Create beautiful group cards with your monday team.
Group Card makes it easy to celebrate birthdays, farewells, anniversaries, and milestones with your team, right inside monday.com. No more juggling separate tools, chasing contributors, or forgetting someone's special day.
Built for HR teams, people managers, EAs, and anyone who wants to make work feel more human.
✅ Create a card in under 30 seconds: Pick an occasion, template and recipient. Then invite your team to sign.
✅ 9 occasion types — birthdays, anniversaries, farewells, thank you, congrats, new baby, get well, welcome, and promotion!
✅ Fun opening effects — confetti, balloons, sparkles on reveal
✅ One-click invites via monday bell notifications, fun for contributors to sign
✅ Schedule delivery for the perfect moment
✅ 100% hosted on monday.com — no external servers
Stop coordinating birthday cards in Slack threads. You know the drill: a message asking everyone to sign a Google Doc, half the team forgets, and the recipient sees the thread by accident. Group Card lives where your team already works — no context-switching, no separate logins.
Features
🎨 Template library — designs across 9 occasion types with opening effects like confetti, balloons, and sparkles.
✍️ Rich signing — contributors add a personal message, pick a GIF and Emoji, choose fonts and colors.
💡 Events Timeline — Create cards from our Events timeline with your team's birthdays and anniversaries
👥 One-click invites — invite individuals, whole teams, or your entire workspace.
🛠️ Stay in control — track who has signed, nudge those who haven't, preview as the recipient, and schedule delivery.
🔒 Private by design — recipients can't see their own card until delivery.
Who it's for
HR teams and People Ops sending company-wide cards
People managers celebrating wins and milestones
Remote and hybrid teams who miss the office card-passing moment
EAs and admins who coordinate group cards by hand
Use it for
Birthdays and work anniversaries
Welcome cards for new hires
Farewells when someone moves on
Congratulations on promotions, weddings, and new babies
Team thank-you cards after a big launch
📧 Contact Support — install now and make work feel more human.
Security & Compliance
Security
Does the developer periodically perform penetration testing?
Yes
We periodically perform penetration testing on Group Card. Our process covers the OWASP Top 10 and OWASP ASVS L1 controls and includes active probes of authentication, authorization (cross-tenant and cross-role), input handling, rate limiting, and outbound egress. A pen test is run before each significant release, and findings are tracked to remediation before the release ships. The most recent pen test (2026-05-28, v1.0.0) returned zero open findings. The hosting platform, Monday Code, is additionally covered by monday.com's own annual third-party penetration testing program.
Does the developer have a dedicated security and privacy point of contact for such issues or questions?
Does the app restrict redirects and forwards only to approved destinations, or show a warning when redirecting to potentially untrusted content?
Yes
The only redirect the app performs is to monday.com's own OAuth authorization endpoint. The OAuth state parameter is validated server-side. No user-supplied URLs are ever used in any redirect or forward.
Does the app protect against mass parameter assignment attacks?
Yes
All API endpoints explicitly extract and validate individual fields from request bodies. Request payloads are never spread or passed directly into storage.
Does the app perform encoding and sanitization on all user supplied parameters to protect against Cross-Site Scripting?
Yes
User-supplied content is rendered with automatic output encoding and is never injected as HTML. Inputs are validated server-side before storage.
Does the developer protect all state-changing actions against Cross-Site Request Forgery (CSRF)?
Yes
The app authenticates every request with a short-lived bearer token issued by monday.com and sets no cookies, so browser-based CSRF cannot forge valid requests.
Does the developer have mechanisms to notify monday.com in case of a security breach?
Yes
We maintain an incident response process that includes notifying monday.com within 72 hours of any confirmed breach. Reports can be initiated at security@bam-apps.com.
Does this developer have a process for installing application-level updates and security patches for the service (such as software packages and databases)?
Yes
Monday Code handles infrastructure and database patching. Application dependencies are monitored continuously and patched before each release.
Compliance
Is the app certified with the information security standard ISO/IEC 27001:2022?
Yes
The app is hosted entirely on Monday Code, which is covered by monday.com's ISO/IEC 27001 certification: https://trust.monday.com. Group Card runs on this infrastructure and inherits its controls.
Is the app compliant with the Health Insurance Portability and Accountability Act (HIPAA)?
No
The app is not independently HIPAA certified and does not offer a Business Associate Agreement (BAA). It is not designed to process protected health information.
Is the app certified with System and Organization Controls (SOC 2 or SOC 3)?
Yes
The app is hosted entirely on Monday Code, which is covered by monday.com's SOC 2 Type II and SOC 3 certifications : https://trust.monday.com
Is the app compliant with the General Data Protection Regulation (GDPR)?
Yes
The app runs on monday.com's GDPR-compliant platform and stores all data exclusively on Monday infrastructure. All app data is purged on uninstall, and the app uses no cookies. Data subject requests can be directed to privacy@bam-apps.com.
Data
Does the app send any data outside of monday.com? If yes, indicate whether the data is customer-submitted (e.g., board names, item names, doc content) or non-customer-submitted (e.g., account ID, board ID, user ID).
No
No user data, account data, or workspace data is sent outside of monday.com. Card content, message text, recipient names, user names, board names, item names, account IDs, board IDs, and user IDs all stay within monday.com infrastructure. The only outbound call the app makes is to a third-party GIF provider (Klipy) to power the optional GIF picker in the signing flow. When a user types into the GIF picker, their search term (e.g. "happy birthday") is sent to Klipy so it can return matching GIFs. The search term is whatever the user freely types into the picker — it does not include any monday data, recipient names, message content, or user/account identifiers.
Where does the app store logs data?
monday
Logs are stored in Monday Code's built-in logging infrastructure, covered by monday.com's SOC 2 and ISO 27001 certifications.
Where does the app store the app data?
monday
All app data — card content, settings, OAuth tokens, and secrets — is stored exclusively on monday.com's platform. No external database or third-party storage is used.
Does the developer ensure application logs do not contain secrets or personally-identifiable information (PII)?
Yes
Logs contain only non-PII identifiers and operation outcomes. Tokens, email addresses, and user names are never logged.
Is customer data segregated from the data of other customers (for example logically or physically)?
Yes
Monday Code provides infrastructure isolation between accounts. At the application level, all stored data is scoped by account, ensuring complete logical isolation.
Privacy
Does the developer enforce multi-factor authentication on employees access to systems which may process customer data?
Yes
MFA is enforced on all systems with access to app configuration and source code, including source control and the monday.com Developer Center.
Does the developer protect access to customer data based on the principle of least privilege?
Yes
The app requests only the minimum monday.com scopes required for its functionality. Within the app, access to each card is enforced server-side by role (owner, invited signer, recipient, view-only), so users only see and act on what they are entitled to.
Reviews
No reviews yet.
Historical data
Installation history
We have data for December 28, 2024 onwards only. Collected sometime after 00:00 UTC daily.
Total number of installs
Change in total number of installs in last 1 day(s)
Compares the number of installs on each date with 1 days previously:
Max
Min
Current
Change in total number of installs in last 7 day(s)
Compares the number of installs on each date with 7 days previously:
Max
Min
Current
Change in total number of installs in last 30 day(s)
Compares the number of installs on each date with 30 days previously:
Max
Min
Current
Change in total number of installs in last 90 day(s)
Compares the number of installs on each date with 90 days previously:
Max
Min
Current
Change in total number of installs in last 180 day(s)
Compares the number of installs on each date with 180 days previously:
Max
Min
Current
Ratings history
Categories history
Each of the following is a yes/no answer, so the graphs show 1 for yes, and 0 for no.
{
"id": 10001186,
"marketplace_developer_id": 100000174,
"app_id": 11069790,
"app_type": "app",
"security_info": {},
"gallery_assets": [
{
"url": "https://cdn.monday.com/marketplace/10001186/10001186_2026_5_4_6_11_5_kjm70ryk.png",
"type": "image"
},
{
"url": "https://cdn.monday.com/marketplace/10001186/10001186_2026_5_4_6_11_14_vcck6wqi.png",
"type": "image"
},
{
"url": "https://cdn.monday.com/marketplace/10001186/10001186_2026_5_4_6_11_22_kcvewrmg.png",
"type": "image"
},
{
"url": "https://cdn.monday.com/marketplace/10001186/10001186_2026_5_4_6_11_29_89ftdmrj.png",
"type": "image"
},
{
"url": "https://cdn.monday.com/marketplace/10001186/10001186_2026_5_4_6_11_37_0d9jg86.png",
"type": "image"
}
],
"description": "<p>Group Card makes it easy to celebrate birthdays, farewells, anniversaries, and milestones with your team, right inside monday.com. No more juggling separate tools, chasing contributors, or forgetting someone's special day.</p><p><br></p><p>Built for HR teams, people managers, EAs, and anyone who wants to make work feel more human.</p><p><br></p><p>✅ Create a card in under 30 seconds: Pick an occasion, template and recipient. Then invite your team to sign.</p><p>✅ 9 occasion types — birthdays, anniversaries, farewells, thank you, congrats, new baby, get well, welcome, and promotion! </p><p>✅ Fun opening effects — confetti, balloons, sparkles on reveal</p><p>✅ One-click invites via monday bell notifications, fun for contributors to sign</p><p>✅ Schedule delivery for the perfect moment</p><p>✅ 100% hosted on monday.com — no external servers</p><p><strong>Stop coordinating birthday cards in Slack threads.</strong> You know the drill: a message asking everyone to sign a Google Doc, half the team forgets, and the recipient sees the thread by accident. <strong>Group Card</strong> lives where your team already works — no context-switching, no separate logins.</p><p><strong>Features</strong></p><p>🎨 <strong>Template library</strong> — designs across 9 occasion types with opening effects like confetti, balloons, and sparkles.</p><p>✍️ <strong>Rich signing</strong> — contributors add a personal message, pick a GIF and Emoji, choose fonts and colors.</p><p>💡 <strong>Events Timeline</strong> — Create cards from our Events timeline with your team's birthdays and anniversaries</p><p>👥 <strong>One-click invites</strong> — invite individuals, whole teams, or your entire workspace.</p><p>🛠️ <strong>Stay in control</strong> — track who has signed, nudge those who haven't, preview as the recipient, and schedule delivery.</p><p>🔒 <strong>Private by design</strong> — recipients can't see their own card until delivery.</p><p><strong>Who it's for</strong></p><ul><li>HR teams and People Ops sending company-wide cards</li><li>People managers celebrating wins and milestones</li><li>Remote and hybrid teams who miss the office card-passing moment</li><li>EAs and admins who coordinate group cards by hand</li></ul><p><strong>Use it for</strong></p><ul><li><em>Birthdays</em> and <em>work anniversaries</em></li><li><em>Welcome</em> cards for new hires</li><li><em>Farewells</em> when someone moves on</li><li><em>Congratulations</em> on promotions, weddings, and new babies</li><li><em>Team thank-you cards</em> after a big launch </li></ul><p><br></p><p>📧 <a href=\"mailto:support@bam-apps.com\" rel=\"noopener noreferrer\" target=\"_blank\">Contact Support</a> — install now and make work feel more human.</p>",
"short_description": "Create beautiful group cards with your monday team.",
"thumbnail_url": "https://cdn.monday.com/marketplace/10001186/10001186_2026_4_18_9_17_37_vbeg22g.png",
"logo_url": "https://cdn.monday.com/marketplace/10001186/10001186_2026_4_18_9_17_25_7kr6chr.png",
"feedback_url": "support@bam-apps.com",
"privacy_policy_url": "https://bam-apps.com/apps/group-card/privacy/",
"featured": false,
"name": "Group Card",
"how_to_use_url": "https://bam-apps.com/apps/group-card/help/getting-started",
"external_pricing_url": null,
"keywords": "employee engagement,HR,recognition,anniversary,farewell,group card,team,celebration,birthday,greeting card",
"compliance_answers": [
{
"fileName": "59gucf3.pdf",
"questionId": 20,
"shortAnswer": true,
"detailedAnswer": "The app is hosted entirely on Monday Code, which is covered by monday.com's ISO/IEC 27001 certification: https://trust.monday.com. Group Card runs on this infrastructure and inherits its controls."
},
{
"questionId": 19,
"shortAnswer": false,
"detailedAnswer": "No user data, account data, or workspace data is sent outside of monday.com. Card content, message text, recipient names, user names, board names, item names, account IDs, board IDs, and user IDs all stay within monday.com infrastructure.\n\nThe only outbound call the app makes is to a third-party GIF provider (Klipy) to power the optional GIF picker in the signing flow. When a user types into the GIF picker, their search term (e.g. \"happy birthday\") is sent to Klipy so it can return matching GIFs. The search term is whatever the user freely types into the picker — it does not include any monday data, recipient names, message content, or user/account identifiers."
},
{
"questionId": 18,
"detailedAnswer": "Logs are stored in Monday Code's built-in logging infrastructure, covered by monday.com's SOC 2 and ISO 27001 certifications.",
"logHostingProvider": "monday"
},
{
"questionId": 17,
"detailedAnswer": "All app data — card content, settings, OAuth tokens, and secrets — is stored exclusively on monday.com's platform. No external database or third-party storage is used.",
"dataHostingProvider": "monday"
},
{
"fileName": "4c8moaq.pdf",
"questionId": 15,
"shortAnswer": true,
"detailedAnswer": "We periodically perform penetration testing on Group Card. Our process covers the OWASP Top 10 and OWASP ASVS L1 controls and includes active probes of authentication, authorization (cross-tenant and cross-role), input handling, rate limiting, and outbound egress. A pen test is run before each significant release, and findings are tracked to remediation before the release ships. The most recent pen test (2026-05-28, v1.0.0) returned zero open findings. The hosting platform, Monday Code, is additionally covered by monday.com's own annual third-party penetration testing program."
},
{
"questionId": 14,
"shortAnswer": true,
"detailedAnswer": "Security inquiries: security@bam-apps.com. Privacy inquiries: privacy@bam-apps.com."
},
{
"questionId": 13,
"shortAnswer": false,
"detailedAnswer": "The app is not independently HIPAA certified and does not offer a Business Associate Agreement (BAA). It is not designed to process protected health information."
},
{
"fileName": "1v0c6bnf.pdf",
"questionId": 12,
"shortAnswer": true,
"detailedAnswer": "The app is hosted entirely on Monday Code, which is covered by monday.com's SOC 2 Type II and SOC 3 certifications : https://trust.monday.com"
},
{
"questionId": 11,
"shortAnswer": true,
"detailedAnswer": "The app runs on monday.com's GDPR-compliant platform and stores all data exclusively on Monday infrastructure. All app data is purged on uninstall, and the app uses no cookies. Data subject requests can be directed to privacy@bam-apps.com."
},
{
"questionId": 10,
"shortAnswer": true,
"detailedAnswer": "The only redirect the app performs is to monday.com's own OAuth authorization endpoint. The OAuth state parameter is validated server-side. No user-supplied URLs are ever used in any redirect or forward."
},
{
"questionId": 9,
"shortAnswer": true,
"detailedAnswer": "All API endpoints explicitly extract and validate individual fields from request bodies. Request payloads are never spread or passed directly into storage."
},
{
"questionId": 8,
"shortAnswer": true,
"detailedAnswer": "Logs contain only non-PII identifiers and operation outcomes. Tokens, email addresses, and user names are never logged."
},
{
"questionId": 7,
"shortAnswer": true,
"detailedAnswer": "MFA is enforced on all systems with access to app configuration and source code, including source control and the monday.com Developer Center."
},
{
"questionId": 6,
"shortAnswer": true,
"detailedAnswer": "The app requests only the minimum monday.com scopes required for its functionality. Within the app, access to each card is enforced server-side by role (owner, invited signer, recipient, view-only), so users only see and act on what they are entitled to."
},
{
"questionId": 5,
"shortAnswer": true,
"detailedAnswer": "User-supplied content is rendered with automatic output encoding and is never injected as HTML. Inputs are validated server-side before storage."
},
{
"questionId": 4,
"shortAnswer": true,
"detailedAnswer": "The app authenticates every request with a short-lived bearer token issued by monday.com and sets no cookies, so browser-based CSRF cannot forge valid requests."
},
{
"questionId": 3,
"shortAnswer": true,
"detailedAnswer": "We maintain an incident response process that includes notifying monday.com within 72 hours of any confirmed breach. Reports can be initiated at security@bam-apps.com."
},
{
"questionId": 2,
"shortAnswer": true,
"detailedAnswer": "Monday Code handles infrastructure and database patching. Application dependencies are monitored continuously and patched before each release."
},
{
"questionId": 1,
"shortAnswer": true,
"detailedAnswer": "Monday Code provides infrastructure isolation between accounts. At the application level, all stored data is scoped by account, ensuring complete logical isolation."
}
],
"created_at": "2026-05-18T09:16:57.000Z",
"updated_at": "2026-06-04T12:01:17.000Z",
"automation_app_id": null,
"marketplace_category_ids": [
10000006,
8,
5
],
"pinned_for_categories_ids": [],
"featured_for_categories_ids": [],
"pricing_data": null,
"label": null,
"app_values": [
"Fun"
],
"security": false,
"display_in_template_store": false,
"acquisition_source": "No touch",
"is_connector": false,
"terms_of_service_url": "https://bam-apps.com/apps/group-card/terms/",
"available_for_tiers": [],
"available_for_products": [],
"google_analytics_tag_id": "G-KHM5RGE6VC",
"is_solution": false,
"cta_override": null,
"app_scope_str": "me:read,users:read,notifications:write,teams:read,boards:read",
"app_client_id": "a7acedcd7b538d0a6dcb0ddb5285bbac",
"app_color": {
"hsl": {
"h": 3.5294117647058822,
"s": 0.6967213114754098,
"l": 0.5215686274509803,
"a": 1
},
"hex": "#da3a30",
"rgb": {
"r": 218,
"g": 58,
"b": 48,
"a": 1
},
"hsv": {
"h": 3.5294117647058822,
"s": 0.7798165137614679,
"v": 0.8549019607843137,
"a": 1
},
"oldHue": 22.714285714285715,
"source": "hex"
},
"plans": [
{
"id": "11069790-1-free",
"appPlanId": "free",
"name": "Free",
"versionId": 1,
"isTrial": false,
"prices": {
"type": "standard",
"monthly": 0,
"yearly": 0
},
"versionState": "live",
"appId": 11069790,
"description": "Send 2 active group cards at a time. Unlimited signers, all occasion templates, GIFs, emojis, font styles, manual delivery, and sign-up reminders. Drafts and delivered cards don't count toward the limit.",
"extraData": {
"bullets": [
"2 active cards",
"Unlimited signers + reminder notifications",
"All occasion templates",
"GIFs, emojis & font styles",
"Manual delivery"
],
"monthlyFee": 0,
"yearlyFee": 0
},
"isFree": true,
"isRecommended": false,
"currency": "USD"
},
{
"id": "11069790-1-starter",
"appPlanId": "starter",
"name": "Starter",
"versionId": 1,
"isTrial": false,
"prices": {
"type": "standard",
"monthly": 19,
"yearly": 16
},
"versionState": "live",
"appId": 11069790,
"description": "Everything in Free, plus scheduled delivery with recipient timezone support and 8 active cards.",
"extraData": {
"bullets": [
"8 active cards",
"Scheduled delivery (timezone-aware)",
"Unlimited signers + reminder notifications",
"All occasion templates",
"GIFs, emojis & font styles"
],
"monthlyFee": 19,
"yearlyFee": 16
},
"isFree": false,
"isRecommended": false,
"currency": "USD"
},
{
"id": "11069790-1-standard",
"appPlanId": "standard",
"name": "Standard",
"versionId": 1,
"isTrial": true,
"prices": {
"type": "standard",
"monthly": 39,
"yearly": 32
},
"versionState": "live",
"appId": 11069790,
"description": "Everything in Starter, plus 20 active cards and the custom template builder so your team can design its own card templates.",
"extraData": {
"bullets": [
"20 active cards",
"Scheduled delivery (timezone-aware)",
"Unlimited signers + reminder notifications",
"All occasion template",
"GIFs, emojis & font styles"
],
"monthlyFee": 39,
"yearlyFee": 32
},
"isFree": false,
"isRecommended": true,
"currency": "USD"
},
{
"id": "11069790-1-premium",
"appPlanId": "premium",
"name": "Premium",
"versionId": 1,
"isTrial": false,
"prices": {
"type": "standard",
"monthly": 79,
"yearly": 66
},
"versionState": "live",
"appId": 11069790,
"description": "Everything in Standard, plus 50 active cards for organizations coordinating cards across many teams.",
"extraData": {
"bullets": [
"50 active cards",
"Scheduled delivery (timezone-aware)",
"Unlimited signers + reminder notifications",
"All occasion templates",
"GIFs, emojis & font styles"
],
"monthlyFee": 79,
"yearlyFee": 66
},
"isFree": false,
"isRecommended": false,
"currency": "USD"
},
{
"id": "11069790-1-unlimited",
"appPlanId": "unlimited",
"name": "Unlimited",
"versionId": 1,
"isTrial": false,
"prices": {
"type": "standard",
"monthly": 149,
"yearly": 124
},
"versionState": "live",
"appId": 11069790,
"description": "Unlimited active cards. No ceiling on concurrent celebrations across your workspace.",
"extraData": {
"bullets": [
"Unlimited active cards",
"Scheduled delivery (timezone-aware)",
"Unlimited signers + reminder notifications",
"All occasion templates",
"GIFs, emojis & font styles"
],
"monthlyFee": 149,
"yearlyFee": 124
},
"isFree": false,
"isRecommended": false,
"currency": "USD"
}
],
"app_live_version": {
"updated_at": "2026-06-07T07:32:13.233Z",
"id": 15197938
},
"pricing_model": null,
"badges_data": {
"security": false,
"app_values": [
"Fun"
],
"acquisition_source": "No touch",
"display_in_template_store": false
},
"data": {
"is_solution": false,
"cta_override": null,
"is_connector": false,
"available_for_tiers": [],
"terms_of_service_url": "https://bam-apps.com/apps/group-card/terms/",
"available_for_products": [],
"google_analytics_tag_id": "G-KHM5RGE6VC"
},
"display": null,
"installsDelta": {
"totalInstalls": 4,
"sevenDays": 0
}
}
