Your privacy and data security are our top priority. We’ve taken the following steps to ensure our General Data Protection Regulation (GDPR) readiness.

Data Security
Protecting customer data is a top priority at Incognito. We understand you are trusting us with your data and we take that responsibility extremely seriously. You can read the details of our security policies below.

Handling Data Subject Rights Requests
‍We've implemented some compliance measures to make it easy to handle requests such as deletion or update requests of your personal data.

To do so, email privacy@incognitoforslack.com with your request.

Additional training
The Incognito team has been diligent in conducting training with our team regarding data protection and incident response on potential issues like data breaches.

Hosting & Storage Location
All hosting and data storage for the Incognito for Slack app is located in Europe.
‍
Sub processors
The sub-processors Incognito uses are:

Slack Technologies, LLC - located in the USA - for the purposes of app hosting & internal communication - view their GDPR policy
‍
HubSpot, Inc. - located in the USA - for the purposes of customer management - view their GDPR policy
‍
Salesforce, Inc. - located in the USA - for the purposes of server/app hosting on Heroku - view their GDPR policy
‍
Google LLC - located in the USA - for the purposes of Gmail and Google Calendar - view their GDPR policy
‍
Stripe, Inc. - located in the USA - for the purposes of payment processing - view their GDPR policy

OpenAI, L.L.C. - located in the USA - for the purposes of AI content creation. All Incognito users have the option to opt out of this sub-processor - view their GDPR policy

Cloud Hosting
‍Incognito's data and services are hosted with trusted Amazon Web Services (AWS) through Heroku, leveraging their world-class security.

SSL and Encryption
‍All data is transmitted over HTTPS, and any data stored is encrypted in transit and at rest using 256-bit encryption. Our application endpoints are all TLS/SSL to ensure all connections are secure.

Employee Access and Authentication
‍Access to customer data is limited to authorized employees whose job functions require it. Additionally, 2FA and strong password policies on all tools used internally are strictly implemented for all Incognito employees to ensure third-party access to these cloud services are protected.

Slack Permissions
Incognito uses Slack's Granular Permissions in order to request only the permissions we need to make the app function. When you install Incognito on your Slack workspace Slack will be present you with a list of the specific permissions that Incognito requests, and you will have an opportunity to approve or reject those permissions. You can view Incognito's Slack permissions without installing the app. Incognito only has access to public channels, private channels that the bot has be invited into, and content that is explicitly shared with the bot.

Channel and Message Access
Incognito's access to messages in Slack is very limited, in two ways:
‍
1. Incognito can only read messages in channels or DMs where Incognito is a member, and only the messages sent while Incognito is in the channel (i.e. messages sent before Incognito joins or after Incognito leaves the channel are not accessible).

2. Incognito only needs to be in the channel(s) that you want to use to interact with Incognito (Feedback, Pulse Surveys, Introductions, etc.). Consequently Incognito will only be a member of channels that a user invites it to or where a user explicitly sets up Incognito. This means that Incognito does not have access to anyone's private DMs (unless it's a DM with Incognito ), nor does Incognito have access to any public or private channel content unless someone from your team has explicitly added Incognito to the channel or Incognito created the channel for set-up purposes.

Slack OAuth
Incognito uses Slack's OAuth to authenticate users and teams in Slack as well as for our web app, making use of Slack's world-class security.

PCI Compliance
Incognito uses Stripe as our payment provider. Stripe is a PCI compliant payment gateway service with very strong security practices. No credit card information is stored on our servers.
‍