eddy uses Slack's OAuth Permission Scopes to request access only to those permissions that are required for eddy's onboarding functions. When you install eddy in your Slack workspace Slack will display a list of permissions that eddy needs to access for your approval.
The following Slack Scopes are currently used by eddy:
Accessing Message and Channel Data
eddy has very limited access to messages in your company's Slack workspace. eddy will never have access to direct messages, unless it's a direct message or group direct message with eddy. eddy will only have access to channel messages when eddy is added to a channel, and only for the duration of eddy's time in that channel. Note: we currently don't recommend adding eddy to any of your workspace channels; eddy does not require being added to any channel in order to fully function.
Security Practices and Infrastructure
eddy is built on the Amazon Web Services with support from FlowXO and the Slack API. We utilize segregated accounts for production infrastructure access with security credentials stored in secrets management systems and never in code.
Security & Privacy
We protect user information, with an emphasis on secure servers, firewalls, and by employing SSL encryption (where appropriate). No PII is stored beyond a user's Name and Email, which is used for the purpose of identifying accounts.
Authentication is handled by Auth0 for eddy's administrative WebUI. Through this tool, we support SSO using Google and Slack.
We utilize Stripe for payments, ensuring that we do not collect or store your payment information.
Maintenance & Reliability
Code deployments and clustering utilize immutable Docker instances to segregated VPCs for Production and Staging deployments. New code is deployed with zero down-time, and must pass checks before being promoted to production. We perform daily back-ups of our data to ensure reliability.