Security & EU servers in monday.com (2021)
So welcome to tonight's webinar, which is co-hosted between Omnitas Consulting and monday.com, all about security and EU servers. So there's going to be a good lot of GDPR, Schrems II, and a lot of that good stuff to try to make you as secure as you can be. A disclaimer here from the start: we are not a legal or solicitors' firm, so this is not legal advice. It's just advice. Please contact your solicitor for proper advice, but this will hopefully point you in a good direction for where you're headed. For tonight, we are in the middle of the introduction already, and then we're going to get into what GDPR is and what data residency is, and why it matters. How did Schrems II change the game, and what is it even? Maybe you've heard of it without knowing what it is. We'll get into that as well. And then we're going to answer the age-old question: can I, as a European, actually use anything other than an EU server? Then we're actually going to take a look, with the help of Matthias here from monday.com, into the enterprise security package, which can really help you up your GDPR and your security scheme. And then also take a look at, if you're on a US server right now, how do you migrate to an EU server? Then we're going to end off with a Q&A. And as per usual, questions are welcome throughout the webinar, and if they fit, we're going to get to them right away. And if we feel that this could probably wait till the Q&A, then we'll save them. But we will make a note of them and we will go through them, so don't worry. So here with me tonight: I'm Fredrik Kastenholm, I'm the CRO at Omnitas, your common host to these events. With me here today I have these two gents. Want to say hi yourselves, guys? Yes, definitely, I can start. Thank you, Fredrik. And thank you, everyone, for joining.
I am Matthias, omnichannel product manager for the Nordics at monday.com, so I'm really excited to join this webinar. Security is one of the main areas we see, not only for our customers but in software and in the world in general, that is increasing in importance. So I'm really excited to put some of our insights forward to you and also answer any questions that you might have. Yeah. And I'm Thomas, I think most of you have seen me and heard of me before. So I hope the rest of you can be a bit more attentive than that: it took basically seven minutes of a security webinar and she fell asleep. I'm impressed. You stayed awake for seven minutes. Yeah, we barely made it through the agenda. So I hope the rest of you will find this more interesting. Hopefully. And let's all help to get it as interesting as we can, so keep those questions coming. We'll try to get to them as best as we can. So I will be monitoring the chat. Let's get into the first topic of today, then: GDPR. The big thing we all heard about, that everyone has been afraid of. And then it came out, and some have seen it wasn't that bad, and some have been like, oh no, I can't do anything anymore. And where's the truth? Yeah, it's somewhere in the middle, actually, as per usual. So GDPR, as we all know, stands for the General Data Protection Regulation. It is the European Union's legal framework handling any type of personal data. And it is applicable to all European Union countries and the UK, because since Brexit, as most of you here know, they basically copied what they had, since they had GDPR, and put in a UK GDPR. It's actually called UK GDPR. So it's the same, but it is its own legal framework today since Brexit. That's basically what GDPR is. And that leads us into the more interesting question of personal data. What is personal data? Because that's really what we're talking about here. It's rather easy.
Personal data is any piece of data that refers either directly or indirectly to a natural person. And when I say natural person, it's a physical person I'm talking about here. So not a real person. Yeah. And actually they have to be alive; otherwise GDPR doesn't take dead people into account. A living person, that's what we're talking about. And it's also any other type of information that can help you identify such a person. So we're talking about, of course, like we see here in my list: names, addresses, Social Security numbers or your national equivalent of that, email addresses. And that's basically the list for a CRM system. And then we get into employment records, health care data (and we're going to get back to that one), IP addresses, which, yes, are personal data. A picture of a person is personal data, video and sound recordings too. So when you are recording your meetings today through Google Meet or Teams or Zoom or whatever, yeah, that's personal data, and it's actually personal data for several people, so congrats, you actually need to store that correctly. And of course economic data and so much more. And this is sometimes gathered under the umbrella PII, personal identification information, as well. So if you see that acronym somewhere, it more or less applies to this. I think something worth mentioning is that GDPR doesn't really care about who the data belongs to; the data belongs to a person no matter the umbrella. So I have a personal email address, obviously, and my personal email address is really easy to identify me with, but I also have an Omnitas email address which is equally easy to identify me with. Yeah, you can't go and say, yeah, but it's a company address, so it's really the company's. No, because it still identifies you. So sorry, you can't claim we're having a CRM and we don't really need to adhere to GDPR because we only store stuff that pertains to companies. Yeah, sure you do.
Not according to the European Union. And I promised I was going to get back to healthcare data. And it's actually a few more things, like political affiliation, race, gender, trade union membership. These are examples of things that are highly restricted data. So you just went up a level when you start storing those. So you actually need even better reasons to even be able to store it. And there are much stricter rules on how you need to use it and give your users access to that data. I've seen some examples of that in our travels through different clients. It is special data, and profiling data as well. So, for example, if you as an organization use any kind of personality tests or stuff like that, that would go straight into the more restrictive kind of data, actually. And a good example of that is the very common, highly debated DISC model with the four different colors. Just stating that someone is green is actually enough. Yeah. Saying "I met this person, she's really red," yeah, you're in deep water now, because now you've got another level of strictness to how you need to store that data, and you actually need to explain why you need to have that data. We have already started talking about rules. So what are the rules? This is not in any way a complete list, but it's an amalgamation of some of the top-level ones, the most important rules, the TL;DR. The total regulation documentation is a bit longer than one slide. One of the main rules is basically: you may only store data you actually need, and you basically have to, in your process, go through why you need it, and only for as long as you need it. So personal data shall, or should, be deleted once you don't need it, and it's up to you to do that. And of course you need legal grounds for storage or use of personal data. What are legal grounds? There's actually a set of legal grounds set within the GDPR.
And they include such things as: you need the information to be able to make good on a contract. You need it for sales purposes. Yes, sales and marketing is actually included here. So all the "oh no, I can't send a cold email anymore": yes you can, and it's actually taken care of within the GDPR. You can do that. What you can't do is arbitrarily add someone to a list, an email list. Then you need consent to do that. And consent happens to be another of the legal grounds: to have the consent of the person to use their data. There are a few more. I would urge you to actually read up on these, because you need to cover them, and you actually need to document what type of legal ground you have for storage. The main part of GDPR is, of course, for us as companies, or data handlers, collectors or processors, to basically respect personal integrity. And to give a bit of a flashback: we had a bit of trouble back in, say, the 40s in Europe, and we learned a good lesson from that one, where we found out that personal integrity is actually rather good, and it's all of these things that have come into law later on. And one of the main driving forces behind the GDPR has actually been Germany. Respecting personal integrity includes: we need to see that the person we collect data about has the right to be informed that we are collecting the data. So when adding someone into your CRM system, you actually need to tell them I have done so. We need to give them the right to correct any faulty entries from our end, the right to be deleted and forgotten (so, please delete us), the right of access so they can actually access their data, and the right of limitation, so basically they can tell us you may use this data for these purposes but not for these other purposes.
And also the right of portability, which basically means if you have someone in your CRM and they say... well, let's pretend you're a bank, that's easy. You're a bank. One of your clients says, yeah, but I want to use this app. Then you actually have to provide your information to that app if they say so, and if it's not a big technical hassle for you and all that. Yes, of course, but mainly you actually have to give out that data when they say so. You also need to report any information breaches within 72 hours, and it's not actually within 72 hours of it having occurred, but from when you found out that it had occurred. And yes, that includes weekends. GDPR doesn't make any kind of allowance for it being a Saturday or Christmas. You have 72 hours. On the prospect of personal integrity, I think there's obviously also a corporate responsibility for how you maintain and how you protect this information as well, right? Even if it's not explicit in this list. Sorry, go ahead. Yeah, but basically you need to have a privacy policy set in order, which basically states which of your staff can access what data, at what times, under what circumstances. And you basically need to have what's called a data protection assessment, or impact assessment actually, a DPA for short, which includes all of these. And it's big and small, right? I would argue that one of the biggest oversteps in regards to GDPR is bloated mailing lists, or bloated "to" and "cc" fields. I don't know how many of you have received emails where there are 200 people that the email is sent to, and every recipient can see the other people in that email. That's not really protecting anybody. No, that's a clear breach, because you have spread all of those email addresses to all of those people. So that's a breach and needs to be reported. And who do you report to? You report to your local authority.
So for us here in Sweden it's IMY, or in the UK it's the ICO, for example. And so every country has its own organization, but they all adhere to this network. But if you don't want to go that far, there are also data privacy officers at a lot of the companies, whom you can notify and say, hey guys, I don't appreciate this. I think everybody should use that right as well. Obviously, Matthias, I know monday.com has a data privacy officer, right? Yeah, of course. Yeah. And that's actually one of the rules. All companies with 250 or more employees actually have to have one, and it might actually come earlier, but then it's dependent on what kind of data you use and how much of it and stuff like that. So it's more of a gray area. But if you're more than 250 employees, which monday.com was some years ago, you need to have one. And it doesn't need to be a staff member, an employee; it can be someone from outside the company. That's completely up to you, but you should have one. And what happens if you don't follow GDPR? Well, you will get fined if you're in breach. And we will get into later on how bad that can be. But as a worst-case scenario, it's 4% of your global revenue. And what does global revenue mean? Well, if you are a company included in a large group of companies, then it's 4% of all of those revenues that's going to be counted. Congrats. And the minimum amount is €20 million. It's whichever one is the highest of those that actually comes into effect. Then of course it can be less than that. But yeah. I'm sorry, it actually has some teeth, let's put it like that. Yeah. Actually, you know, before we jump on, I just want to highlight what we mean with that: GDPR holds you responsible for your suppliers. Yeah. It means that you can't blame your suppliers.
Well, if I have a privacy policy that doesn't state that we're transferring data to a third country, but I'm using HubSpot, I cannot, when this becomes a legal matter, say, but it's HubSpot's fault, they don't have EU servers. No. And they still don't, by the way. Exactly. And if HubSpot changes anything, even if it's outside the scope of your contract, it's still your fault. You're going to be fined. You can then, of course, put claims towards HubSpot for breaking your contract, but still, it's your fault, because you should be on top of that. So GDPR is strict and you will always be the one to blame. Then you can try to push the blame later on, and that's a completely different court case, but it is strict. And in monday.com's case, they have actually made a huge effort to be GDPR compliant as well. So you can never transfer blame over to Monday if you don't live up to the regulations now. Yeah, you're right, Thomas. And I think it's a really good point. And at the end of the day, whether it's Monday or whoever your supplier is, or whatever the case, it's always your responsibility. But what we do at monday.com is try to make sure that our customers have the options to make decisions to be as compliant as possible, which is why we provide many different things that we will touch upon today. And I think one other unfortunate cost with GDPR: one thing is the financial impact, which is obviously horrendous in itself, but it's also the trust and the goodwill that has been built with one's customers that is truly broken, and in truth and fairness, a lot harder to replace and get back. It's another huge, huge cost. So we especially want to mitigate any and all of those side effects. Yeah. And just to add, I think it was actually you who put it this way a bit back in an earlier webinar, but GDPR is not just a legal framework.
It's a way of doing business. And that's quite true, because it should affect how we think and how we take care of what some of our customers' contacts actually value and treasure most highly, which is their data, their personal data. You are entrusted with that, so you should take care of it. What's rather special with GDPR is that it's global. It doesn't care where you are. If you operate with any kind of European data, you can be sitting in the middle of Texas and you're subject to GDPR. And guess what? The EU has contracts with most other nations, so they will put you in court as well. So if, by happenstance, you're a company in Houston and you have a website and you store cookies, and you have people from Europe coming to your website visiting and you're putting cookies on them, congrats, you are just now storing personal data from Europe. You're subject to GDPR. If you don't want that hassle, you'd better block any IP address from Europe. Yeah, but otherwise you're game. So it is harsh, and it's a cover-all kind of tactic they have gone with, which in itself is a bit of a political statement actually. So, what holds up in court? Yeah, we'll see when the cases start rolling out. But some have, and it seems to work. But then the question of data residency: why is this important? Well, data residency is actually at the core of GDPR, because one of the triggering events that really pushed GDPR, or fast-tracked GDPR, which was already in the books, was actually some intelligence activity from certain states, which basically handled a bit too much private information and didn't really take care of foreign information in a way that the EU could regard as meaningful. So things were put in place kind of quickly.
And the state I'm talking about is, of course, the one with the flag in the picture; you may guess which. What is basically said within the GDPR is that personal information may not leave the European Union's borders, or your national borders, which in our case is the European Union, in any circumstance except for three, and it's the three listed ones. So it's when the Commission has stated that a country has adequacy, which basically means we have checked their rules and regulations and they're at least as strict as we are. This is a rather short list, but among the countries you find here is Israel. So monday.com, from a GDPR standpoint, as an Israeli company, is actually GDPR safe, because they are within our framework. The European Commission has said so. You find a few other nations here as well. The UK, only recently; basically they were without for a bit just after Brexit, but they are adequate now. And you have Argentina, Canada in some cases, New Zealand, Uruguay and a couple of other countries. There's a list on the European Commission's website, so you can check that there. That's the top one. So if they've said so, GDPR says just handle it as any other European country, basically. Or, if you impose strict security measures after a rather strict analysis, it might be okay. And what we're talking about here (yes, I'm going to let you in a second), what we're talking about here is so-called standard contractual clauses, or binding contractual clauses. And this is actually how monday.com handles the EU-US kind of trade-off here. So that may be done in certain cases. But just because monday.com has done that doesn't mean you don't have to. Sorry. You need to do that yourself. So when you sign on with monday.com you are actually entering into their SCCs, as they're called, but you still need that rather strict analysis. And then it's in single occurrences, when stuff just happens one time, that might be okay, but...
In the second bullet, I really want to stress the fact that it says strict. I have consulted at companies where they say, oh, the data is encrypted, so it's safe, I have made the analysis, let's approve all our data going to the US. That's not what the second bullet is trying to accommodate at all. It's actually not even close. So the data analysis is not done by just a speedy CEO, right? No. And if you're not up to speed with the legal framework, you should probably have someone help you with that. Yeah. And one thing: it's not okay to just do it once, so you can't say, well, I've done this for Monday, for example, so now I can start using Mailchimp as well. No, it requires its own, exactly the same, detail-oriented, detailed-level analysis again. So you need it for every single new technology you're implementing. And if you don't have that, you are not going to have a fun day when the authorities are looking into whether you've done things correctly. Because this is basically what will protect you even if something goes wrong: having that documentation that says I have really, really tried to be compliant with the legal framework. Matthias, is there anything from a monday.com perspective you would like to add on this slide? Yeah. So one of the things that we also have some customers asking about, and this is in general, not just with monday.com, is also the origins of the company that you are dealing with. So monday.com is a good example of an Israeli company that then, for example, went public a few months ago on Nasdaq, which resides in the US. Yes, it's a big one and we're really happy. But we went public on Nasdaq, which resides in the US. So some customers asked, well, what does that mean? In some cases that means that a company chooses to actually become American. And that is true in some cases.
But monday.com actually kept being an Israeli company even though it's publicly traded on Nasdaq, which means we actually avoid a lot of the issues regarding third-party processes and hosting through third-party American companies that we see in some of the more recent security frameworks being put out. So it's a really positive thing in this case. And without going into American law, I think we can summarize it by saying American law only applies to American companies, correct? Yeah, or mainly so. So, like, the FBI can't come knocking on monday.com's door saying hi, we want all your data. No, go to target. And so that will be a foreign affair. I think... So we got a question in the chat: how can small organizations manage this? If I give the very un-legal, easy answer to that question: make sure your data is in the EU. And then we have a few more slides. But especially data residency, if you're a small organization and you're worried. It's also that the fine is going to be felt more. If you're a big organization, even if you get $20 million, or euros, in a fine, it might be okay. But if someone were to fine me 4% of Omnitas' revenue, that would be a disaster, right? And we're still a ten-man company. So it actually becomes even more important when you're a small actor to make sure that you're not playing loose with the rules. Yeah. And I would say, Sarah, to your question here, the main thing is: have a proper privacy policy. How do you, as a company, handle personal data? Educate your staff in how you do that, and set up permissions. Since you're using monday.com, you have a really good toolbox that can help you and make your life easier. Have a think.
If you're not already on an EU server, have a think about actually doing that, because the strict part actually vanishes when you're not trying to move data across borders, because then you need an analysis, and it can basically say, yeah, it's encrypted, it's nice, it's within the EU, it won't be propagated, and we have our privacy policy here which takes care of how we use that data. But that was very simplified; we are approximating the truth. I think this is a good segue to continue, because the big answer is actually covered in the coming slides, like, how do we protect ourselves? Yeah. One thing we just wanted to make a note of here: there is such a thing called the Five Eyes alliance, which includes the US, New Zealand, Australia, Canada and the UK. If any of these are included in your data transfers, you actually want to step up your analysis game a bit, and it's actually required in some of the rulings. And that's because this is an intelligence network and they do share intelligence, especially with the top flag, which is a not too trusted party when it comes to the European Union. So that's why, even though otherwise the UK and Canada and New Zealand have adequacy, you still need to up your game somewhat and make sure that your analysis is spot on when those countries come into play. So we actually have a few rulings, and they are starting to roll out. These are a few: one we thought was kind of fun, one because they're Swedes, as are we, and one that's a company that most of you have probably heard about. So the first one was actually a hospital here in Stockholm, where Omnitas is actually sitting right now. They were fined approximately 2% of their annual revenue for that year. Yeah. So they didn't get the full force of the fine, but they got halfway there. Well, because they had no adequate risk assessment and they lacked control of which doctors
could access what medical data in this case. So basically, regardless of which department you were staffed at, you could still go in and read someone's journal. And then the authority said no, we're not going to have that, you're fined. And if we roll this back to a monday.com perspective, just to give you the picture: this is obviously a hospital, this is highly sensitive data because it's medical records, but it's the equivalent of running a monday.com Pro account with everything in the main workspace and all the boards as main boards. That's a great idea. Yeah. So what we're talking about here is that if we have information that is covered by the GDPR, we need to also look at how we restrict it in our work operating systems as well, not only for medical records. Yeah. And the reason why they got to that 2% level is just because it was medical data, because now they were in stricter territory and the fine will be upped. And the other company, which was British Airways, got fined €22 million. The initial estimate from the ICO, the UK authority, was actually around 300 million, because they wanted to squeeze them for the full shebang, but they ended up not doing so. And why not? Well, because it was less protected data, so to speak. But what happened here? Well, they had a breach. They had a hacking attack. And the hacking attack in itself was not the problem here; it was that it had been easily preventable. They hadn't taken any security measures like two-factor verification, which was actually one specifically named measure in the ruling. And they hadn't used any permission settings or anything like that. So basically everything was open to everyone, and you basically needed an email address to log in, and that was it. monday.com single sign-on would have been enough. Yeah, to prevent it. The fine: they were not fined because they were hacked.
They were fined because they hadn't even tried to prevent any hacking. No. Their privacy policy and the measures from that hadn't been enough. They had slacked on the job and they got fined for it. Yeah. And also, just to add to British Airways, it's a good example of obviously a lot of money, but also, you know, the cost of people not booking a flight with these guys, maybe for a week, maybe two weeks, would probably multiply this to a lot higher cost for the company. Yeah. Someone going, like, yeah, I'm going to go Lufthansa instead. That's terrible for them, of course. So let me fall back a little on the chat, please, gentlemen. So we had a follow-up here. It's a concern when we use a lot of these platforms like Mailchimp, SurveyMonkey, etc. And that's actually a very valid concern. And it's something that we need to start looking at when we select software: do they provide a service in the EU or not? Mailchimp is a really good example of a market-dominating service that has still opted to only run American servers, meaning that they are actually seeing clients leave them for alternatives like MailerLite. It's basically the same functionality, but they have everything hosted within the EU. So we're actually getting to a point where more and more you have the American version and the European version of more or less the same service. Zapier and Integromat are a good example as well. Zapier and Integromat on a surface level provide basically the same service. You can have different opinions on which one is easier to use, which is more connectable. But Zapier, if you use it, all your data goes to the US no matter which services you're using it to connect with. With Integromat, your data stays in the EU. So shopping for software today, you need to actually look at: do they have EU servers? And if you're an active client you should demand it. I mean, why should I stay with you guys if you're not helping me be compliant?
Yeah, if you make my life less easy in that regard, however easy you make it in other regards, what's it worth to me? Basically, that's the question you need to put to yourself. And then we could actually move into Lucy's question. So within monday.com, would it be best to have individual workspaces per client to create shareable boards and dashboards? Well, no, actually not, because they are already private. So they are using permissions. So you have already put up those gaps, or those airtight kind of procedures, just by having those shareable boards, because they can't access anything else. The shareable board is invite only, right? Including internally in your own organization. So that's actually good enough to protect it. Yeah. And it works kind of nicely. So you don't need to do that. Otherwise you're just going to end up with a ton of workspaces that you don't need. And obviously we got a follow-up question saying, so, to be clear, we can't use a US-based service like Zapier? Or are there just additional steps you need to take, if you can, stuff like that? Okay, I'll give you an example. You are a company selling in the UK. You manage clients all over Europe and you're using Mailchimp or Zapier. To start with, if you need to start being compliant in any way, you need to have a privacy policy stating that all our sales contacts' personal identification information is being transferred to a third country. If you don't want to put that in your privacy policy, that's like the big first breaking point. And then obviously you still need to do the reviews of all these services: are they secure enough? Do we have everything in place? But we're not saying that a service that's located in the US is a big red X. No, no. We're saying that it requires very extensive documentation.
And we have a good comment from our good friend Paul, that there are companies that are putting together all the policy documents and trainings to make sure that companies are GDPR compliant. And he mentioned an example of one of those. So that's also something that you can do. So don't go from here thinking that as soon as it's a service located in the US, it's a big no-no, but you need to have your documentation in line to support the fact that you're using a service outside of the EU. So it's a question of taking more steps, having a deep review, and changing the legal work that you need to. Which actually brings us to Schrems, as I think it's pronounced, or "skrems" as we say here in Sweden, which is actually rather funny, because that word, if we pronounce it as a Swede would, would be "skräms", and that means to be frightened, basically. And that's actually what that ruling has managed to do for a lot of people. Schrems is basically the court case between Facebook and a guy called Maximilian Schrems. I guess he's German. In rather short terms, this is what ended the US Privacy Shield and Safe Harbor. The EU court said those regulations are not sufficient for us to say that we can transport data into the US. So if you are using a US-based service today that is reliant on Privacy Shield or Safe Harbor, then it's time to do your homework a bit, because no, you can't do that anymore. That's in clear violation of the GDPR. So we got a really good hint in the chat: yes, we are aiming to get this done in the next 15 minutes, but it also means that Fredrik needs to speed up some of the less important slides. Yeah. So that's Schrems II. So when you hear about it, it's a court ruling. That's what it is. Your question here from earlier, sir, I think we answered this one. No, you can use software from a third country, but you need to do more administration to do it. That's it.
And I haven't seen any numbers, but being management consultants, we have insight into a lot of companies, and I would argue that it's actually a very small part of all the companies that have every single piece of documentation they need, because they might not even know that they're using a service in the US, because some companies don't even have a centralized IT department knowing exactly what systems are being used for what kind of information. Companies tend not to use permissions for who can integrate with what software and stuff like that. And all of a sudden some nice part of the marketing team is using a completely new piece of software, which they integrate into the CRM system just because it's fun and they can. And then all of a sudden your data ends up where you haven't made that review or anything. So that's why you need your policy and why you need to educate your staff. Everyone needs to know about it. Let's move into monday.com territory. What has monday.com done to make our life easier? That is the million dollar question. I'm happy to shed some light on that. So let's go on to the next slide, and we can see, obviously, this is a really important area for monday.com. I spoke about how monday.com wants to empower the customers to make the right decisions and set everything up the way they want to, and being compliant is one of those things. So the obvious one is EU data residency. We've mentioned that many times. I'll mention it again now, and if you call me tomorrow, I'll mention it again. This is a very, very important and easy step to make a big leap into being compliant. It is just a very easy way of doing a lot of the stuff that you need to do. Yeah. Thomas, last time when we talked about this, we actually got a question: how can I see if my monday.com account is in the US or the EU?
Since then, there's actually been a feature added to the admin page. So if you go to that account, it says "Data Residency: EU" if it's in the EU; if it doesn't say anything, it's in the US. If you don't know where you are, we can kind of blanket say that you're on the US server, because it is a special thing to get onto the EU server still. So if you don't know that you have specifically ordered an EU account, then you're on the US one. And also I just want to pick up a question from William here, which is a really good question in the chat: my understanding is companies have to pay for the premium account to be able to get their data stored, located within the EU. And as we mentioned, you don't need to have it in the EU to be compliant. There are ways around it, but a lot of the features that we mentioned here are enterprise features that make it a lot easier for you to be compliant, and reduce the amount of management you have to do, the headaches that you will have. So that is from the enterprise account, which also obviously has many, many other benefits that I'm sure the guys at Omnitas are happy to go through with you, should that be needed. One of those things is the activity log, right? I actually come from a security background, and one thing that you also need to remember to present is what has happened within the software and who has made those actions. So this is traceable back five years, which is usually what the auditors will require. Also, we talked about the permissions both in terms of boards, workspaces and item levels. But equally important is actually the more technical side, which is integrations, because we are not helping anyone if we are managing what's happening within our platform but then we're sending it somewhere on another continent; then we're basically just making up the issue for ourselves.
So it's also about managing what systems are talking to what systems. And that's not just for monday.com, that's across any solution you're working with within your business. We could put in on the second bullet there that, for the Pro account, for example, it's a one-year activity log that's being kept. Yeah. So it's a big step up, and you will fly straight in through the audit companies and say, yeah, we're good. Exactly, exactly. So it's a very important feature as well. The same goes for managing the sessions and panic mode, which is the one where, should you be breached, you can shut down everyone, lock everyone out and find the culprit, or find the entry point of the culprit within your monday.com platform. So that's also a huge security check to have in place. We talk more about permissions: the more granularity you have, the more control you have, and the more security you can propose to anyone who dares audit you. We could probably say that an enterprise can slice and dice the permissions however we see fit. Exactly. It's the building blocks that monday.com provides within the security part of monday.com, if you want. What's really interesting is also the account insights, like understanding which boards are private and which are not, having that whole granularity. You can imagine, once your use of monday.com grows, hopefully to a massive amount, then having that kind of clarity and easy visibility really makes life a lot easier for an admin as well. There are a lot of things that we want to put in your hands here. We've got a question in chat here. So let's put this straight. Only enterprise level accounts can be on the European servers. How do you get your European residency?
Well, give us a call and we'll help you out, but we're going to need to upgrade you if you're not already on an enterprise account, because that's the only ticket in to that kind of service. So it's an enterprise feature to be able to have it. Is there anything in the roadmap around this as well, Matthias, that you can share? We're just going to save that for a future teaser. What we can say for data residency is that monday.com is releasing new features on a weekly basis within security. We have over 130,000 customers, from the smallest ones to the conglomerates. So this is a very, very important area for us, to answer the questions earlier, both for small businesses and also for larger businesses to have faith and be compliant, which you can be now and also in the future. So if anything, stay on the edge of your seat and keep following all of our releases. We're only going to introduce more features within this. Cool. Yeah. And we can say, I'm sure you have seen more than me and Thomas, but me and Thomas have seen our fair share of what's in the roadmap, and it's a crazy year ahead of us with that. So how do we migrate an account? If we have a US based account and we want to migrate to the EU servers, how do we do that? Well, I think this is yours. Yeah. So first of all, there's no way to get an EU account without talking to anybody at monday.com or a partner. That's the first thing, right? If you have a partner, if you have an account manager at monday.com, reach out and say, hey, I want to be upgraded to an EU account. That's the first thing. And then they will open the EU account for you. But monday.com takes security... I mean, Matthias basically should be saying this, but I'll take it for you: monday.com takes the security so seriously
that they have purposefully restricted the data access between the two data regions, meaning there's no way in the back end for monday.com to move the data between EU and US. And that's a clear, distinct security measure, but it means it could be a little tedious to move. Either you choose to start blank on your EU account, which might actually be a good cleanse, because then you make sure that you don't have old residual CRM data or stuff that you really shouldn't be keeping anyway, or you have to export and import it. There's a bit of a hassle to it. We at Omnitas have developed a script where we can actually migrate 98% of everything more or less automatically, which is super helpful from a time-saving perspective. Yeah. And it's been tried and tested, let's say, since the EU servers opened up. We've basically done two migrations per week since this summer, just to give some examples. And also I'm going to fire off some questions from the chat, if I may. Yeah, I can take Anna's there, for example. So Anna asked: if I operate in the UK and the US, should I have my data stored in the EU or the US? You should have it stored in the EU, preferably, because it's a much stricter regulation set, which you are going to have to adhere to anyhow. So I would opt in for EU all the way, because if you comply with the EU regulation, you are way above what the Americans would ask of you. So go for it. Yeah. And I think the next slide is actually our Q&A slide, right? So we can just as well move to that, because we're going to be covering the chat now. I'll keep firing some questions. Things like IP restriction or basic security access control, it's a shame that it's not available to Pro accounts. I don't agree that it's actually a basic security access protocol to have IP blocking and IP restriction. If you actually look at the market, it is an enterprise feature. So I would have to disagree.
So if you move across to the enterprise level, do we have to create all new templates, etc.? Again, yes. If you're using custom templates, they will not carry over; you need to recreate them on your servers. That's how rigid the system is, I agree. We have a Pro account and we'll need to upgrade to enterprise just to get the EU features. Yeah, there are all sorts of sides to that. One is, initially, if you think that's the only feature you'll get from enterprise, that's one thing. But actually having a conversation with your contact about the full value of the enterprise, you'll see there's a lot more. As we spoke about, it's not just being in the EU; that doesn't just make you compliant. There's a lot more that you can do, and that will be possible through that. Yeah. No, no, no. Let's be rather clear about that. Just moving your server to the EU won't magically solve anything. You still have to do all of the privacy work. Yes, you still need to do some analysis, and you still need to set your permissions. But there are a lot of things you will do, and stuff will be much easier, because it's not as strict when working within the European Union as it is when starting to transfer data. Yeah. So it's easier, but there is still work to do. It's like any tiering system, right? If you want to get the formula column, you have to take the Pro account. But you also get all these other features that will enhance your monday.com usage. So really reach out to a monday.com CSM or to one of the partners in the monday.com Partner network. So when you do the upgrade, make sure that you leverage all the additional features you're getting as well, so you're not only upgrading for the server location, but also you get to use the added features and functionality. Exactly. And there are a lot of things you can do, and you actually get more out of everything, because one thing you might want to leverage actually to be compliant is automations.
Do you remember the first point on the rules? Right. You can only store data as long as you need it, and that you actually have to have in your privacy policy. How long do we keep data, for example, in a CRM system? Usually, if we haven't had contact with this contact for a year, we should delete it. And how do you monitor that? Well, in monday.com, with automations, of course. And then you're going to run a heck of a lot of automations all of a sudden, and then you might need the enterprise tier anyway for that. So there are a lot of things that you actually get from a beneficial standpoint from the enterprise. And then of course it's actually getting all of monday.com. So we have a good clarification question in the chat. So just to clarify one thing: if I have a Pro account, that means that my data is held outside of the EU. And yes, that is the case, because monday.com is offering EU servers for enterprise accounts only. Yeah. So Basic, Standard and Pro are always US based; Enterprise accounts can be US or EU based. We have covered everything we need. Obviously, I hope that you don't go away and be super scared, but know that GDPR is something that needs to be respected and it needs to be managed. You can find help. Yeah, like Paul mentioned, there are companies that are specialized in helping to make sure that your policies are up to date, that you're conducting yourself accordingly. And then there are easy solutions: use a bit of permissions, make sure you know where your data is located, where it's being processed, and so on. Right. If you made a big point of keeping all your data in the EU, maybe you shouldn't use MailChimp as the only service outside of the EU. And so on and so forth. So there are a few questions to consider. You're always, of course, welcome to contact us. Like Fredrik stated, we're not lawyers, we are management consultants. So we deal with this on a daily basis.
But we also, when in doubt, consult real legal experts. Yes. We have a few of them in our network. So we reach out. I think it's just super important to know that you have a lot of things you can do. So even if you think there might be some red flags or small alarms going off, just know there are a lot of things you can do to help yourself and your organization, and just get in touch with your main contact. We are happy to help you here at Omnitas and monday.com. So now it's that time of the day. So guys, if you appreciated this webinar, please be sure to sign up to either our newsletter and/or our YouTube channel, because if you follow our YouTube channel, you will get all future webinars, at least after the fact. And in the near future, we will also be starting with other video content in regards to monday.com, not least. So be sure to find us on YouTube and subscribe. If you want to contact us at Omnitas and have a discussion with us further about your situation, find our details at Omnitas.com. We know it's a Swedish domain, but the site is all in English, so you won't be confused. Contact information is there, and you can book a meeting with us straight away from the website. So feel free to reach out and we'll help you as best as we can. So someone realized that the webinar was over and woke up.