monday.com logo
monday logo
Learning Resources by monday.com
Help Center
Tutorials and how-to guides for using monday.com
Academy
Interactive courses and webinars that will make you an expert
What’s new
Latest feature releases, improvements, and updates
Video Tutorials
Manage and collaborate on
team projects and tasks from
one place
API Documentation
Technical documentation that gives you the control
Get expert help
Hire a monday.com expert to optimize your workflows
Community
Become part of our community
Community forum
Learn with fellow monday.com enthusiasts
Local facebook communities
Join this community to find monday.com members near you
Global facebook communities
Join one of your most active social communities - the global monday group
Developer community
Share thoughts and questions with like-minded professionals who speak your language
Non Profit community
Give back to the community by working with a NGO or non-profit. Join our exclusive program
Support
Contact sales
Get started
What can we help you with?
  1. Support
  2. Connect & Automate
  3. Apps
Understanding apps marketplace security
    Was this article helpful?

    Understanding apps marketplace security

    3 min read
    Feature

     

    The monday apps marketplace contains ready-made, easy-to-use apps to expand the capabilities of the monday.com platform and fit the unique needs of your business’s workflows, processes, and projects.

    But with great power comes great responsibility. Here are some privacy tips to keep in mind when you're installing apps by external developers on the apps marketplace.

    image 1 - 2024-02-13T164313.059.png

     

    Note: All apps in our marketplace are reviewed by our team for functionality and basic security, however, we do not endorse or certify any apps. As such, you should only install apps that you trust. When you install an app, you will see a list of permissions that the app will have access to. Read on to learn more.

     

    Understand who can install external apps

    Only account admins can install monday apps. If a non-admin wants to install an app, they can request that an admin install the app for them by clicking "Request to add" on the app page in the marketplace:

    Group 1 - 2024-02-13T163421.547.png

     

    The admin will then receive a notification in their bell notifications, such as the one below, as well as to their email inbox.

    image 1 - 2024-02-13T164128.604.png

     

    Explore the apps in the apps marketplace

    Selected apps can be found in the apps marketplace for you to explore and install. Apps will that were built by external developers will have the name of the app developer on the right side of the app description page. Each developer has an email contact for support, installation and sales queries.

    CPT2402131646-1250x703.gif

     

    Certain developers also submit detailed information about their security and privacy practices. If the app has submitted this information, it will be linked here on the description page as shown below:

    Group 1 - 2024-02-13T164856.189.png

     

    Review the app's security & compliance

    To get the full picture of an app's security and compliance, we recommend to view the security questionnaire within the app page! Here you'll find a list of questions and answers pertaining to various aspects of an app's security, privacy, and more so you can feel confident and have all the information you need prior to adding the app to your account. 🙌

    CPT2402141238-1157x702.gif

     

    Note: If an app's security questionnaire is not filled out, it does not mean that app is not secured, it just means that the app developer did not share that specific data with us. If this is the case, you can reach out to the developer directly to ask for more info!

     

    Approve the app's permissions

    Every app requires specific permissions from your monday.com account. Each of the app's permissions (or scopes) are specific to one part of the platform (for example, boards, or updates, or teams) and can be categorized as either read access or write access. When an admin installs an app, they will see a list of the permissions that the desired app is requesting and be able to approve (or cancel) the installation. CPT2402131714-1247x704.gif

     

    Define your organization's approach

    Build an approach or policy for installing apps based on your organization's data management practices. Some factors to consider include: 

    • Which teams will get the most benefit from the app? 
    • Does your IT or legal team need to approve this app before you start using it? 
    • Does the app have additional licensing costs? Do you have to assign a budget for them? 

    Keeping all these factors in mind when considering which apps to download will ensure that your organization manages its data securely. 

     

    Tip: To learn more about how to install or build monday apps, check out this article

     

    Reach out to the app developer to learn more

    If you have any questions about an app or want to learn more about its data management policies, reach out to the developer. They will be able to clarify any specific questions you might have about their app. 

    You can locate the developer's website and the option to contact their support either on the righthand side of the app page, or at the bottom.

    Group 1 - 2024-02-14T123338.907.png

     

    Review the security standards of our apps marketplace

    To be included in our marketplace, all apps must comply with a basic set of security standards. To learn more about our relationships with our marketplace partners, you can read our Marketplace Partner Agreement here. Our security standards include the following:

    • The application must use TLS 1.2 or higher to encrypt all of its traffic.
    • HSTS must be enabled with a minimum age of at least one year.
    • The application must authenticate and authorize all requests.
    • The application must not collect user credentials.
    • Your app must store API tokens securely. They should never be logged, stored in client-side code and public repositories, or made accessible to end-users.
    • Request only the OAuth scopes needed for the documented use of the app.
    • Do not fetch or store data not needed for the publicly documented use of the app.
    • Tracking (and similar) cookies that will track users outside the scope of the app should require user consent.
    • HTTPS certificates must be valid and have an expiration date of at least 1 year from app submission date.
    • You must own the domain name that you use for your app, app’s privacy policy, support, and landing page URLs, or get the appropriate permission from the domain name owner.

     

    Tip: Discover how to list your app in monday’s apps marketplace right here.

     

     

    If you have any questions, please reach out to our team right here. We’re available 24/7 and happy to help.

    Jessica Cohen - Quality check

    Comments