Security and Privacy
Secure development
ApprovalMax develops security best practices and frameworks according to OWASP Top 10 and SANS Top 25. To ensure the highest security in our software, we use the following best practices: Developers participate in regular security training to learn ...
Employee access
Our strict internal procedure prevents any employee or administrator from gaining access to user data. Limited exceptions can be made for our Customer Support team. All our employees sign a Non-Disclosure and Confidentiality Agreement when joining ...
Business continuity
We back up all our critical assets and regularly attempt to restore the backup to guarantee a fast recovery in case of disaster. All our backups are encrypted. For questions related to information security, please refer to our Security Portal.
Dedicated Security Team
The ApprovalMax Security Team consists of security experts dedicated to improving the security of our organisation. Our employees are trained in security incident response and are on call 24/7. For questions related to information security, ...
DDoS protection
We use Distributed Denial of Service (DDoS) mitigation services powered by an industry-leading solution. For questions related to information security, please refer to our Security Portal.
Network-level security
The ApprovalMax network security architecture consists of multiple security zones. We monitor and protect our network to make sure no unauthorised access occurs, using: a virtual private cloud (VPC), a bastion host, or VPN with network access ...
Infrastructure
All ApprovalMax services run in the cloud. ApprovalMax doesn't host or run its own routers, load balancers, DNS servers, or physical servers. Our service is built on Azure Cloud Services, which provide strong security measures to protect our ...
App security protection
ApprovalMax uses security headers to protect our users from attacks. We use security automation capabilities that automatically detect and respond to threats targeting our apps. For questions related to information security, please refer to our ...
App security monitoring
ApprovalMax uses a security-monitoring solution to get visibility into our application security, identify attacks, and respond quickly to a data breach. We use technologies to monitor exceptions and logs, and detect anomalies in our applications. We ...
Payment information
All payment instrument processing is safely outsourced to a third-party payments provider, who is certified as a PCI Level 1 Service Provider. We don't collect any payment information and, therefore, are not subject to PCI obligations. For questions ...
Data encryption
Encryption in transit: All data sent to or from our infrastructure is encrypted in transit via industry best practices using Transport Layer Security (TLS 1.2). Encryption at rest: All our user data (including passwords) is encrypted using ...
Account protection
2-factor authentication: ApprovalMax provides a 2-factor authentication mechanism to protect users from account takeover attacks. Account takeover protection: ApprovalMax protects our users against data breaches by monitoring and blocking brute force ...
Logout on inactivity
To increase security, ApprovalMax supports an automatic logout if a user has been inactive for 15 minutes. You can enable this feature in "My profile" under the Avatar: just click the toggle to change the status. Consequently, the button turns green and the ...
What happens to the emails sent to orders@approvalmax.com?
Such emails go to a dead-end mailbox, which gets cleaned up. We are not monitoring such emails. The security rules applicable to the customer data itself are also applied here. For questions related to information security, please refer to our ...
Does ApprovalMax have an incident response procedure?
Yes, we do have a standard incident response plan; it is covered in our “ApprovalMax Data Security Management Policy”, which can be shared once an NDA has been signed. For questions related to information security, please refer to our Security Portal.
Does the uploaded information get backed up? Are there clear procedures in place in case we need to obtain a backup?
All information you upload in our app is stored in a database in a secure data centre of Microsoft Azure in Ireland (EU), with a backup site in the Netherlands (EU). ApprovalMax utilises the built-in Microsoft Azure backup service and performs two ...
Are the activities performed by users logged and are they accessible if necessary?
We do have logs, but we do not share them with our customers. For questions related to information security, please refer to our Security Portal.
Does ApprovalMax perform regular self-assessments based on international security practices?
We go through third-party penetration testing every year and perform regular internal self-assessments in addition to the external penetration testing. For questions related to information security, please refer to our Security Portal.
Does ApprovalMax have security and privacy accreditation? (SOC Type2, ISO27001, etc.)
We do not have any such certifications (SOC Type 2, ISO 27001 and the like) at the moment. However, we do go through third-party penetration testing every year. For questions related to information security, please refer to our Security Portal.
Does ApprovalMax support 2FA?
ApprovalMax supports 2FA via the TOTP standard. The solution is optional for all users, except Australian users. Here you can see how to enable/disable 2FA. For questions related to information security, please refer to our Security Portal.
Does ApprovalMax support SAML?
Currently, ApprovalMax does not support SAML. However, we'll consider this for future enhancements. For questions related to information security, please refer to our Security Portal.
Security - most frequently asked questions
Below, you'll find the answers to the most frequently asked security-related questions:
· ApprovalMax is GDPR compliant
· ApprovalMax supports Xero SSO, QuickBooks Online SSO, Google SSO
· ApprovalMax supports Xero OAuth 2.0
· ApprovalMax supports QuickBooks ...
Data Protection and Data Recovery
Data Protection: ApprovalMax processes personal data as both a Data Controller and Data Processor, as defined in the Directive and the General Data Protection Regulation (GDPR). We are a Data Controller with regard to the client information we process ...
Supported browsers
ApprovalMax supports the following browsers:
· Chrome (the latest two versions)
· Firefox (the latest two versions)
· Safari (11 or later)
· Microsoft Edge (the latest two versions)
· Opera (the latest two versions)
As the major functionality updates for ...
Restrictions for file upload
There are some restrictions in place for adding attachments to comments. Here are the basic rules for attaching documents in the comment section of a request: · File extensions: any - except .exe, .com, .iso, .dex, .crx, .dmg, .ps1, .msi, ...
Does ApprovalMax support SSO?
At the moment, we only support Google, Xero and Intuit Single Sign-On. We currently do not support Okta, Azure or Office365 SSO. However, we are considering Okta and Azure SSO for development but cannot commit to a time frame right ...
What data will ApprovalMax keep after the termination of a trial or a contract?
Upon termination, all of Your Data retained by ApprovalMax in the system database files shall be made available to you for a period of one year after the date of termination. Thereafter, all of Your Data retained by ApprovalMax in the system database ...
What happens to the customer-owned data?
You are the owner of all data input provided by you and all your output (collectively “Your Data”). ApprovalMax does make backup copies of Your Data. ApprovalMax may store and maintain Your Data for such period of time as it deems necessary. You ...
User login lockout policy
Users are locked out if they make multiple (6) failed login attempts. This is done to prevent brute forcing of user passwords. Users will be able to retry logging in after 30 minutes. Other sessions (e.g. in the mobile app) will not be interrupted. ...
Password policy
Having a strong password is an important part of protecting your information.
· Use 8 or more characters
· Use upper and lower case letters (e.g. Aa)
· Use a number (e.g. 1234)
· Use a special character/symbol (e.g. !@#$)
· Different from your other passwords ...
Where is the data stored?
Because our clients use ApprovalMax for handling their core finance information, we consider the privacy of our clients' data one of our top priorities. All processing of customer data takes place in EU-based Microsoft ...
SSL usage
All data is transferred via a TLS-secured channel. TLS (commonly referred to as SSL) is used for both the web app and the API. For questions related to information security, please refer to our Security Portal.
Who has access to approval requests?
The security logic in ApprovalMax restricts access to approval requests. Any particular request can only be seen by:
· The Requester (the person who created the request)
· The Approvers who make an approval decision for the request
· The Organisation's ...