardized protocol; dedicated MCP security overview with shared-responsibility model.

    Buyer should review the MCP security overview when permitting third-party agents to act on their data.

    Guardian (security & governance add-on)Enterprise security add-on

    data: Adds enhanced data protection, secure access controls, and governance over enterprise account data.

    Paid enterprise add-on, not in base plans.

    // What to watch

    • MCP Server lets third-party AI agents act on monday.com data: buyers permitting external agents should review the dedicated MCP security overview and shared-responsibility model.
    • Some AI agent capabilities are in Early Access / Request Early Access, so AI feature maturity varies by plan.
    • HIPAA support is via BAA only (availability/plan-gated), not a blanket certification.

    // At a glance

    Pricing model

    Freemium SaaS: Free plan plus tiered paid plans (Basic/Standard/Pro) and Enterprise; per-seat pricing. AI and Guardian as add-ons.

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on monday.com's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    monday.com

    > Browse all vendor trust reports