Security and compliance

App security and compliance are essential in helping customers build trust and confidence in an app, which ultimately leads to more app installations and subscriptions.

Users want to know things like what data they must share, how it is stored, and how apps are protected against data breaches and attacks. Many companies also abide by data and security policies that only allow them to use apps that meet specific requirements.

Sharing your app's security and compliance measures with users enables them to make better-informed decisions while reducing the time between initial app discovery in the marketplace and app installation.

To make this information as accessible as possible, we've created an optional security and compliance questionnaire where developers can share relevant information about their app. The answers to these questions will then be displayed on the Security & Compliance tab on the app's listing page for all monday.com users.

Process

Submitting the security and compliance questionnaire is a straightforward process that can be completed anytime. For new apps, we recommend completing it while your app goes through the review process to ensure that the app listing page is up-to-date when your app is published.

Existing apps can resubmit the questionnaire anytime to answer new, additional questions. Any app that has not yet submitted a questionnaire will display "No additional information was provided." in the Security & Compliance tab.

Once you're ready to submit the questionnaire:

  1. Access the form here.
  2. Answer as many questions as possible. Any questions without answers will show XXXXXXX on the app listing page.
  3. The app listing page will be updated within 10 business days.

Questions

The following sections list every question on our data and security questionnaire. Remember that while you don't have to answer all the questions, we highly advise answering as many as possible to give users the answers they need!

Data

  • Is customer data segregated from the data of other customers (e.g., logically or physically)?
  • Do you ensure logs do not contain secrets and PII?
  • Do you protect access to customer data from non-classified company employees?

Security

  • Do you have a process for installing application-level updates and security patches for your service (e.g. software packages, databases)?
  • Do you have mechanisms to notify monday.com in case of a security breach?
  • Do you protect all state-changing actions against CSRF?
  • Do you perform XSS encoding and sanitization on all user-supplied parameters?
  • Does the app protect against mass parameter assignment attacks?
  • Does the app verify that redirects and forwards only allow destinations that appear on an allow list, or show a warning when redirecting to potentially untrusted content?
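The last question above asks whether redirect and forward destinations are checked against an allow list. The following is an added example of such a check for a Node.js app (it is not code from monday.com or from the questionnaire); the allow-listed hosts, the base origin and the sample inputs are constructed for illustration.

```javascript
// Allow-list validation for redirect targets, using the WHATWG URL parser
// that ships with Node.js. Hosts and origin below are constructed examples.
const ALLOWED_HOSTS = new Set(["app.example.com", "auth.example.com"]);
const ALLOWED_SCHEMES = new Set(["https:"]);
const BASE_ORIGIN = "https://app.example.com";

// Returns a normalized absolute URL the app may redirect to, or null when the
// target is not on the allow list. Relative paths resolve against BASE_ORIGIN.
function resolveRedirect(target) {
  if (typeof target !== "string" || target.trim() === "") return null;
  let url;
  try {
    // Absolute URLs keep their own origin; "/path" and "//host/path" are
    // resolved against BASE_ORIGIN so protocol-relative targets are caught.
    url = new URL(target, BASE_ORIGIN);
  } catch {
    return null; // unparsable input is rejected rather than passed through
  }
  // Reject non-https schemes (javascript:, data:, http: downgrades).
  if (!ALLOWED_SCHEMES.has(url.protocol)) return null;
  // Reject embedded credentials, e.g. "https://app.example.com@other.host/".
  if (url.username !== "" || url.password !== "") return null;
  // Exact host match only: no suffix or substring matching, so
  // "app.example.com.other.host" is not accepted. The parser lower-cases hosts.
  if (!ALLOWED_HOSTS.has(url.hostname)) return null;
  return url.toString();
}

// Picks the validated target or falls back to a fixed safe location, so the
// caller never passes an unvalidated value into a Location header.
function redirectLocation(target, fallback = BASE_ORIGIN + "/") {
  return resolveRedirect(target) ?? fallback;
}

module.exports = { resolveRedirect, redirectLocation };
```

Apply the same check to server-side forwards, not only to HTTP 3xx responses.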

Privacy

  • Do you enforce multi-factor authentication on employees' access to systems that may process customer data?

Compliance

  • Are you compliant with the General Data Protection Regulation (GDPR)?
  • Are you certified with System and Organization Controls (SOC 1, SOC 2, SOC 3)?
  • Are you compliant with the Health Insurance Portability and Accountability Act (HIPAA)?
  • Do you have a dedicated security and privacy point of contact for such issues or questions?
  • Do you periodically perform penetration testing?

monday code

  • Where do you store your app data?
  • Where do you store log data?