ApprovalMax | Security And Privacy

Security and Privacy
How to generate backup codes for 2FA?
As a backup method for Two-Factor Authentication (2FA), ApprovalMax provides the ability to generate backup codes. These backup codes serve as a reliable and secure method to access your account in case you cannot use the primary 2FA method, such as ...
Troubleshooting: Error during enabling 2FA using the Microsoft Authenticator app
When you encounter an issue while setting up a new access to 2FA using the same email address, the error can occur: Please note that this is a bug on Microsoft's end, as explained in this source. To overcome this issue, a workaround is available. ...
What is "Trust this device" feature?
The "Trust this device" feature is a functionality that allows users to designate a specific device as trusted during the login process. When enabled, this feature provides the user with the convenience of bypassing the usual two-factor ...
Support of a 24-hour token expiration
A 24-hour token expiration refers to a security mechanism where authentication tokens, which are generated after successful login or authentication, have a limited lifespan of 24 hours. Once this period elapses, the token becomes invalid and cannot ...
How does 2FA work on mobile devices?
2FA is mandatory only for Xero users as per Xero restrictions, while Pin/Face ID is mandatory for all users. If you have enabled both Pin/Face ID and 2FA, you'll have to use both for authentication when you log into the system. You won't have to ...
2FA: Frequently Asked Questions
Question Answer What happens if I just don't enable 2FA? If it's Soft Enforcement, you'll see a pop-up prompting you to set up 2FA with every page refresh. However, you can skip it until the next refresh. If it’s Hard Enforcement, you'll be ...
2FA enforcement
Using 2FA protects from unauthorised access to a person's account and increases data security. Due to Xero requirements, ApprovalMax enforces 2FA for all users that access Xero-connected Organisations. ApprovalMax is now offering two types of 2FA ...
Why my Google Authenticator code for 2FA doesn't work?
Google Authenticator code may not work because the time isn’t correctly synced on your Google Authenticator app. To set the correct time: On your Android device, go to the main menu of the Google Authenticator app. Tap More Settings Time ...
Secure development
ApprovalMax develops security best practices and frameworks according to OWASP Top 10 and SANS Top 25. To ensure the highest security in our software, we use the following best practices: Developers participate in regular security training to learn ...
Employee access
Our strict internal procedure prevents any employee or administrator from gaining access to user data. Limited exceptions can be made for our Customer Support team. All our employees sign a Non-Disclosure and Confidentiality Agreement when joining ...
Business continuity
We back up all our critical assets and regularly attempt to restore the backup to guarantee a fast recovery in case of disaster. All our backups are encrypted. For questions related to information security, please refer to our Security Portal.
Dedicated Security Team
The ApprovalMax Security Team is comprised of security experts dedicated to improving the security of our organisation. Our employees are trained on security incident response and are on call 24/7. For questions related to information security, ...
DDoS protection
We use Distributed Denial of Service (DDoS) mitigation services powered by an industry-leading solution. For questions related to information security, please refer to our Security Portal.
Network-level security
The ApprovalMax network security architecture consists of multiple security zones. We monitor and protect our network to make sure no unauthorised access is performed using: A virtual private cloud (VPC), a bastion host, or VPN with network access ...
Infrastructure
All ApprovalMax services run in the cloud. ApprovalMax doesn't host or run own routers, load balancers, DNS servers, or physical servers. Our service is built on Azure Cloud Services. They provide strong security measures to protect our ...
App security protection
ApprovalMax uses security headers to protect our users from attacks. We use security automation capabilities that automatically detect and respond to threats targeting our apps. For questions related to information security, please refer to our ...
App security monitoring
ApprovalMax uses a security-monitoring solution to get visibility into our application security, identify attacks, and respond quickly to a data breach. We use technologies to monitor exceptions and logs, and detect anomalies in our applications. We ...
Payment information
All payment instrument processing is safely outsourced to a third-party payments provider, who is certified as a PCI Level 1 Service Provider. We don't collect any payment information and, therefore, are not subject to PCI obligations. For questions ...
Data encryption
Encryption in transit All data sent to or from our infrastructure is encrypted in transit via industry best practices using Transport Layer Security (TLS 1.2). Encryption at rest All our user data (including passwords) is encrypted using ...
Account protection
2-factor authentication ApprovalMax provides a 2-factor authentication mechanism to protect users from account takeover attacks. Account takeover protection ApprovalMax protects our users against data breaches by monitoring and blocking brute force ...
Logout on inactivity
To increase security, ApprovalMax supports a system logout if a user has been inactive for 15 minutes. You can enable this feature in "My profile" under the Avatar: Just toggle the status by clicking on . Consequently, the button turns green and the ...
What happens to the emails sent to orders@approvalmax.com?
Such emails go to a dead-end mailbox, which gets cleaned up. We are not monitoring such emails. The security rules applicable to the customer data itself are also applied here. For questions related to information security, please refer to our ...
Does ApprovalMax have an incident response procedure?
Yes, we do have a standard incident response plan, it is covered in our “ApprovalMax Data Security Management Policy” that can be shared when an NDA has been signed. For questions related to information security, please refer to our Security Portal.
Does the uploaded information get backed up? Are there clear procedures in place in case we need to obtain a backup?
All information you upload in our app is stored in a database in a secure data centre of Microsoft Azure in Ireland (EU), with a backup site in the Netherlands (EU). ApprovalMax utilises the built-in Microsoft Azure backup service and performs two ...
Are the activities performed by users logged and are they accessible if necessary?
We do have logs, but we do not share them with our customers. For questions related to information security, please refer to our Security Portal.
Does ApprovalMax perform regular self-assessments based on international security practices?
We do go through 3rd party penetration testing every year, and perform regular internal self-assessment in addition to the external penetration testing. For questions related to information security, please refer to our Security Portal.
Does ApprovalMax have security and privacy accreditation? (SOC Type2, ISO27001, etc.)
Yes, ApprovalMax has ISO 27001:2022 certification. For questions related to information security, please refer to our Security Portal.
Does ApprovalMax support 2FA?
ApprovalMax supports 2FA via TOTP standard. The solution is optional for all users, except Australian and Xero-connected. Here you can see how to enable/disable 2FA and how 2FA can be enforced. For questions related to information security, please ...
Does ApprovalMax support SAML?
Currently, ApprovalMax does not support SAML. However, we'll consider this for future enhancements. For questions related to information security, please refer to our Security Portal.
Security - most frequently asked questions
Below, you'll find the answers to the most frequently asked security-related questions: ApprovalMax is GDPR compliant ApprovalMax supports Xero SSO, QuickBooks Online SSO, Google SSO, Microsoft SSO ApprovalMax supports Xero OAuth 2.0 ApprovalMax ...
Data Protection and Data Recovery
Data Protection ApprovalMax processes personal data as both a Data Controller and Data Processor, as defined in the Directive and the General Data Protection Regulation (GDPR). We are a Data Controller with regard to the client information we process ...
Supported browsers
ApprovalMax supports the following browsers: Chrome (the latest two versions) Firefox (the latest two versions) Safari (11 or later) Microsoft Edge (the latest two versions) Opera (the latest two versions) As the major functionality updates for ...
Restrictions for file upload
During the creation of requests in ApprovalMax, you can attach files to a request or in comment section. However, some technical limitations do apply. Below are supported file extensions, size and number of files that can be attached: Here are the ...
Does ApprovalMax support SSO?
At the moment, ApprovalMax supports Google, Microsoft, Xero, Intuit Single Sign-On. For questions related to information security, please refer to our Security Portal.
What data will ApprovalMax keep after the termination of a trial or a contract?
Upon termination, all of Your Data retained by ApprovalMax in the system database files shall be made available to you for a period of one year after the date of termination. Thereafter, all of Your Data retained by ApprovalMax in the system database ...
What happens to the customer-owned data?
You are the owner of all data input provided by you and all your output (collectively “Your Data”). ApprovalMax does make backup copies of Your Data. ApprovalMax may store and maintain Your Data for such period of time as it deems necessary. You ...
User login lockout policy
Users are locked out if they make multiple (6) failed login attempts. This is done to prevent the brute forcing of user passwords. Users will be able to retry logging in after 30 minutes. Other sessions (in the mobile app) will not be interrupted. ...
Password policy
Having a strong password is an important part of protecting your information. Use 8 or more characters Use upper and lower case letters (e.g. Aa) Use a number (e.g. 1234) Use a special character/symbol (e.g. !@#$) Different from your other passwords ...
Where is the data stored?
With due respect to the fact that our clients use ApprovalMax for handling their core finance information, we consider the privacy of our clients' data as one of our top priorities. All processing of customer data takes place in EU-based Microsoft ...
SSL usage
All data is transferred via a TLS-secure channel. SSL is used for both the web app and API. For questions related to information security, please refer to our Security Portal.
Next page

Popular Articles
Certification management
In the Practice Staff section, the Account Owner/Account Manager can only view a user’s certification status and download their certificate if the user has accepted an invitation: If a user has not yet completed certification, you can invite them to ...
Support Policy
Do feel free to contact us during your trial or subscription period and our Customer Support team will be happy to help you. When signing up for an ApprovalMax Trial, you’ll get placed on the Other Support service plan. Once you purchase a ...
Bill-to-PO Matching: Migration process from old Matching to new Matching
The previous version of Matching functionality will no longer be supported starting from 1 April 2023. This means that all Organisations should migrate to the new data format to continue using the Bill-to-PO Matching feature. If your Organisation’s ...
Roles in ApprovalMax (Xero)
There are three types of roles in ApprovalMax: Account-based, Organisation-based and Workflow-based roles. Within one Organisation a user in ApprovalMax can have one Account-based or Organisation-based role and at the same time be assigned to several ...
How do I set up the "Pulling from Xero" step for Bills?
All Bills in Xero with the status "Submitted for approval" will be picked up by ApprovalMax and put through the designated approval process. When pulling Bills from Xero into ApprovalMax, all Bills will be created in the name of a specific user ...

ApprovalMax | Security And Privacy | Knowledge Base

Security and Privacy

How to generate backup codes for 2FA?

Troubleshooting: Error during enabling 2FA using the Microsoft Authenticator app

What is "Trust this device" feature?

Support of a 24-hour token expiration

How does 2FA work on mobile devices?

2FA: Frequently Asked Questions

2FA enforcement

Why my Google Authenticator code for 2FA doesn't work?

Secure development

Employee access

Business continuity

Dedicated Security Team

DDoS protection

Network-level security

Infrastructure

App security protection

App security monitoring

Payment information

Data encryption

Account protection

Logout on inactivity

What happens to the emails sent to orders@approvalmax.com?

Does ApprovalMax have an incident response procedure?

Does the uploaded information get backed up? Are there clear procedures in place in case we need to obtain a backup?

Are the activities performed by users logged and are they accessible if necessary?

Does ApprovalMax perform regular self-assessments based on international security practices?

Does ApprovalMax have security and privacy accreditation? (SOC Type2, ISO27001, etc.)

Does ApprovalMax support 2FA?

Does ApprovalMax support SAML?

Security - most frequently asked questions

Data Protection and Data Recovery

Supported browsers

Restrictions for file upload

Does ApprovalMax support SSO?

What data will ApprovalMax keep after the termination of a trial or a contract?

What happens to the customer-owned data?

User login lockout policy

Password policy

Where is the data stored?

SSL usage

Next page

Popular Articles

Certification management

Support Policy

Bill-to-PO Matching: Migration process from old Matching to new Matching

Roles in ApprovalMax (Xero)

How do I set up the "Pulling from Xero" step for Bills?