
General Caster

Omnidea S.r.l.

4.5 (31)

14,644 installs since October 20, 2020. 256 installs/month. Updated March 24, 2024.

Free plan available Existing legacy

Create formulas and perform operations with your columns

General Caster is a monday.com app. It features a collection of powerful integrations aimed at giving more power to your boards and automating recurring workflows. monday.com already provides a Formula column, but it can't be used to trigger additional workflows or to populate dashboard data. General Caster merges the power of Microsoft Excel formulas with the usability of "real" monday.com columns.

Security & Compliance

Security

Does the developer periodically perform penetration testing?

Yes
We perform a full penetration test annually.

Does the developer have a dedicated security and privacy point of contact for such issues or questions?

Yes

Does the app restrict redirects and forwards only to approved destinations, or show a warning when redirecting to potentially untrusted content?

Yes
General Caster ensures that redirects and forwards are secure through the following measures:
- Allow List for Redirects: We enforce an allow list for all redirects and forwards, ensuring that users can only be redirected to trusted, pre-approved destinations. Any redirect attempt to an unapproved location is blocked.
- Input Validation: Redirect URLs are validated against this allow list to ensure no external or untrusted URLs can be injected into the redirection process.
- Warnings for Untrusted Content: If a destination URL is potentially untrusted or cannot be verified against the allow list, we show a warning to the user before proceeding, giving them a chance to confirm the action.
These mechanisms protect the app from untrusted redirects and ensure user safety.
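
The allow-list check described in this answer, written out as an added example. This is not General Caster's code; the answer only states that an allow list exists. The host names, the `resolveRedirectTarget` function and the sample inputs are constructed for illustration. A `null` result is the point at which the application would either block the redirect or show the confirmation warning the answer mentions.

```php
<?php
declare(strict_types=1);

// Added example (not General Caster's code). Resolve a requested redirect target
// against an allow list. Host names and paths below are constructed placeholders.

/**
 * Return the URL the application may redirect to, or null if it must be refused
 * (block, or show the "untrusted destination" warning). Site-relative paths are
 * accepted; absolute URLs only when the scheme is https and the host is allowed.
 */
function resolveRedirectTarget(string $requested, array $allowedHosts): ?string
{
    $requested = trim($requested);
    if ($requested === '') {
        return null;
    }

    // Control characters would let a value smuggle a second response header.
    if (preg_match('/[\x00-\x1F\x7F]/', $requested)) {
        return null;
    }

    // Site-relative path: exactly one leading "/". A second "/" or a backslash
    // ("//host", "/\host") is treated by browsers as scheme-relative, so refuse it.
    if ($requested[0] === '/') {
        if (strlen($requested) > 1 && ($requested[1] === '/' || $requested[1] === '\\')) {
            return null;
        }
        return $requested;
    }

    $parts = parse_url($requested);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null; // no usable scheme/host: e.g. "javascript:" or a bare word
    }
    if (strtolower($parts['scheme']) !== 'https') {
        return null;
    }
    // User info in the authority defeats naive prefix checks; never allow it.
    if (isset($parts['user']) || isset($parts['pass'])) {
        return null;
    }

    $host = strtolower(rtrim($parts['host'], '.'));
    return in_array($host, $allowedHosts, true) ? $requested : null;
}

/** Constructed allow list standing in for the application's real one. */
const ALLOWED_REDIRECT_HOSTS = ['app.example.com', 'callback.example.com'];

// Worked cases (constructed inputs) and the decision each one gets.
$cases = [
    '/boards/42',                                // accepted: site-relative path
    '//other.example/next',                      // refused: scheme-relative
    'https://app.example.com/done?ok=1',         // accepted: allowed host
    'https://app.example.com@other.example/',    // refused: user info in authority
    'http://app.example.com/',                   // refused: not https
    'https://other.example/',                    // refused: host not on allow list
    "https://app.example.com/\r\nX-Test: 1",     // refused: control characters
];
foreach ($cases as $url) {
    $target = resolveRedirectTarget($url, ALLOWED_REDIRECT_HOSTS);
    printf(
        "%-45s -> %s\n",
        addcslashes($url, "\0..\37"),
        $target === null ? 'refuse (block or warn)' : 'redirect'
    );
}
```

The function deliberately returns the original string only when every check passes, so callers cannot forget a step; where a path needs normalising, do it before calling, not after.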

Does the app protect against mass parameter assignment attacks?

Yes
General Caster protects against mass parameter assignment attacks through the following measures:
- Explicit Parameter Whitelisting: We use explicit parameter whitelisting in our code, ensuring that only allowed parameters are processed during database operations. This prevents attackers from assigning unintended fields via form submissions or API requests.
- Framework-Level Protections: Our PHP framework includes built-in protections against mass assignment. We disable mass assignment by default and carefully control which fields can be updated.
- Input Validation and Filtering: All input is validated and filtered, ensuring that only expected and authorized data is accepted. This further mitigates the risk of mass assignment attacks.
- Role-Based Access Controls: Access to sensitive fields is restricted using role-based access control (RBAC), ensuring only authorized users can modify specific fields.
These measures ensure that General Caster is protected from mass parameter assignment vulnerabilities.
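
Explicit parameter whitelisting combined with role-based field restrictions, as an added example. This is not General Caster's code, and the answer does not name its framework; the record shape, the roles and the `filterAssignable` helper are constructed to show the pattern the answer describes, with the unsafe "bind the whole request body" shape beside the hardened one.

```php
<?php
declare(strict_types=1);

// Added example (not General Caster's code). Field names and roles are constructed.

/**
 * Fields a request may set on a profile record, per role. Anything not listed
 * (account_id, is_admin, ...) is dropped, so a crafted body cannot promote itself
 * or move a record to another account. "plan" is the RBAC-restricted sensitive field.
 */
const ASSIGNABLE_FIELDS = [
    'user'  => ['display_name', 'timezone', 'email'],
    'admin' => ['display_name', 'timezone', 'email', 'plan'],
];

/**
 * Reduce an untrusted payload to the keys the caller's role may assign.
 * Returns [accepted, rejectedKeys]. An unknown role may assign nothing.
 */
function filterAssignable(array $payload, string $role): array
{
    $allowed  = ASSIGNABLE_FIELDS[$role] ?? [];
    $accepted = array_intersect_key($payload, array_flip($allowed));
    $rejected = array_keys(array_diff_key($payload, $accepted));
    return [$accepted, $rejected];
}

/** Vulnerable shape: the whole request body is merged into the record. */
function updateProfileUnsafe(array $record, array $payload): array
{
    return array_merge($record, $payload); // is_admin / account_id go straight in
}

/** Hardened shape: only whitelisted keys for this role reach the record. */
function updateProfile(array $record, array $payload, string $role): array
{
    [$accepted, $rejected] = filterAssignable($payload, $role);
    if ($rejected !== []) {
        // Worth logging: repeated attempts to set protected fields are a detection signal.
        error_log('dropped non-assignable fields: ' . implode(',', $rejected));
    }
    return array_merge($record, $accepted);
}

// Constructed record and a payload that tries to touch protected fields.
$record  = ['id' => 7, 'account_id' => 3, 'display_name' => 'Ada', 'is_admin' => false, 'plan' => 'free'];
$payload = ['display_name' => 'Ada L.', 'is_admin' => true, 'account_id' => 99, 'plan' => 'pro'];

echo "unsafe:        ", json_encode(updateProfileUnsafe($record, $payload)), "\n";
echo "hardened/user: ", json_encode(updateProfile($record, $payload, 'user')), "\n";
echo "hardened/admin:", json_encode(updateProfile($record, $payload, 'admin')), "\n";
```

The whitelist is keyed by role rather than by request, which is what lets the sensitive `plan` field be assignable for admins while staying untouchable for ordinary users.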

Does the app perform encoding and sanitization on all user supplied parameters to protect against Cross-Site Scripting?

Not answered

Does the developer protect all state-changing actions against Cross-Site Request Forgery (CSRF)?

Yes
General Caster protects all state-changing actions against Cross-Site Request Forgery (CSRF) attacks by implementing the following measures:
- CSRF Tokens: We generate and validate CSRF tokens for all state-changing actions (e.g., form submissions, updates, deletions). These tokens are unique to each session and user, ensuring that only legitimate requests are processed.
- Same-Site Cookies: We utilize the SameSite cookie attribute, which restricts cookies from being sent in cross-site requests. This mitigates CSRF by preventing unauthorized requests from other sites from being executed.
- Session Validation: All requests that result in state changes are validated against the active user session, ensuring that only authenticated users with valid tokens can perform these actions.
- Framework-Level Security: Our PHP framework includes built-in protections against CSRF, further reducing the risk of such attacks.
These measures collectively ensure that all state-changing actions are protected from CSRF attacks in General Caster.
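
Per-session CSRF tokens plus SameSite cookie attributes, as an added example of the two controls this answer names. It is not General Caster's code. The session is a plain array so the script runs without a web server; in a real request it would be `$_SESSION`, and `hardenedSessionCookieParams()` would be passed to `session_set_cookie_params()` before `session_start()`. The handler name and form field names are constructed.

```php
<?php
declare(strict_types=1);

// Added example (not General Caster's code): CSRF token issue/verify and
// SameSite cookie settings. The session store is an array so it runs offline.

const CSRF_SESSION_KEY = 'csrf_token';

/** Issue (or reuse) the session's token; it is embedded in every state-changing form. */
function csrfToken(array &$session): string
{
    if (empty($session[CSRF_SESSION_KEY])) {
        $session[CSRF_SESSION_KEY] = bin2hex(random_bytes(32));
    }
    return $session[CSRF_SESSION_KEY];
}

/** Constant-time comparison so response timing does not reveal matching prefixes. */
function csrfIsValid(array $session, ?string $submitted): bool
{
    $expected = $session[CSRF_SESSION_KEY] ?? null;
    if ($expected === null || $submitted === null) {
        return false;
    }
    return hash_equals($expected, $submitted);
}

/**
 * Cookie attributes for session_set_cookie_params(): SameSite=Lax keeps the
 * session cookie off cross-site POSTs, Secure limits it to HTTPS, HttpOnly keeps
 * it away from scripts. Returned rather than applied, since there is no HTTP context here.
 */
function hardenedSessionCookieParams(): array
{
    return [
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ];
}

/** A state-changing handler that refuses any request without a matching token. */
function handleDeleteItem(array $session, array $post): string
{
    if (!csrfIsValid($session, $post['_token'] ?? null)) {
        return 'HTTP 403: CSRF token missing or invalid';
    }
    return 'item ' . (int) ($post['item_id'] ?? 0) . ' deleted';
}

// Worked flow with a constructed session.
$session = [];
$token   = csrfToken($session); // rendered into the form as a hidden field

echo handleDeleteItem($session, ['item_id' => 5, '_token' => $token]), "\n";     // legitimate form
echo handleDeleteItem($session, ['item_id' => 5]), "\n";                         // no token at all
echo handleDeleteItem($session, ['item_id' => 5, '_token' => str_repeat('0', 64)]), "\n"; // wrong token
echo json_encode(hardenedSessionCookieParams()), "\n";
```

The token check and the SameSite attribute are complementary: the cookie attribute stops most cross-site submissions before they reach the application, and the token check catches what the browser lets through.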

Does the developer have mechanisms to notify monday.com in case of a security breach?

Yes
- Incident Response Plan: We maintain a formal Incident Response Plan that outlines the steps to be taken in the event of a security breach. This includes immediate notification to key stakeholders, including monday.com, once a breach is confirmed.
- Rapid Notification: Upon identifying a potential or confirmed breach, we notify monday.com within 24 hours. This is done through predefined communication channels, ensuring prompt and secure disclosure.
- Breach Severity Assessment: We assess the severity and impact of the breach, and provide a detailed report to monday.com, outlining the nature of the breach, affected systems, data involved, and steps taken to mitigate the issue.
- Ongoing Updates: We maintain regular communication with monday.com during the incident, providing updates on investigation status, remediation efforts, and any additional measures being implemented to prevent future incidents.
- Post-Incident Reporting: After resolving the breach, we provide a post-incident report to monday.com, including lessons learned and any system improvements to prevent recurrence.
This structured approach ensures quick and transparent communication with monday.com during any security incident.

Does this developer have a process for installing application-level updates and security patches for the service (such as software packages and databases)?

Yes
- Automated Security Updates: We use Runcloud to manage our VPS, which automates security patching for Ubuntu 20.04 LTS, PHP, MariaDB, and other server services. This ensures critical security updates are applied promptly.
- Application-Level Updates: Updates to General Caster are first deployed in a staging environment for testing before going live. We regularly update third-party libraries and monitor for security vulnerabilities using tools like Composer for PHP.
- Critical Patches: Critical security patches, particularly for the application or database, are manually reviewed by our development team before deployment to ensure stability and security.
- Database Updates: MariaDB updates are handled regularly, with both automated patching and manual intervention for major updates to ensure data integrity and compatibility.
- Monitoring and Alerts: We have monitoring systems in place through Runcloud and DigitalOcean, which alert us to vulnerabilities and required updates, ensuring timely action.
- Backup and Rollback: Before updates, we create full system backups to enable quick rollback in case of any issues post-deployment.
This approach ensures General Caster remains secure, up-to-date, and compliant with industry standards.

Compliance

Is the app certified with the information security standard ISO/IEC 27001:2022?

Not answered

Is the app compliant with the Health Insurance Portability and Accountability Act (HIPAA)?

No
Currently, General Caster is not HIPAA compliant. While we prioritize security and data protection, our application is not specifically designed to handle Protected Health Information (PHI) in accordance with the Health Insurance Portability and Accountability Act (HIPAA) requirements. However, should the need arise to process PHI or comply with HIPAA standards, we are prepared to undergo the necessary steps to implement required safeguards, such as encryption, access control, and audit logging, to meet HIPAA compliance.

Is the app certified with System and Organization Controls (SOC 2 or SOC 3)?

No
Currently, we're not independently certified with System and Organization Controls (SOC 1, SOC 2, SOC 3). However, we adhere to industry best practices for security, privacy, and data protection, and our hosting provider, DigitalOcean, holds SOC 2 certification. This ensures that the underlying infrastructure meets the stringent security and privacy standards required for SOC compliance. While we do not have direct SOC certification, we implement robust security measures, including encryption, access controls, and regular audits, to align with SOC 2 principles.

Is the app compliant with the General Data Protection Regulation (GDPR)?

Yes

Data

Does the app send any data outside of monday.com? If yes, indicate whether the data is customer-submitted (e.g., board names, item names, doc content) or non-customer-submitted (e.g., account ID, board ID, user ID).

Not answered

Where does the app store logs data?

Not answered

Where does the app store the app data?

Not answered

Does the developer ensure application logs do not contain secrets or personally-identifiable information (PII)?

Yes
General Caster ensures that logs do not contain secrets or Personally Identifiable Information (PII) through the following practices:
- Log Scrubbing: We use automated processes to scrub sensitive data from logs, ensuring that secrets (e.g., passwords, API keys) and PII are never recorded in any logs.
- Tokenization and Masking: For any necessary information in logs, we apply tokenization or masking techniques to obfuscate sensitive data such as email addresses or user IDs.
- Logging Best Practices: We follow logging best practices, only logging data essential for debugging and performance monitoring, without including sensitive or confidential customer information.
- Regular Log Audits: We conduct regular audits of our logging processes to ensure that no sensitive information is inadvertently captured in logs.
These measures ensure that logs are secure and free from secrets or PII.
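
Scrubbing secrets and masking PII from a structured log event before it is written, as an added example of the practices this answer lists. It is not General Caster's code; the key-name pattern, the pseudonymisation of user IDs with a keyed hash, the e-mail mask and the sample event are all constructed for illustration.

```php
<?php
declare(strict_types=1);

// Added example (not General Caster's code): scrub secrets and mask PII in a log
// context array before it reaches the log sink. Key names and the event are constructed.

/** Keys whose values are secrets and must never be logged, even masked. */
const SECRET_KEY_PATTERN = '/(pass(word)?|secret|token|api[_-]?key|authorization|cookie)/i';

/** Mask every e-mail address in a string, keeping one leading character and the domain. */
function maskEmail(string $text): string
{
    return preg_replace_callback(
        '/([A-Za-z0-9._%+-])[A-Za-z0-9._%+-]*@([A-Za-z0-9.-]+\.[A-Za-z]{2,})/',
        static fn(array $m): string => $m[1] . '***@' . $m[2],
        $text
    );
}

/**
 * Replace a user ID with a stable, non-reversible pseudonym so events for the same
 * user still correlate in the logs without exposing the real identifier.
 */
function pseudonymizeId(string $id, string $salt): string
{
    return 'uid_' . substr(hash_hmac('sha256', $id, $salt), 0, 12);
}

/**
 * Recursively scrub a log context: redact secret-named keys entirely, pseudonymize
 * user IDs, and mask e-mail addresses inside any remaining string value.
 */
function scrubLogContext(array $context, string $salt): array
{
    foreach ($context as $key => $value) {
        if (is_array($value)) {
            $context[$key] = scrubLogContext($value, $salt);
        } elseif (is_string($key) && preg_match(SECRET_KEY_PATTERN, $key)) {
            $context[$key] = '[REDACTED]';
        } elseif ($key === 'user_id') {
            $context[$key] = pseudonymizeId((string) $value, $salt);
        } elseif (is_string($value)) {
            $context[$key] = maskEmail($value);
        }
    }
    return $context;
}

// Constructed event as an application might assemble it before logging.
$event = [
    'msg'     => 'formula recalculated for ada.lovelace@example.com',
    'user_id' => '12345',
    'headers' => ['Authorization' => 'Bearer abc.def.ghi', 'X-Request-Id' => 'r-1'],
    'db'      => ['password' => 'example-only', 'host' => 'db.internal'],
];
$salt = 'constructed-per-deployment-salt'; // in production: a secret kept outside the code

echo json_encode(scrubLogContext($event, $salt), JSON_PRETTY_PRINT), "\n";
```

Redacting by key name is intentionally greedy (a key like `passenger` would also be redacted); for log scrubbing, over-redaction is the safe failure mode, and the regular log audits the answer mentions are where the pattern gets tuned.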

Is customer data segregated from the data of other customers (for example logically or physically)?

Yes
- Logical Segregation at the Database Level: Customer data is logically segregated in the MariaDB database. Each customer's data is uniquely identified and stored in isolated database tables, ensuring that data belonging to one customer cannot be accessed by another. This is enforced through application logic and database permissions. Access to data is restricted via strict role-based access control (RBAC) mechanisms within the application, ensuring that users can only access the data associated with their account.
- Multi-Tenant Architecture: General Caster follows a multi-tenant architecture, where customers share the same infrastructure (VPS and database server), but the data is logically separated to prevent overlap or unauthorized access.
- Application-Level Segregation: Within the PHP application, data handling and session management are built to ensure each session is tied to a specific customer or user account. Access to customer-specific data is verified through user authentication and session tokens, further preventing any possibility of data leakage across accounts.
- Encryption: Data is encrypted both in transit (using TLS/SSL) and at rest, ensuring secure communication and storage. This encryption adds another layer of segregation by ensuring that even if data were accessed improperly, it would remain unintelligible without the proper decryption keys.
- Infrastructure-Level Separation: Although the VPS is shared, DigitalOcean's VPS infrastructure ensures that each server instance is isolated from others. Each customer's data remains isolated within the General Caster application, preventing cross-tenant access even at the physical infrastructure level.

Privacy

Does the developer enforce multi-factor authentication on employees access to systems which may process customer data?

Yes
General Caster enforces multi-factor authentication (MFA) for all employees accessing systems that process customer data. Our MFA enforcement includes the following:
- Mandatory MFA: All employees must use MFA to access any systems that handle or process customer data, ensuring an additional layer of security beyond just passwords.
- Authentication Methods: We use a combination of passwords and authentication apps (such as Google Authenticator or similar) for generating time-based one-time passwords (TOTP) to verify user identity.
- Access Control Systems: MFA is enforced for critical systems, including our servers (managed through Runcloud), databases (MariaDB), and any other systems interacting with customer data.
- Periodic Reviews: We regularly review and audit our MFA policies to ensure they meet industry standards and adapt to evolving security needs.
By enforcing MFA, we significantly reduce the risk of unauthorized access to customer data.

Does the developer protect access to customer data based on the principle of least privilege?

Yes
General Caster protects customer data from access by non-classified company employees through the following measures:
- Role-Based Access Control (RBAC): We implement role-based access control, ensuring that only classified employees with specific roles have access to customer data. Non-classified employees are restricted from accessing any sensitive information.
- Principle of Least Privilege (PoLP): We adhere to the principle of least privilege, granting employees only the minimum access necessary to perform their job functions. Access to customer data is limited strictly to employees who require it for operational purposes.
- Data Access Logging: All access to customer data is logged and monitored. Any unauthorized access attempts are flagged, and appropriate action is taken immediately.
- Strict Authentication and Access Control: Employees must use multi-factor authentication (MFA) and secure credentials to access systems containing customer data, and additional authentication layers are required for accessing sensitive information.
- Regular Audits: We conduct regular access audits to ensure compliance with internal security policies and to verify that only classified employees have access to customer data.
These mechanisms ensure that customer data is securely protected from non-classified employees.

Reviews

August 28, 2024

JL: The absolute worst support. They don't respond to any support requests at all, ever!

February 15, 2023

ZV: I love GC! <3

January 13, 2023

MA: I use this app in almost every installation.

December 20, 2022

NZ: It's really hard to find out how to stop paying.

December 19, 2022

CS: If you can get the formulas to work it is very useful. But really struggling.

Installation history

We have data for December 28, 2024 onwards only. Collected sometime after 00:00 UTC daily.

ID: 8
App ID: 8031
Listing updated: November 14, 2024