Dear users,
I am shocked by what happened this week with Monday.com’s Workforms. I use Workforms extensively to collect consolidated — and often sensitive — data such as expense reports, benefit requests, and performance reviews (mid-year and end-of-year).
To my surprise, despite setting restrictions using the “People” column for my end-of-year review form, I discovered that when someone clicks Form → Results, they can see all responses and comments from every respondent — including those from other teams and containing highly confidential information.
In my case, employees completed their mid-year review. Everything appeared correct on the board, but as soon as you click “Results,” ANY user can view responses from anyone, including salary requests and other personal data.
How is this GDPR-compliant? This means employees can see private, identifiable data from their colleagues without authorization.
I consulted two monday consultants, both of whom confirmed this is highly irregular and likely a serious data protection breach. However, when I contacted Monday.com support, they told me this behavior is “normal,” cannot be disabled, and that I could only use a workaround.
If this is indeed the intended design, it raises serious concerns about trust in Monday.com as a platform for handling sensitive data.
