Understanding monday marketplace security

 

The monday marketplace features ready-made, easy-to-use apps that build upon monday's capabilities and fit the unique needs of your business’s workflows, processes, and projects.

As always, with great power comes great responsibility. Here are some privacy tips to keep in mind when you're installing apps by external partners in the apps marketplace.

 

Who can install external apps

Only account admins can install monday apps. If a non-admin wants to install an app, they can request that an admin install the app for them by clicking "Request to add" on the specific app's page in the marketplace.

 

The admin will then receive a notification with the approval request.

 

 

Explore the apps in the apps marketplace

Selected apps can be found in the apps marketplace for you to explore and install. Apps that were built by external partners will have the name of the app partner on the right side of the app listing. If the app is recognized for its commitment to data protection, a green shield badge will be displayed next to its name. Each partner has an email contact for support, installation, and sales queries.

 

Certain partners also submit detailed information about their security and privacy practices. If the app has submitted this information, it will be linked on the description page.

 

Review the app's security & compliance

Apps that meet our specific data protection and security standards criteria will feature a green shield badge.

 

This means that the app is either:

  • hosted on monday code, which is our secure hosting infrastructure, and the partner has confirmed that no data is shared outside of monday.com
  • OR the app is certified for SOC 2 and attests to GDPR, ensuring alignment with global data security standards. 

However, it is still important for you to review the app and ensure that it meets your specific data privacy and security requirements beyond the scope of the ones mentioned above.

 

To get the full picture of an app's security, click on the Security & Compliance tab.

 

Here, you'll find a list of questions and answers provided by the app partner regarding various aspects of an app's security, privacy, and more. If you still don't feel confident or don't have all the information you need before adding the app to your account, you can contact the partner directly.

 

Note: If an app's security questionnaire is not filled out, it does not mean that the app is not secure. It means that the app partner did not share that specific data with us. You can reach out to the partner directly to ask for more information.

 

Approve the app's permissions

Every app requires specific permissions from your monday.com account. Each of the app's permissions (or scopes) is specific to one part of the platform (for example, boards, updates, or teams) and can be categorized as either read access or write access. When an admin installs an app, they will see a list of the permissions that the app is requesting and can approve (or cancel) the installation.

 

Define your organization's approach

Build an approach or policy for installing apps based on your organization's data management practices. Some factors to consider include: 

  • Which teams will benefit most from the app? 
  • Does your IT or legal team need to approve this app before you start using it? 
  • Does the app have additional licensing costs? Do you have to assign a budget for them? 

Keeping all these factors in mind when considering which apps to download will ensure that your organization manages its data securely. 

 

Tip: Learn more about how to install or build monday apps.

 

Reach out to the app partner

If you have any questions about an app or want to learn more about its data management policies, contact the partner. They can clarify any specific questions you might have about their app. 

The partner's website and the option to contact their support are located on the right-hand side of the app page or at the bottom.

Note: Our team reviews all apps in our marketplace for functionality and basic security; however, we do not endorse or certify any apps. The information below is provided by the app partner to better understand this app's security and compliance and was not verified by monday.com.

 

Review the security standards of our apps marketplace

To be included in our marketplace, all apps must comply with a basic set of security standards. To learn more about our relationships with our marketplace partners, you can read our Privacy and security policy as well as our Marketplace Partner Agreement.

Our security standards include the following:
  • The application must use TLS 1.2 or higher to encrypt all of its traffic.
  • HSTS must be enabled with a minimum age of at least one year.
  • The application must authenticate and authorize all requests.
  • The application must not collect user credentials.
  • Your app must store API tokens securely. They should never be logged, stored in client-side code and public repositories, or made accessible to end-users.
  • Request only the OAuth scopes needed for the documented use of the app.
  • Do not fetch or store data not needed for the publicly documented use of the app.
  • Tracking (and similar) cookies that will track users outside the scope of the app should require user consent.
  • HTTPS certificates must be valid and have an expiration date of at least 1 year from app submission date.
  • You must own the domain name that you use for your app, app’s privacy policy, support, and landing page URLs, or get the appropriate permission from the domain name owner.
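
The transport-related items in this list (TLS version, HSTS max-age, certificate expiry) can be checked mechanically when you evaluate an app's endpoint. The following is an added example, not code from monday.com: the observation dictionaries are constructed samples standing in for values you would collect from a live connection (the string from ssl.SSLSocket.version(), the notAfter field from getpeercert(), and the response headers with lowercased names), and "one year" is assumed to mean 365 days.

```python
import ssl
from datetime import datetime, timedelta, timezone

ONE_YEAR = timedelta(days=365)         # assumption: "one year" read as 365 days
ALLOWED_TLS = {"TLSv1.2", "TLSv1.3"}   # strings as returned by ssl.SSLSocket.version()

def hsts_max_age(header):
    """Return max-age (seconds) from a Strict-Transport-Security value, or None."""
    for directive in (header or "").split(";"):
        name, _, value = directive.strip().partition("=")
        value = value.strip().strip('"')
        if name.strip().lower() == "max-age" and value.isdigit():
            return int(value)
    return None

def check_endpoint(obs, submitted_on):
    """Compare one observed HTTPS endpoint with the transport rules listed above."""
    findings = []
    if obs["tls_version"] not in ALLOWED_TLS:
        findings.append(f"tls: negotiated {obs['tls_version']}, need TLS 1.2 or higher")
    # Header names are assumed to be lowercased by whatever collected them.
    age = hsts_max_age(obs["headers"].get("strict-transport-security"))
    if age is None:
        findings.append("hsts: header missing or no valid max-age")
    elif age < ONE_YEAR.total_seconds():
        findings.append(f"hsts: max-age {age}s is under one year")
    # notAfter uses the format "Mon DD HH:MM:SS YYYY GMT".
    not_after = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(obs["cert_not_after"]), tz=timezone.utc)
    if not_after < submitted_on + ONE_YEAR:
        findings.append(f"cert: expires {not_after:%Y-%m-%d}, under one year from submission")
    return findings

# Constructed sample observations (not real apps).
SUBMITTED = datetime(2024, 11, 11, tzinfo=timezone.utc)
GOOD = {"tls_version": "TLSv1.3",
        "headers": {"strict-transport-security": "max-age=63072000; includeSubDomains"},
        "cert_not_after": "Nov 20 12:00:00 2025 GMT"}
WEAK = {"tls_version": "TLSv1.1",
        "headers": {"strict-transport-security": "max-age=86400"},
        "cert_not_after": "Feb  9 12:00:00 2025 GMT"}

if __name__ == "__main__":
    for name, obs in (("good", GOOD), ("weak", WEAK)):
        print(name, check_endpoint(obs, SUBMITTED) or "ok")
```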

 

 

If you have any questions, please reach out to our team right here. We’re available 24/7 and happy to help.
