David Simpson Apps is the trading name of Concise Web Design Limited, a UK-registered company. We build and maintain apps for monday.com. Our apps are listed on the monday.com Marketplace.

All our monday.com apps are hosted on the monday apps framework — the same enterprise-grade infrastructure that powers monday.com itself. The underlying infrastructure runs on Amazon Web Services (AWS) and is maintained and secured by monday.com.

This means your data benefits from monday.com's certified infrastructure, including SOC 2 Type II, ISO 27001, and GDPR compliance. See trust.monday.com for full details.

David Simpson Apps does not currently hold standalone certifications such as SOC 2 Type II or ISO 27001. We are evaluating these as our business grows.

However, because our apps run entirely within the monday apps framework, they inherit the security controls and certified posture of monday.com's infrastructure. monday.com holds SOC 2 Type II, ISO 27001, ISO 27018, ISO 27017, and other certifications. You can view and download their reports at trust.monday.com.

In the event of a security incident affecting your data, we will notify affected customers as required by applicable data protection law (including GDPR Article 33/34 obligations) — typically within 72 hours of becoming aware of the breach.

For infrastructure-level incidents on monday.com's platform, please also check status.monday.com.

Our apps only request the OAuth scopes required for the specific functionality of each app. We follow a principle of data minimisation — we do not request broad account access. The exact permissions are shown in the monday.com Marketplace listing for each app, and you must explicitly grant them during installation.

No. We do not sell, rent, or share your personal data with third parties for their own marketing or commercial purposes. Data accessed through our apps is used solely to provide the app's functionality to you.

Yes. As a UK-registered company processing the data of EU and UK residents, we are subject to the UK GDPR and EU GDPR respectively and take our obligations seriously. This includes maintaining a legal basis for processing, upholding data subject rights, and ensuring Data Processing Agreements are in place with all subprocessors.

Our full Privacy Policy is available at dsapps.dev/policies/privacy.

You can submit a data deletion request by emailing privacy@dsapps.dev with the subject line "Data Deletion Request". Please include your monday.com account URL and email address so we can identify the data to delete. We will confirm receipt and complete the deletion within 30 days.

Data processed by our apps is stored within monday.com's infrastructure on AWS. The region your data is stored in depends on the data residency configuration of your monday.com account. monday.com offers data residency in the US and EU — for details, see monday.com's data residency documentation.

Transient operational data (e.g. temporary files generated during an export) is deleted within 72 hours.

We welcome responsible disclosure from security researchers. If you discover a vulnerability in any of our apps or infrastructure, please email security@dsapps.dev with a description of the issue. We aim to acknowledge reports within 48 hours and will keep you updated as we investigate and remediate.

Please do not disclose vulnerabilities publicly until we have had a reasonable opportunity to address them.

Yes. Multi-factor authentication (MFA) is required for all team members accessing production systems, code repositories, and administrative tools. We enforce MFA wherever supported and do not permit access with only a username and password on critical systems.