Security and Privacy
Passkey: Frequently Asked Questions
Can I use a passkey instead of 2FA? If you choose to use a passkey, you won't be prompted to set up 2FA – irrespective of whether or not it is mandatory in your Organisation. Also, if you have 2FA already enabled and then set up a ...
How to set up / delete a passkey
A passkey is a new type of authentication method that aims to replace passwords. It uses a combination of hardware and software to create a secure and more user-friendly login experience. Passkeys rely on strong cryptographic methods and biometric ...
Do I need to activate 2FA if I use a passkey?
If you choose to use a passkey, you won't be prompted to set up two-factor authentication (2FA) – irrespective of whether or not 2FA is mandatory in your Organisation. Also, if you have 2FA already enabled and then set up a passkey, you won't have to ...
What is a passkey?
A passkey is a new type of authentication method that aims to replace passwords. It uses a combination of hardware and software to create a secure and more user-friendly login experience. Here's a breakdown: How it works: Device-specific: passkeys ...
How to generate backup codes for 2FA?
As a backup method for Two-Factor Authentication (2FA), ApprovalMax provides the ability to generate backup codes. These backup codes serve as a reliable and secure method to access your account in case you cannot use the primary 2FA method, such as ...
Troubleshooting: Error during enabling 2FA using the Microsoft Authenticator app
When you set up new 2FA access using the same email address, the following error can occur: Please note that this is a bug on Microsoft's end, as explained in this source. To overcome this issue, a workaround is available. ...
What is "Trust this device" feature?
The "Trust this device" feature is a functionality that allows users to designate a specific device as trusted during the login process. When enabled, this feature provides the user with the convenience of bypassing the usual two-factor ...
Support of a 24-hour token expiration
A 24-hour token expiration refers to a security mechanism where authentication tokens, which are generated after successful login or authentication, have a limited lifespan of 24 hours. Once this period elapses, the token becomes invalid and cannot ...
How does 2FA work on mobile devices?
2FA is mandatory only for Xero users as per Xero restrictions, while Pin/Face ID is mandatory for all users. If you have enabled both Pin/Face ID and 2FA, you'll have to use both for authentication when you log into the system. You won't have to ...
2FA: Frequently Asked Questions
What happens if I just don't enable 2FA? If it's Soft Enforcement, you'll see a pop-up prompting you to set up 2FA with every page refresh. However, you can skip it until the next refresh. If it's Hard Enforcement, you'll be ...
2FA enforcement
Using 2FA protects against unauthorised access to a person's account and increases data security. Due to Xero requirements, ApprovalMax enforces 2FA for all users who access Xero-connected Organisations. ApprovalMax is now offering two types of 2FA ...
Why doesn't my Google Authenticator code for 2FA work?
The Google Authenticator code may not work because the time isn't correctly synced in your Google Authenticator app. To set the correct time: On your Android device, go to the main menu of the Google Authenticator app. Tap More > Settings > Time correction ...
Secure development
ApprovalMax develops security best practices and frameworks according to OWASP Top 10 and SANS Top 25. To ensure the highest security in our software, we use the following best practices: Developers participate in regular security training to learn ...
Employee access
Our strict internal procedure prevents any employee or administrator from gaining access to user data. Limited exceptions can be made for our Customer Support team. All our employees sign a Non-Disclosure and Confidentiality Agreement when joining ...
Business continuity
We back up all our critical assets and regularly attempt to restore the backup to guarantee a fast recovery in case of disaster. All our backups are encrypted. For questions related to information security, please refer to our Security Portal.
Dedicated Security Team
The ApprovalMax Security Team is comprised of security experts dedicated to improving the security of our organisation. Our employees are trained on security incident response and are on call 24/7. For questions related to information security, ...
DDoS protection
We use Distributed Denial of Service (DDoS) mitigation services powered by an industry-leading solution. For questions related to information security, please refer to our Security Portal.
Network-level security
The ApprovalMax network security architecture consists of multiple security zones. We monitor and protect our network to make sure no unauthorised access is performed using: A virtual private cloud (VPC), a bastion host, or VPN with network access ...
Infrastructure
All ApprovalMax services run in the cloud. ApprovalMax doesn't host or run its own routers, load balancers, DNS servers, or physical servers. Our service is built on Azure Cloud Services, which provide strong security measures to protect our ...
App security protection
ApprovalMax uses security headers to protect our users from attacks. We use security automation capabilities that automatically detect and respond to threats targeting our apps. For questions related to information security, please refer to our ...
App security monitoring
ApprovalMax uses a security-monitoring solution to get visibility into our application security, identify attacks, and respond quickly to a data breach. We use technologies to monitor exceptions and logs, and detect anomalies in our applications. We ...
Payment information
All payment instrument processing is safely outsourced to a third-party payments provider, who is certified as a PCI Level 1 Service Provider. We don't collect any payment information and, therefore, are not subject to PCI obligations. For questions ...
Data encryption
Encryption in transit: All data sent to or from our infrastructure is encrypted in transit via industry best practices using Transport Layer Security (TLS 1.2). Encryption at rest: All our user data (including passwords) is encrypted using ...
Account protection
2-factor authentication: ApprovalMax provides a 2-factor authentication mechanism to protect users from account takeover attacks. Account takeover protection: ApprovalMax protects our users against data breaches by monitoring and blocking brute force ...
Logout on inactivity
To increase security, ApprovalMax supports a system logout if a user has been inactive for 15 minutes. You can enable this feature in "My profile" under the Avatar: just click the toggle to switch the status. Consequently, the button turns green and the ...
What happens to the emails sent to orders@approvalmax.com?
Such emails go to a dead-end mailbox, which gets cleaned up. We are not monitoring such emails. The security rules applicable to the customer data itself are also applied here. For questions related to information security, please refer to our ...
Does ApprovalMax have an incident response procedure?
Yes, we do have a standard incident response plan; it is covered in our "ApprovalMax Data Security Management Policy", which can be shared once an NDA has been signed. For questions related to information security, please refer to our Security Portal.
Does the uploaded information get backed up? Are there clear procedures in place in case we need to obtain a backup?
All information you upload in our app is stored in a database in a secure data centre of Microsoft Azure in Ireland (EU), with a backup site in the Netherlands (EU). ApprovalMax utilises the built-in Microsoft Azure backup service and performs two ...
Are the activities performed by users logged and are they accessible if necessary?
We do have logs, but we do not share them with our customers. For questions related to information security, please refer to our Security Portal.
Does ApprovalMax perform regular self-assessments based on international security practices?
We go through third-party penetration testing every year and perform regular internal self-assessments in addition to the external penetration testing. For questions related to information security, please refer to our Security Portal.
Does ApprovalMax have security and privacy accreditation? (SOC Type2, ISO27001, etc.)
Yes, ApprovalMax has ISO 27001:2022 certification. For questions related to information security, please refer to our Security Portal.
Does ApprovalMax support 2FA?
ApprovalMax supports 2FA via the TOTP standard. The solution is optional for all users except Australian and Xero-connected ones. Here you can see how to enable/disable 2FA and how 2FA can be enforced. For questions related to information security, please ...
Does ApprovalMax support SAML?
Currently, ApprovalMax does not support SAML. However, we'll consider this for future enhancements. For questions related to information security, please refer to our Security Portal.
ApprovalMax policies and safety measures for data security
Here you'll find the most frequently requested information about how ApprovalMax ensures the security and recovery of your data, the login and authorisation options, as well as some of the ApprovalMax policies. All the policies and documents ...
Data Protection and Data Recovery
Data Protection: ApprovalMax processes personal data as both a Data Controller and Data Processor, as defined in the Directive and the General Data Protection Regulation (GDPR). We are a Data Controller with regard to the client information we process ...
Supported browsers
ApprovalMax supports the following browsers: Chrome (the latest two versions), Firefox (the latest two versions), Safari (11 or later), Microsoft Edge (the latest two versions), Opera (the latest two versions). As the major functionality updates for ...
Restrictions for file upload
During the creation of requests in ApprovalMax, you can attach files to a request or in the comment section. However, some technical limitations do apply. Below are the supported file extensions, the size limits, and the number of files that can be attached: Here are the ...
Does ApprovalMax support SSO?
At the moment, ApprovalMax supports Google, Microsoft, Xero, and Intuit Single Sign-On. For questions related to information security, please refer to our Security Portal.
What data will ApprovalMax keep after the termination of a trial or a contract?
Upon termination, all of Your Data retained by ApprovalMax in the system database files shall be made available to you for a period of one year after the date of termination. Thereafter, all of Your Data retained by ApprovalMax in the system database ...
What happens to the customer-owned data?
You are the owner of all data input provided by you and all your output (collectively “Your Data”). ApprovalMax does make backup copies of Your Data. ApprovalMax may store and maintain Your Data for such period of time as it deems necessary. You ...