monday.com Enterprise security audit checklist for compliance teams
Our company is going through a SOC 2 Type II audit and I need to document monday.com's security controls. What Enterprise security features should we be documenting? Specifically I need info on:
- SSO/SAML options
- Data encryption at rest and in transit
- Audit logs
- User permissions granularity
- Data residency options
- Third-party penetration testing
2 Answers
I work in compliance and just completed a similar audit. Here's what you need:
- SSO/SAML: monday.com Enterprise supports Okta, Azure AD, OneLogin, and Google Workspace SAML. Document which one you're using.
- Encryption: TLS 1.3 in transit, AES-256 at rest. monday.com hosts on AWS with SOC 2 Type II certified data centers.
- Audit Logs: Available in Enterprise; they track all user actions, file access, and data exports. Export capability is critical for auditors.
- Permissions: Document your permission group structure. Key features: board-level permissions, column permissions, item privacy, and guest access controls.
- Data Residency: Available for EU and US data centers. If relevant, document your selection.
- Penetration Testing: monday.com publishes annual penetration test results. Request the latest report via your Customer Success Manager.
Pro tip: Request the 'Security & Compliance' whitepaper from monday sales; it has all the language auditors need.
Don't forget to document your internal security policies for monday.com usage. Auditors will want to see: password policy enforcement, the 2FA requirement, session timeout settings, and the data export approval workflow. We failed our first audit because we couldn't document our internal controls, even though monday.com's were fine.