Security and Privacy
Passkey: Frequently Asked Questions
Q: Can I use a passkey instead of 2FA? A: If you choose to use a passkey, you won't be prompted to set up 2FA – irrespective of whether or not it is mandatory in your Organisation. Also, if you have 2FA already enabled and then set up a ...
How to set up / delete a passkey
A passkey is a new type of authentication method that aims to replace passwords. It uses a combination of hardware and software to create a secure and more user-friendly login experience. Passkeys rely on strong cryptographic methods and biometric ...
Do I need to activate 2FA if I use a passkey?
If you choose to use a passkey, you won't be prompted to set up two-factor authentication (2FA) – irrespective of whether or not 2FA is mandatory in your Organisation. Also, if you have 2FA already enabled and then set up a passkey, you won't have to ...
What is a passkey?
A passkey is a new type of authentication method that aims to replace passwords. It uses a combination of hardware and software to create a secure and more user-friendly login experience. Here's a breakdown: How it works: Device-specific: passkeys ...
How to generate backup codes for 2FA?
As a backup method for Two-Factor Authentication (2FA), ApprovalMax provides the ability to generate backup codes. These backup codes serve as a reliable and secure method to access your account in case you cannot use the primary 2FA method, such as ...
Troubleshooting: error when enabling 2FA using the Microsoft Authenticator
When setting up a new access to 2FA using the same email address, this error can occur: Please note: This is a bug on the Microsoft side, as explained in this source. As a workaround, instead of using the QR code for installation, please follow these ...
What is "Trust this device" feature?
The "Trust this device" feature is a functionality that allows users to designate a specific device as trusted during the login process. When enabled, this feature provides the user with the convenience of bypassing the usual two-factor ...
Support of a 24-hour token expiration
A 24-hour token expiration refers to a security mechanism where authentication tokens, which are generated after successful login or authentication, have a limited lifespan of 24 hours. Once this period elapses, the token becomes invalid and cannot ...
2FA: Frequently Asked Questions
Q: What happens if I just don't enable 2FA? A: If it's Soft Enforcement, you'll see a pop-up prompting you to set up 2FA with every page refresh. However, you can skip it until the next refresh. If it's Hard Enforcement, you'll be ...
Options to Enforce Two-Factor Authentication (2FA)
Using 2FA protects against unauthorised access to a person's account and increases data security. Due to Xero requirements, ApprovalMax enforces 2FA for all users that access Xero-connected Organisations. ApprovalMax is now offering two types of 2FA ...
The Google Authenticator code for 2FA is not working
If your 2FA code is not working, consider these possible reasons: Expired code: 2FA codes are time-sensitive. Ensure you are using the most recently generated code. Incorrect Authenticator: verify that you are using a code from the Authenticator app ...
How does ApprovalMax ensure security in software development?
ApprovalMax develops security best practices and frameworks according to OWASP Top 10 and SANS Top 25. To ensure the highest security in our software, we use the following best practices: Developers participate in regular security training to learn ...
Do ApprovalMax employees have access to the customer data?
Our strict internal procedure prevents any employee or administrator from gaining access to user data. Limited exceptions can be made for our Customer Support team. All our employees sign a Non-Disclosure and Confidentiality Agreement when joining ...
Does ApprovalMax ensure uninterrupted business continuity?
We back up all our critical assets and regularly attempt to restore the backup to guarantee a fast recovery in case of disaster. All our backups are encrypted. For questions related to information security, please refer to our Security Portal.
Is a dedicated ApprovalMax Security team on call 24/7?
The ApprovalMax Security Team is comprised of security experts dedicated to improving the security of our organisation. Our employees are trained on security incident response and are on call 24/7. For questions related to information security, ...
Does ApprovalMax use Distributed Denial of Service protection?
We use Distributed Denial of Service (DDoS) mitigation services powered by an industry-leading solution. For questions related to information security, please refer to our Security Portal.
How is the ApprovalMax network security architecture built?
The ApprovalMax network security architecture consists of multiple security zones. We monitor and protect our network to make sure no unauthorised access is performed using: A virtual private cloud (VPC), a bastion host, or VPN with network access ...
Is the ApprovalMax infrastructure built on cloud services?
All ApprovalMax services run in the cloud. ApprovalMax doesn't host or run its own routers, load balancers, DNS servers, or physical servers. Our service is built on Azure Cloud Services. They provide strong security measures to protect our ...
How does ApprovalMax ensure the app security protection?
ApprovalMax uses security headers to protect our users from attacks. We use security automation capabilities that automatically detect and respond to threats targeting our apps. For questions related to information security, please refer to our ...
Why and how does ApprovalMax monitor the security of its apps?
ApprovalMax uses a security-monitoring solution to get visibility into our application security, identify attacks, and respond quickly to a data breach. We use technologies to monitor exceptions and logs, and detect anomalies in our applications. We ...
Are payments processed by a PCI Level 1 service provider?
All payment instrument processing is safely outsourced to a third-party payments provider, which is certified as a PCI Level 1 Service Provider. We don't collect any payment information and, therefore, are not subject to PCI obligations. For questions ...
How is my data encrypted during transit and while at rest?
Encryption in transit: All data sent to or from our infrastructure is encrypted in transit via industry best practices using Transport Layer Security (TLS 1.2). Encryption at rest: All our user data (including passwords) is encrypted using ...
How does ApprovalMax ensure the protection of my account?
Two-factor authentication: ApprovalMax provides a two-factor authentication mechanism to protect users from account takeover attacks. Account takeover protection: ApprovalMax protects our users against data breaches by monitoring and blocking brute ...
How can I activate "Logout on inactivity" in My Profile?
To increase security, ApprovalMax supports a system logout if a user has been inactive for 15 minutes. You can enable this feature in My profile under the Avatar: On the Security tab toggle the status by clicking on . Consequently, the button turns ...
What happens to the emails sent to orders@approvalmax.com?
Such emails go to a dead-end mailbox, which gets cleaned up. We are not monitoring such emails. The security rules applicable to the customer data itself are also applied here. For questions related to information security, please refer to our ...
Does ApprovalMax have an incident response procedure?
Yes, we do have a standard incident response plan; it is covered in our "ApprovalMax Data Security Management Policy", which can be shared once an NDA has been signed. For questions related to information security, please refer to our Security Portal.
Does uploaded information get backed up and how can we obtain a backup?
All information you upload in our app is stored in a database in a secure data centre of Microsoft Azure in Ireland (EU), with a backup site in the Netherlands (EU). ApprovalMax utilises the built-in Microsoft Azure backup service and performs two ...
Are the user activities logged, and accessible if necessary?
We do have logs, but we do not share them with our customers. For questions related to information security, please refer to our Security Portal.
How does ApprovalMax practice international security self-assessments?
We go through third-party penetration testing every year and perform regular internal self-assessments in addition to the external penetration testing. For questions related to information security, please refer to our Security Portal.
Does ApprovalMax have a security and privacy accreditation, e.g. SOC Type2, ISO27001?
Yes, ApprovalMax has ISO 27001:2022 certification. For questions related to information security, please refer to our Security Portal.
Does ApprovalMax support 2FA via TOTP?
ApprovalMax supports 2FA via the TOTP standard. The solution is optional for all users, except Australian and Xero-connected ones. Here you can see how to enable/disable 2FA and how 2FA can be enforced. For questions related to information security, please ...
Does ApprovalMax support SAML?
Currently, ApprovalMax does not support SAML. However, we'll consider this for future enhancements. For questions related to information security, please refer to our Security Portal.
ApprovalMax policies and safety measures for data security
Here you'll find the most frequently requested information about how ApprovalMax ensures the security and recovery of your data, about login and authorisation options, and about some of the ApprovalMax policies. All the policies and documents ...
Data Protection and Data Recovery
Data Protection: ApprovalMax processes personal data as both a Data Controller and Data Processor, as defined in the Directive and the General Data Protection Regulation (GDPR). We are a Data Controller with regard to the client information we process ...
Which of the common browsers are supported by ApprovalMax?
ApprovalMax supports the following browsers: Chrome (the latest two versions), Firefox (the latest two versions), Safari (11 or later), Microsoft Edge (the latest two versions), Opera (the latest two versions). As the major functionality updates for ...
What are the restrictions for file upload?
During the creation of requests in ApprovalMax, you can attach files to a request or in the comment section. However, some technical limitations do apply. Below are the supported file extensions, the size limit and the number of files that can be attached: Here are the ...
The data ApprovalMax will keep after the termination of a trial or a contract
All of your data retained by ApprovalMax in the system database files will be available to you for a period of one year after the date of termination. Thereafter, it will only be available to you upon your remittance of a reasonable fee to ...
What happens to the customer-owned data?
You are the owner of all data input provided by you and all your output (collectively “Your Data”). ApprovalMax does make backup copies of Your Data. ApprovalMax may store and maintain Your Data for such period of time as it deems necessary. You ...
User login lockout policy
Users are locked out after multiple (6) failed login attempts. This is done to prevent brute forcing of user passwords. Users will be able to retry logging in after 30 minutes. Other sessions (in the mobile app) will not be interrupted. ...
What requirements are in the ApprovalMax password policy?
Having a strong password is an important part of protecting your information. Use 8 or more characters; use upper and lower case letters (e.g. Aa); use a number (e.g. 1234); use a special character/symbol (e.g. !@#$); different from your other passwords ...