New Startup Workspaces: Risks & Alignment (2026-04-20)
Summary
The core decision: Harmony.ai and Charm.ai will operate as semi-autonomous startups under Monday’s legal entity — operationally separated (domain, Slack, G-Suite, AWS, GitHub) but retaining Monday’s compliance umbrella.
Key tensions:
- Operational autonomy vs. legal-compliance coupling: The teams want independent infra and fast decision-making, but Monday’s regulatory obligations (SOC 2, SEC/SOX, GDPR, ISO) apply regardless of the brand/legal separation chosen.
- Walking between drops: using one laptop for both Monday and Harmony work puts two identity and policy contexts on a single device, which complicates endpoint controls (EDR, DLP, VPN posture) and opens data-leakage paths between the two environments.
- Unresolved: Whether the proposed technical separation (domains, SSO, AWS) suffices for SOC 2/ISO/GDPR compliance while preserving startup speed.
Timeline: May 1, 2026 formal launch of operations; early alpha users by early summer.
Decisions raised
- [DEC-004] Operational separation structure: separate domain, Slack workspace, G-Suite, AWS account, GitHub org, bank account, budget, and Okta tenant
- [DEC-005] Legal entity remains Monday.com; only brand and operations are separated
- [DEC-006] Both Harmony and Charm target SOC 2 compliance by September 2026; each will receive its own SOC 2 report, separate from Monday's (not bundled into Monday's audit)
- [DEC-007] Hire external SOC 2/compliance advisor to guide from design phase; avoid retrospective catch-up
- [DEC-008] Monday’s IT/Security retains monitoring and control; teams get fast-track access for approved vendors/infra but cannot freely add tools without security review
Action items raised
- [AI-018] Engage SOC 2/compliance advisor from day 1 (Harmony + Charm); ensure they map compliance gaps and advise on technical separation viability
- [AI-019] Legal + monday-ny (Nizan?): verify whether the proposed technical separation (independent ops, single legal entity) meets SOC 2/ISO/GDPR/SOX requirements; define “Powered by Monday.com” branding implications
- [AI-020] Define “Fast Track” process for IT/Security approvals: list of pre-approved vendors, criteria for exceptions, escalation path for novel tools
- [AI-021] Map Monday’s existing security controls that can be “injected” into Harmony/Charm infra (CloudGuard, GitHub scanning, DevSecOps) without blocking autonomy
- [AI-022] Document detailed tech-stack requirements (G-Suite, AWS, Anthropic, GitHub, Okta, new vendors) in a shared board/spreadsheet for Legal + Security intake
Open questions raised
- [OQ-020] Is the hybrid laptop scenario (Monday + Harmony work on the same machine) sustainable from a security/compliance perspective? Alternatives: dual laptops, virtualization, browser-profile isolation (Prism)
- [OQ-021] Can GlobalProtect, EDR, and DLP be flexibly applied to hybrid scenarios without creating excessive exceptions or blind spots?
- [OQ-022] Will independent Okta + AWS tenants be manageable by a small Harmony/Charm team, or does Monday IT need to retain ownership with limited delegation?
- [OQ-023] If a Harmony/Charm incident occurs (data breach, vulnerability), does Monday bear the regulatory liability (SEC filing, fines, PR impact)?
- [OQ-024] Can device-level separation (two machines, virtualization, dedicated machines) be deferred or is it mandatory from day 1?
Entities
- vitali — GM Harmony, proposed operational/technical lead
- saar-arbel — Head of Engineering
- nizan-shifman — Strategy lead; leading Charm product parallel track
- roiki — Charm product lead (parallel to Vitali’s Harmony track)
- lital — Mentioned; likely involved in data/analytics setup
- gil-lan — Legal advisor; raised risk around “walking between drops”
- barakle, barakka, ohadfri, liorbe, nitzanbu, liorza, danielli, gilla, amitle, leahgr — IT/Security/Legal/Finance team members
Concepts
- startup-within-monday — structural model (operationally autonomous, legally unified)
- security-vs-autonomy — core tension in this session
- soc-2-compliance — compliance target; separate report expected
- hybrid-work-laptop — security challenge (one machine, multiple identities)
Notable quotes
“We want to be autonomous, like a startup outside, but we’re still under Monday’s legal umbrella and obligations.” — Vitali
“You can’t have it both ways: either you’re fully separated (separate legal entity, your own compliance) or you’re under Monday (and all Monday’s obligations apply, including data-breach reporting, fines, PR impact).” — Gil Lan
“The real issue is not the tech separation — it’s understanding the legal/compliance implications. Once we know what’s possible, we can design the tech around it.” — Nizan / Gil Lan
“If we don’t hire a SOC 2 advisor now, we’ll suffer like Canvas did: gaps will emerge during the audit, and it’ll be expensive to retrofit.” — Multiple speakers
Decisions & action items by owner
| ID | Owner | Status | Deliverable / next step |
|---|---|---|---|
| AI-018 | Nizan / Gil Lan | PENDING | Advisor engagement in progress |
| AI-019 | Nizan / Legal | PENDING | Legal audit of separation model |
| AI-020 | Barak (IT) | PENDING | Fast Track process definition |
| AI-021 | Barak (IT) + DevSecOps | PENDING | Control-injection mapping |
| AI-022 | Vitali / Nizan | IN_PROGRESS | Tech-stack spreadsheet (partial) |