Cross-Border Data Transfers

What it is

If you are in the EU, UK, or Switzerland, your personal data may be sent to and processed in the United States, where data protection rules differ from those in your home country, with Standard Contractual Clauses used as the legal transfer mechanism.

Why it matters (compliance & governance perspective)

Transferring personal data out of the EEA to the United States means your data is subject to US law, including potential government access requests, and the adequacy of the transfer mechanism may be subject to legal challenge.

Consumer impact (what this means for users)

EU, UK, and Swiss users' personal data is transferred to the United States under Standard Contractual Clauses, meaning the data leaves the jurisdiction where it receives the strongest legal protections, and users should be aware of ongoing legal uncertainty around such transfers.

What you can do

Institutional analysis (Compliance & governance intelligence)

(1) REGULATORY LANDSCAPE: This provision directly engages GDPR Chapter V (transfers of personal data to third countries), the UK GDPR equivalent transfer restrictions, and the Swiss Federal Act on Data Protection. The relevant enforcement authorities are EU national supervisory authorities, the UK ICO, and the Swiss Federal Data Protection and Information Commissioner. The EU-US Data Privacy Framework may also be relevant as an adequacy mechanism, though its long-term stability has been subject to legal challenge and organizations should monitor its status. (2) GOVERNANCE EXPOSURE: High for EEA, UK, and Swiss-based organizations using monday.com. SCCs must be accompanied by a Transfer Impact Assessment (TIA) under GDPR guidance following the Schrems II ruling to evaluate whether US law provides equivalent protection. Failure to maintain current, valid transfer documentation creates regulatory exposure and may result in enforcement action by supervisory authorities. (3) JURISDICTION FLAGS: The highest exposure jurisdictions are Germany, France, Austria, and the Netherlands, whose data protection authorities have historically taken aggressive enforcement positions on US data transfers. UK organizations post-Brexit must evaluate whether International Data Transfer Agreements (IDTAs) rather than EU SCCs are appropriate. Swiss organizations must comply with the revised Swiss FADP transfer requirements. (4) CONTRACT AND VENDOR IMPLICATIONS: Enterprise contracts should include an up-to-date Data Processing Addendum that specifies current transfer mechanisms and includes the executed SCCs or IDTAs as exhibits. Procurement teams should confirm that monday.com's sub-processors in the United States are also covered by adequate transfer mechanisms in the DPA's sub-processor provisions. TIA documentation should be maintained and reviewed when the regulatory landscape changes. (5) COMPLIANCE CONSIDERATIONS: Organizations should request monday.com's current Transfer Impact Assessment documentation or perform their own TIA for the processing activities in scope. DPA review cycles should be triggered whenever transfer mechanism regulations change. RoPA entries for monday.com-related processing should document the transfer mechanism in use and the date it was last verified.

Applicable agencies

Applicable regulations

Provision details

Other risks in this policy

• Data Collection Scope medium
• Third-Party Data Sharing and Advertising Partners medium
• Controller vs. Processor Distinction medium
• Cookies and Tracking Technologies medium
• User Rights and Data Access Requests medium
• AI Feature Data Processing medium

Related Analysis

• OpenAI Changed Its Privacy Policy 4 Times in One Week. Here Is What Actually Changed.

  Ad personalization controls removed. Contact scanning added. Advertiser data partnerships quietly dropped. A timeline of every change.