Security and Data Access

eddy's security best practices

Slack Permissions

eddy uses Slack's OAuth Permission Scopes to request only the permissions that its onboarding functions require. When you install eddy in your Slack workspace, Slack displays the list of permissions eddy requests so that you can approve them.

The following Slack Scopes are currently used by eddy:

| Scope | Description | Functionality |
| --- | --- | --- |
| app_mentions:read | View messages that directly mention @your_slack_app in conversations that the app is in | Allows the user to direct a message to eddy in a Group Direct Message. |
| channels:history | View messages and other content in public channels that your Slack app has been added to | Allows eddy to return a list of channels to allow the manager to create and assign an onboarding plan to a team. |
| channels:read | View basic information about public channels in a workspace | Allows eddy to return a list of channels to allow the manager to create and assign an onboarding plan to a team. |
| chat:write | Post messages in approved channels | Allows eddy to send messages in DMs and Group DMs. |
| groups:history | View messages and other content in private channels that your Slack app has been added to | Allows the user to direct a message to eddy in a Group Direct Message. |
| groups:read | View basic information about private channels that your Slack app has been added to | Allows the user to direct a message to eddy in a Group Direct Message. |
| im:history | View messages and other content in direct messages that your Slack app has been added to | Allows eddy to send messages in DMs. |
| im:read | View basic information about direct messages that your Slack app has been added to | Allows eddy to detect answers to their questions and respond to commands in DMs. |
| im:write | Start direct messages with people | Allows eddy to kick off onboarding for your New Hire, and initiate Buddy conversations when your New Hire gets stuck. |
| mpim:history | View messages and other content in group direct messages that your Slack app has been added to | Allows eddy to send messages in group DMs. |
| mpim:read | View basic information about group direct messages that your Slack app has been added to | Allows eddy to detect answers to their questions and respond to commands in Group DMs. |
| mpim:write | Start group direct messages with people | Allows eddy to connect your New Hire to their Buddy or SME when they are blocked on a task. |
| team:read | View the name, email domain, and icon for workspaces your Slack app is connected to | Allows eddy to identify your workspace and other metadata to support your account experience, so you don't have to recreate it in eddy. |
| users:read | View people in a workspace | Allows eddy to present a list of people in your Slack workspace, so they can be selected for Onboarding, assigned as a Buddy, or contacted as a SME. |
| users:read.email | View email addresses of people in a workspace | Allows eddy to uniquely identify users in your Slack workspace and track their interactions with eddy for usage and reporting. |
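A workspace admin can check an installed app's actual grant against the scope list above. The following is an added example, not eddy's or Edify's code: it takes the comma-separated scope string Slack reports for a token (the `scope` field of an `oauth.v2.access` response or the `x-oauth-scopes` response header) and reports drift. The function names and the sample grant are assumptions constructed for illustration.

```python
# Added example: audit granted Slack scopes against the list documented on this page.
DOCUMENTED_SCOPES = frozenset({
    "app_mentions:read", "channels:history", "channels:read", "chat:write",
    "groups:history", "groups:read", "im:history", "im:read", "im:write",
    "mpim:history", "mpim:read", "mpim:write", "team:read", "users:read",
    "users:read.email",
})

# Conversation types whose message content a ":history" scope exposes,
# taken from the scope descriptions in the table above.
HISTORY_SURFACES = {
    "channels": "public channels",
    "groups": "private channels",
    "im": "direct messages",
    "mpim": "group direct messages",
}

def parse_scopes(raw):
    """Split a comma-separated scope string, tolerating spaces and empty items."""
    return {s.strip().lower() for s in raw.split(",") if s.strip()}

def audit_scopes(raw_granted):
    """Compare a granted scope string with the documented list."""
    granted = parse_scopes(raw_granted)
    message_access = sorted(
        HISTORY_SURFACES.get(s.split(":")[0], s)
        for s in granted if s.endswith(":history")
    )
    return {
        "undocumented": sorted(granted - DOCUMENTED_SCOPES),  # granted, not on this page
        "not_granted": sorted(DOCUMENTED_SCOPES - granted),   # on this page, not granted
        "message_content_access": message_access,             # where messages are readable
        "ok": granted <= DOCUMENTED_SCOPES,
    }

# Constructed sample grant (not real data): one extra scope, two documented scopes absent.
SAMPLE_GRANT = (
    "app_mentions:read, channels:history,channels:read,chat:write,"
    "groups:history,groups:read,im:history,im:read,im:write,"
    "mpim:history,mpim:read,mpim:write,team:read,files:read"
)

if __name__ == "__main__":
    for key, value in audit_scopes(SAMPLE_GRANT).items():
        print(f"{key}: {value}")
```

An `undocumented` entry means the app holds a permission the vendor's published list does not account for and is worth raising before approving or re-approving the install.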

Accessing Message and Channel Data

eddy has very limited access to messages in your company's Slack workspace. eddy will never have access to direct messages, unless it's a direct message or group direct message with eddy. eddy will only have access to channel messages when eddy is added to a channel, and only for the duration of eddy's time in that channel. Note: we currently don't recommend adding eddy to any of your workspace channels; eddy does not require being added to any channel in order to fully function.

Edify does not store Slack message content except for direct valid responses to eddy for the exclusive purpose of tracking Learners' progress.

Security Practices and Infrastructure

Infrastructure

eddy is built on Amazon Web Services with support from FlowXO and the Slack API. We use segregated accounts for production infrastructure access, with security credentials stored in secrets management systems and never in code.

Security & Privacy

We protect user information with an emphasis on secure servers, firewalls, and SSL encryption (where appropriate). No PII is stored beyond a user's Name and Email, which are used for the purpose of identifying accounts.

Edify does not access or store data included in links, and Edify is not intended as a replacement for your existing documentation repository. While we stand by our security measures, users are advised never to include usernames, passwords, or other sensitive data directly in Edify's Learning Paths.

Authentication

Authentication is handled by Auth0 for eddy's administrative WebUI. Through this tool, we support SSO using Google and Slack.

Payments

We utilize Stripe for payments, ensuring that we do not collect or store your payment information.

Maintenance & Reliability

Code deployments and clustering use immutable Docker instances deployed to segregated VPCs for Production and Staging. New code is deployed with zero downtime and must pass checks before being promoted to production. We perform daily backups of our data to ensure reliability.