Incognito Security

Incognito is preparing for a SOC2 audit using the Drata platform. You can review our live security status and request documentation through our Drata Trust Center.

Cloud Hosting
Incognito's data and services are hosted with trusted Amazon Web Services (AWS) through Heroku, leveraging their world-class security.

SSL and Encryption
All data is transmitted over HTTPS, and data is encrypted both in transit and at rest using 256-bit encryption. All of our application endpoints use TLS/SSL to ensure all connections are secure.

Employee Access and Authentication
Access to customer data is limited to authorized employees whose job functions require it. Additionally, 2FA and strong password policies are strictly enforced for all Incognito employees on all tools used internally, to ensure that third-party access to these cloud services is protected.

Slack Permissions
Incognito uses Slack's Granular Permissions to request only the permissions we need to make the app function. When you install Incognito on your Slack workspace, Slack will present you with a list of the specific permissions that Incognito requests, and you will have an opportunity to approve or reject those permissions. You can view Incognito's Slack permissions without installing the app. Incognito only has access to public channels, private channels that the bot has been invited into, and content that is explicitly shared with the bot.

Channel and Message Access
Incognito's access to messages in Slack is very limited, in two ways:

1. Incognito can only read messages in channels or DMs where Incognito is a member, and only the messages sent while Incognito is in the channel (i.e. messages sent before Incognito joins or after Incognito leaves the channel are not accessible).

2. Incognito only needs to be in the channel(s) that you want to use to interact with Incognito (Feedback, Pulse Surveys, Introductions, etc.). Consequently, Incognito will only be a member of channels that a user invites it to or where a user explicitly sets up Incognito. This means that Incognito does not have access to anyone's private DMs (unless it's a DM with Incognito), nor does Incognito have access to any public or private channel content unless someone from your team has explicitly added Incognito to the channel or Incognito created the channel for set-up purposes.

Slack OAuth
Incognito uses Slack's OAuth to authenticate users and teams in Slack as well as for our web app, making use of Slack's world-class security.

PCI Compliance
Incognito uses Stripe as our payment provider. Stripe is a PCI-compliant payment gateway service with very strong security practices. No credit card information is stored on our servers.