Secure development

ApprovalMax develops security best practices and frameworks according to the OWASP Top 10 and SANS Top 25.
To ensure the highest security in our software, we use the following best practices:
  1. Developers participate in regular security training to learn about common vulnerabilities and threats.
  2. We review our code for security vulnerabilities.
  3. We regularly update our dependencies and make sure none of them has known vulnerabilities.
  4. We use Static Application Security Testing (SAST) to detect basic security vulnerabilities in our codebase.
  5. We rely on third-party security experts to perform yearly penetration tests of our applications.
For questions related to information security, please refer to our Security Portal.