Security & Data Handling

SPHIOR Ops Console for Monday

This page describes how SPHIOR ("we") secures SPHIOR Ops Console for Monday (the "App") and handles your data. For how we treat data more broadly, see our Privacy Policy at https://ops-console.sphior.com/privacy.

1. Architecture & data handling

· Hosted on monday code. The App runs on monday.com's managed infrastructure (monday code). We do not operate a separate external database, log shipper, or analytics pipeline. · No long-term storage of customer business data. Board and item content is processed transiently — in memory or short-lived staging — and deleted immediately after the operation completes or after delivery to your chosen cloud. · Delivery to your own cloud. Exports are delivered to your own Google Drive at your instruction; we do not keep a copy. · Encryption in transit: TLS for every API call, enforced by the monday.com and Google platforms. · Encryption at rest: configuration and tokens are held in monday Storage / monday SecureStorage, encrypted by monday.com. Undo snapshots are stored encrypted.

2. Undo snapshots & retention

Before any destructive action (duplicate merge, bulk archive, or find & replace), the App captures an Undo snapshot so you can recover. Snapshots are encrypted, carry a 30-day time-to-live (TTL), and are automatically deleted when the TTL elapses. They are the only customer content the App retains beyond the duration of an operation.

3. Least-privilege scopes

The App requests only the minimum monday.com scopes required for its functionality: me:read, account:read, boards:read, boards:write, and notifications:write. Google Drive access is limited to the drive.file scope, which grants access only to files the App itself creates or that you explicitly select — never your whole Drive. The App does not request end-user passwords or personal access tokens; platform tokens are managed by monday.com and Google.

4. Storage locations

· Configuration, schedules, and job settings → monday Storage. · OAuth tokens (monday and, if connected, Google) → monday SecureStorage. · Undo snapshot payloads → encrypted object storage (BLOB) with a 30-day TTL. · Anonymous usage counts → aggregate metrics only, containing no personal data and no board content. There is no external customer-data database operated by SPHIOR.

5. Vulnerability management & secure development

· Automated security scanning. As authenticated web-security auditing is SPHIOR's core business, we run static analysis (SAST), dependency / open-source scanning (SCA), and authenticated dynamic testing (DAST) against the App's reachable surfaces on a regular basis and before significant releases. · Dependencies are pinned via lockfiles; a software bill of materials (SBOM) is maintained and reviewed each release. · Findings are triaged and remediated within defined timelines aligned to the monday.com marketplace security requirements. · TypeScript strict mode, ESLint, and peer review run before merge to the main branch. No secrets are committed to source control.

6. Security incident response

In the event of a confirmed security incident affecting the App: 1. Triage begins within 24 hours of confirmation. 2. Customer notification is sent to affected installations within 72 hours of confirming material impact, aligned with GDPR Article 33 expectations. 3. Root-cause analysis and a remediation plan follow; customer-impacting fixes are published through the monday.com marketplace update pipeline. 4. A post-incident summary is shared with affected customers and, where appropriate, summarized publicly. Suspected security events can be reported to security@sphior.com at any time; we acknowledge within 1 business day.

7. Access controls (internal)

· Least privilege. Access to source-code repositories, the monday.com developer console, and production deployment is restricted to App maintainers on a need-to-know basis. No shared accounts or shared production credentials are used. · The main branch is protected with required status checks (type-check, lint, and tests must pass before merge). · Multi-factor authentication (MFA) is required on all accounts with access to source code, the developer console, and deploy tooling. · The access list is reviewed at least quarterly and revoked promptly when no longer needed.

8. Artificial intelligence

The App's core functionality — deduplication, find & replace, bulk archive, export, and recurring items — is fully deterministic. No customer board data is sent to any AI or machine-learning service, and we do not use your data to train models.

9. Responsible disclosure

We welcome security research on the App. Please report findings privately to security@sphior.com with a description, reproduction steps, impact assessment, and any suggested mitigations. We commit to acknowledging your report within 1 business day, providing an initial triage decision within 5 business days, and not pursuing legal action against good-faith researchers who follow this policy.

10. Contact

Security events: security@sphior.com General contact: support@sphior.com Privacy inquiries: see the Privacy Policy at https://ops-console.sphior.com/privacy

Last updated: 2026-07-11