Your app must meet the following security and privacy requirements to receive approval for the app marketplace:

  1. If your app sends requests to third-party domains, list all of its front-end and back-end domains and explain why you use each of them.

  2. Any tracking done outside the scope of the app must be clearly described and must comply with cookie and other privacy legislation. You must explicitly obtain the user's consent before doing so.

  3. Avoid collecting and storing users' PII, except when it is required for the app's core functionality. Use user and account IDs, rather than PII, to track information about the user.

    Please provide evidence that supports your responses to the following questions:

    • Are you storing any user data in the app database?

    • What user data is stored in the app database?

    • What is the usage of the stored user data?

  4. Only keep the personal data you collect for as long as required. When monday.com or an end user deactivates, deauthorizes, uninstalls, or otherwise terminates an app, you must do one of the following:

    • Permanently delete all end-user data and any metadata that was collected, transmitted, created, or received by the app within ten days, OR

    • Obtain written consent from the end user to retain their data for longer than ten days, provided such consent is clear and explicit. Refer to the developer <a href="https://monday.com/l/legal/developer-terms/" target="_blank">terms</a> for more information.

  5. Describe and demonstrate how data is encrypted at rest. List the encryption algorithms that you use.

  6. Retain relevant logs for at least two months, and share them with users when requested. This may include audit logs, activity logs, user actions, IP addresses, and access logs. Please describe what data you are logging and how long you will retain these logs.

    **Note:** These logs may be helpful while investigating an incident. For example, you can use audit and activity logs to verify whether or not a bad actor accessed a customer’s account.

  7. Authenticate and authorize all requests to secure user data.

    We recommend using the session token if the app has a front end. You can read more about it <a href="https://developer.monday.com/apps/docs/api-reference#session-token" target="_blank">here</a>.

  8. Use known modules to protect against SQL injection. For implementation, include the code that handles SQL injection prevention.

  9. Describe the input validation that the app performs on all user-supplied data. Your app should sanitize input by removing scripts and dangerous HTML tags, and should use known modules that protect against HTML injection attacks.

  10. Do not log or store secrets in client-side code, public repositories, or anywhere accessible to end users. Describe how the app stores secrets and specify whether or not the secrets are stored on the code repository.

  11. Use industry-standard solutions to secure monday.com user access tokens. Describe and demonstrate what security controls you use to protect the monday.com access token.

  12. Only request scopes that your app requires to function. Do not request scopes solely for communication purposes; ensure that you list all of your scopes and explain the usage of each.

  13. Share where you host the backend and its fully qualified name, if applicable.

  14. Explain where you host the front end and its fully qualified name, if applicable.

  15. Use TLS 1.2 or higher to encrypt all traffic.

  16. You must enable HSTS on your server, the server hosting your iframe, and the services used by your application, so that every request your app sends is covered. The HSTS max-age for all resources must be at least one year.

  17. Ensure that your HTTPS certificates are valid.

  18. Resolve all of the issues identified in the Burp security scan.

  19. Only use a domain name you own, or one you have the domain owner's permission to use, for your app and for the app's privacy policy, support, and landing URLs. The support email that you provide should match the domain name.

    Provide evidence by creating a public JSON file with this payload at _https://your_domain/monday-app-association.json_. Make sure to include the app clientID. Add the file to your domain and share its location with us.



Join our developer community!

We've created a <a href="https://community.monday.com/c/developers/8" target="_blank">community</a> specifically for our devs where you can search through previous topics to find solutions, ask new questions, hear about new features and updates, and learn tips and tricks from other devs. Come join in on the fun! 😎