Security and data handling.
AutoPulse is designed to keep the app simple, account-scoped, and focused on the minimum monday.com data needed to check whether expected work exists.
Hosting
The AutoPulse app is designed to run on monday Code. App traffic uses HTTPS, and production configuration is stored in monday Code environment variables or secrets. Local development data is separate from production.
Domain verification
AutoPulse publishes the monday.com domain association file at /monday-app-association.json so monday.com can verify ownership of the website domain used for the marketplace listing. Production app and website domains should use valid HTTPS, TLS 1.2 or higher, and HSTS.
Data minimization
AutoPulse stores only the information required to create watchdogs, run checks, create incidents, notify selected users, and show dashboard or digest summaries. The app does not need monday.com passwords, payment card data, or full board exports.
Account isolation
Every rule, pending check, incident, setting, and digest record is scoped to the monday.com account ID. API requests resolve the monday account context before returning or changing account data.
Tokens and secrets
monday.com client secrets, signing secrets, and API tokens must remain server-side. AutoPulse validates monday session tokens for app requests when the client secret is configured and does not expose backend secrets in browser code. Secrets are not committed to the code repository.
Webhooks and duplicate protection
AutoPulse uses monday.com webhooks for configured source boards. Pending checks use idempotency keys so repeated webhook deliveries do not create duplicate pending checks or duplicate incidents.
Incident records
Incidents are created on the selected monday.com incident board. Each incident explains what changed, what AutoPulse expected to find, what it checked, and the recommended next step. Repeated failures update the same open incident instead of spamming the team.
Third-party services
The initial marketplace version relies on monday.com APIs, monday Code, monday marketplace billing, and the public website host. It does not use AI models or direct outbound email delivery for customer data.
Logging
AutoPulse logs operational events needed to debug webhook handling, scheduled checks, API errors, and incident creation. Logs should avoid storing secrets, tokens, or full board exports. Production logging should use monday Code logs where available and follow the retention settings of the hosting environment.
Input validation
AutoPulse validates required rule fields, account context, board and column identifiers, delay settings, severity values, and incident actions before creating or changing records. User-facing text is rendered as text, not executable HTML.
Retention and uninstall
AutoPulse keeps app records while needed to provide the service and support the customer. If the app is uninstalled or deauthorized, data handling follows monday.com marketplace requirements and applicable law. See the Privacy Policy for more detail.
Security contact
Report security concerns to support@autopulse.solutions. Include "Security" in the subject line so the request is prioritized correctly.