WorkHub is your all-in-one solution for resource planning and workforce management, designed for project managers, team leads, and operations teams who need full visibility into who's doing what โ across all their boards โ and whether they have the capacity to do it.
Why Choose WorkHub?
๐ Remaining Estimates: The first monday.com app that auto-distributes remaining work across future days. As hours are logged, WorkHub recalculates what's left and updates your workload view instantly. Your plan always answers: "Can we still deliver on time?"
๐ฑ Mobile Time Tracking: Log work directly from the monday.com mobile app. Open any item, tap the Time Tracking tab, and record hours. See Original Estimate, Logged, and Remaining at a glance. Perfect for field workers, contractors, and remote teams who aren't at a desk.
๐ Resource Scheduler: Scheduler lets you drag tasks across dates and assignees on a Gantt-like timeline. Capacity Management shows color-coded workload per person per day in five modes: Worklog for past + Workload for future, Remaining Estimate, Availability, Original Estimate, and Number of Items. Define working hours per person or group - part-time, compressed, and custom schedules all supported.
โฑ๏ธ Timesheets & Approvals: Route timesheets through approval workflows. View timesheets by user, by board, or by item - with summary and progress views. Classify worklogs as Billable or Non-Billable with customizable categories. Managers review, approve, or reject - all within monday.com. Ready for payroll, invoicing, and compliance out of the box.
๐๏ธ Leave & Availability: Request and approve vacation, annual leave, sick leave, and custom types. Import public holidays by country and assign per person or team. Approvals sync instantly to capacity and scheduler - no manual adjustments.
Built for teams that need to get it right. Responsive support from the team that builds the product - not a help desk queue.
Missing something? We love hearing from users. If a feature isn't here yet, we'll work with you to build it.
Does the developer periodically perform penetration testing?
Not answered
Does the developer have a dedicated security and privacy point of contact for such issues or questions?
Yes
Our team has a dedicated point of contact for security and privacy inquiries. Security issues can be reported to support@reinwok.com and will be triaged within 24 hours.
Does the app restrict redirects and forwards only to approved destinations, or show a warning when redirecting to potentially untrusted content?
Yes
All redirects in our application are restricted to approved destinations. OAuth flows redirect only to hardcoded monday.com authorization endpoints, and post-authentication redirects use server-configured environment variables โ no user-supplied URLs are used for redirection.
Does the app protect against mass parameter assignment attacks?
Yes
We use NestJS global ValidationPipe with strict whitelisting (whitelist: true, forbidNonWhitelisted: true). All endpoints enforce typed DTOs with class-validator decorators, rejecting any unexpected properties in request payloads.
Does the app perform encoding and sanitization on all user supplied parameters to protect against Cross-Site Scripting?
Yes
Backend validates and constrains all user input via class-validator DTOs. Frontend sanitizes all external data using DOMPurify with zero allowed HTML tags/attributes (plain text only). No unsafe rendering patterns (innerHTML, eval) are used.
Does the developer protect all state-changing actions against Cross-Site Request Forgery (CSRF)?
Yes
Our application uses stateless JWT-based authentication via Authorization headers (Bearer tokens). Since tokens are not stored in cookies and must be explicitly attached to each request, the application is inherently protected against CSRF attacks. All state-changing actions require a valid session token verified against monday.com's signing secret.
Does the developer have mechanisms to notify monday.com in case of a security breach?
Yes
We have structured logging via GCP Cloud Logging for security event monitoring. In case of a detected security breach, we will notify monday.com's security team promptly via the designated partner communication channels, including details of the incident scope and remediation steps
Does this developer have a process for installing application-level updates and security patches for the service (such as software packages and databases)?
Yes
We maintain a regular process for reviewing and applying security patches to all application dependencies and infrastructure. Our application is containerized (Docker) and deployed on Google Cloud Run, enabling rapid deployment of security updates. Dependencies are regularly audited and updated
Compliance
Is the app certified with the information security standard ISO/IEC 27001:2022?
Not answered
Is the app compliant with the Health Insurance Portability and Accountability Act (HIPAA)?
Not answered
Is the app certified with System and Organization Controls (SOC 2 or SOC 3)?
Not answered
Is the app compliant with the General Data Protection Regulation (GDPR)?
Yes
The app is designed with GDPR principles in mind. We minimize data collection by storing primarily monday.com identifiers rather than personal data - user names and personal details are fetched in real-time from the monday.com API and are not persisted. Customer data is logically isolated using PostgreSQL Row-Level Security. All data is hosted on Google Cloud Platform infrastructure within GDPR-compliant regions. Data is encrypted at rest and in transit. The app supports data deletion upon account uninstallation to fulfill right-to-erasure requirements.
Data
Does the app send any data outside of monday.com? If yes, indicate whether the data is customer-submitted (e.g., board names, item names, doc content) or non-customer-submitted (e.g., account ID, board ID, user ID).
Yes
Yes. The app sends data to our backend service hosted on Google Cloud Platform (Cloud Run). The data sent includes non-customer-submitted identifiers (account ID, board ID, item ID, user ID) as well as limited customer-submitted content (worklog, descriptions, leave request notes, and user-defined names for saved views, reports, holidays, and capacity schemes).
Where does the app store logs data?
other
Application logs are stored in Google Cloud Logging (GCP).
Where does the app store the app data?
DB
App data is stored in a PostgreSQL database hosted on Google Cloud Platform (Cloud SQL).
Does the developer ensure application logs do not contain secrets or personally-identifiable information (PII)?
Yes
Our logging implementation uses structured logging that captures request metadata, error details, and operational events without logging authentication tokens, session secrets, or personally-identifiable information. Sensitive headers (Authorization, X-Monday-Token) are not included in log output. Logs contain only operational data such as request paths, status codes, error messages, and tenant account IDs. Additionally, we have automated checks in our merge process to detect and prevent any accidental logging of sensitive data before code reaches production.
Is customer data segregated from the data of other customers (for example logically or physically)?
Yes
Yes. Customer data is logically segregated using PostgreSQL Row-Level Security (RLS) policies. Every data table includes an account_id column, and RLS policies enforce that each tenant can only access rows matching their own account_id. The tenant context is set at the database session level via middleware after JWT authentication, ensuring data isolation is enforced at the database layer - not just the application layer.
Privacy
Does the developer enforce multi-factor authentication on employees access to systems which may process customer data?
Yes
We enforce multi-factor authentication on all systems that process or have access to customer data, including our Google Cloud Platform console, GitHub repositories. MFA is required for all team members with access to production infrastructure and databases.
Does the developer protect access to customer data based on the principle of least privilege?
Yes
Access to production customer data is restricted based on the principle of least privilege. Our Google Cloud Platform IAM roles are scoped to grant only the minimum permissions required for each team member's role. Direct access to the production database is limited to essential personnel only. Application secrets and credentials are managed through GCP Secret Manager with access controls. No production customer data is used in development or testing environments.
Reviews
April 10, 2026
KW: Work Hub has been an excellent addition to how we use monday.com. The integration is seamless, it has improved visibility, structure, and accountability across our workflows, and it adds real day to day value without unnecessary complexity.
Historical data
Installation history
We have data for December 28, 2024 onwards only. Collected sometime after 00:00 UTC daily.
Total number of installs
Change in total number of installs in last 1 day(s)
Compares the number of installs on each date with 1 days previously:
Max
Min
Current
Change in total number of installs in last 7 day(s)
Compares the number of installs on each date with 7 days previously:
Max
Min
Current
Change in total number of installs in last 30 day(s)
Compares the number of installs on each date with 30 days previously:
Max
Min
Current
Change in total number of installs in last 90 day(s)
Compares the number of installs on each date with 90 days previously:
Max
Min
Current
Change in total number of installs in last 180 day(s)
Compares the number of installs on each date with 180 days previously:
Max
Min
Current
Ratings history
Categories history
Each of the following is a yes/no answer, so the graphs show 1 for yes, and 0 for no.
