Security and compliance

App security and compliance are essential in helping customers build trust and confidence in an app. Users want to know what data they must share, how it is stored, and how apps are protected against data breaches and attacks.

Many companies also abide by data and security policies that only allow them to use apps that meet specific requirements or are compliant with particular regulations (e.g., GDPR). Sharing your app's security and compliance measures with users enables them to make better-informed decisions while reducing the time between initial app discovery in the marketplace and app installation.

We've created a process that allows you to provide and update your app's security and compliance information at any time through the Developer Center. Our team then reviews this information and adds it the Security & Compliance section of your app's marketplace listing page.

When to submit a request

For new apps, we recommend submitting your initial request while you go through the review process to ensure that the app listing page is ready to go when your app is published. Existing apps can submit a request anytime to provide updated answers and information.

🚧

Providing this information is optional. If you don't, the listing will show No additional information was provided.

Submit a new request

Follow these steps to submit a new request:

  1. Open the Developer Center.

  2. Select your app from the list and click the Listing tab.

  3. Navigate to the Security & Compliance section.

  4. Click New request. This option will be grayed out if you already have a request pending.

  5. Provide the updated information in each section. Each section is optional, so you only need to complete the ones you want to update.

  6. Click Submit request.

  7. Our team will review your request within 10 business days. You can manually track the request status in the Listing tab to know what stage of the process it's in.

Manage your requests

The Listing tab lets you view and manage new and existing requests. You can access each request's name, requestor, submission date, ID, and status there. You can also click on a specific request to open it and see more information.

Request status

The request status tells you what stage of the process your request is in. Each request will always have one of four status labels:

LabelDescription
PendingThe pending label indicates that your request has been submitted and is pending review. If you have a request pending, you won't be able to create a new one until it is canceled, approved, or rejected.
ApprovedThe approved label indicates that your request was successfully approved, and the updates took immediate effect. A small green dot next to the label denotes current the live version.
CanceledThe canceled label indicates that your request was submitted and then canceled by you or another admin.
RejectedThe rejected label indicates that your request did not pass the review and the changes were rejected. You can read comments from our team in the request, make the suggested changes, and submit a new request.

Request versioning

New requests are pre-filled with the live app listing page content by default. If you want to create a new request based on a different version, follow these steps:

  1. Locate and open the request you want to version.
  2. Click New request from this version in the top-right corner. This will create a new request using the content from the requested version.
  3. Make your new updates and click Submit for review.

Cancel a request

You can cancel pending requests before they're approved or rejected by clicking the Cancel request button in the top-right corner of the request. Currently, you can't delete any requests through the UI.

Request questions

The following section lists all of the questions included in the request. You don't have to answer all of them, but we highly advise answering as many as possible to give users the answers they need!

Security

  • Does the developer periodically perform penetration testing?
  • Does the developer have a dedicated security and privacy point of contact for such issues or questions?
  • Does the app restrict redirects and forwards only to approved destinations, or show a warning when redirecting to potentially untrusted content?
  • Does the app protect against mass parameter assignment attacks?
  • Does the app perform encoding and sanitization on all user-supplied parameters to protect against Cross-Site Scripting?
  • Does the developer protect all state-changing actions against Cross-Site Request Forgery (CSRF)?
  • Does the developer have mechanisms to notify monday.com in case of a security breach?
  • Does this developer have a process for installing application-level updates and security patches for the service (such as software packages and databases)?

Privacy

  • Does the developer enforce multi-factor authentication on employees' access to systems that may process customer data?
  • Does the developer protect access to customer data based on the principle of least privilege?

Data

  • Where does the app store logs data?
  • Where does the app store the app data?
  • Does the developer ensure application logs do not contain secrets or personally identifiable information (PII)?
  • Is customer data segregated from the data of other customers (for example, logically or physically)?

Compliance

  • Is the app compliant with the Health Insurance Portability and Accountability Act (HIPAA)?

  • Is the app certified with System and Organization Controls (SOC 1, SOC 2, SOC 3)?

  • Is the app compliant with the General Data Protection Regulation (GDPR)?