Security

Since ShiftBot is deeply integrated into your Slack organization and gains access to the list of users, you may have some concerns regarding the security of ShiftBot.

What authentication does ShiftBot use?

ShiftBot is built on top of Slack's OAuth2 protocol and gains access to your Slack workspace only through that protocol. Please visit https://oauth.net/2 to learn more about OAuth2 and https://api.slack.com/authentication/oauth-v2 to learn more about Slack's OAuth2 protocol.

How are requests from Slack authenticated?

Every time you or your team member clicks "Set my work hours" or has any interaction with ShiftBot, Slack sends an HTTP request to ShiftBot's servers. Those requests are verified to make sure they are actually coming from Slack, and each request contains a specific token that identifies your workspace. Read more: https://api.slack.com/authentication/verifying-requests-from-slack
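
As an added example (not ShiftBot's own code), this is how a Slack app can perform that check with Slack's documented v0 signing scheme: an HMAC-SHA256 over the request timestamp and raw body, keyed with the app's signing secret. The function names, the plain-dict headers and the sample values are assumptions made for illustration.

```python
import hashlib
import hmac
import time

MAX_SKEW_SECONDS = 5 * 60  # replay window; Slack's docs use five minutes


def compute_signature(signing_secret: str, timestamp: str, raw_body: bytes) -> str:
    """Slack v0 signature: HMAC-SHA256 over 'v0:<timestamp>:<raw body>'."""
    base = b"v0:" + timestamp.encode() + b":" + raw_body
    digest = hmac.new(signing_secret.encode(), base, hashlib.sha256).hexdigest()
    return "v0=" + digest


def verify_slack_request(signing_secret, headers, raw_body, now=None):
    """Return True only for a fresh request with a matching signature."""
    # Assumption: headers is a plain dict keyed by Slack's header names.
    timestamp = headers.get("X-Slack-Request-Timestamp", "")
    signature = headers.get("X-Slack-Signature", "")
    try:
        sent_at = int(timestamp)
    except ValueError:
        return False  # missing or malformed timestamp
    now = time.time() if now is None else now
    if abs(now - sent_at) > MAX_SKEW_SECONDS:
        return False  # stale: possible replay of a captured request
    expected = compute_signature(signing_secret, timestamp, raw_body)
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(expected.encode(), signature.encode())


if __name__ == "__main__":
    # Constructed sample values, not real credentials or traffic.
    secret = "constructed-signing-secret"
    body = b"payload=%7B%22type%22%3A%22block_actions%22%7D"
    ts = "1700000000"
    good = {"X-Slack-Request-Timestamp": ts,
            "X-Slack-Signature": compute_signature(secret, ts, body)}
    print(verify_slack_request(secret, good, body, now=1700000030))         # fresh, valid
    print(verify_slack_request(secret, good, body + b"x", now=1700000030))  # tampered body
    print(verify_slack_request(secret, good, body, now=1700000900))         # replayed later
```

The signature must be computed over the raw request bytes, before any form or JSON parsing, because re-serialising the body can change it and break the comparison.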

Visiting ShiftBot via the browser

Managing your workspace's billing settings, managing your ShiftBot account and onboarding ShiftBot into your workspace are all performed via the web browser.

Visiting ShiftBot via the web browser will prompt you to sign in with your Slack account. The sign-in flow is built on top of Slack's OpenID Connect protocol to gain access to your Slack user account. Please visit https://openid.net/developers/how-connect-works/ to learn more about OpenID Connect and https://api.slack.com/authentication/sign-in-with-slack to learn more about Slack's OpenID Connect protocol.

Access to ShiftBot webpages is restricted to HTTPS-encrypted connections with TLS 1.2 and higher.

Where is ShiftBot data stored?

ShiftBot's database is hosted and managed within Amazon's secure data centers and uses Amazon Web Services (AWS). Amazon continually manages risk and undergoes recurring assessments to ensure compliance with industry standards. Amazon's data center operations have been accredited under:

  • ISO 27001
  • SOC 1 and SOC 2/SSAE 16/ISAE 3402 (Previously SAS 70 Type II)
  • PCI Level 1
  • FISMA Moderate
  • Sarbanes-Oxley (SOX)

Can ShiftBot read messages? What permissions does it have?

No, ShiftBot cannot read any messages sent in public or private channels or in direct messages between users. ShiftBot can only read messages that are sent directly to it via the "Messages" tab in ShiftBot's App Home.

The permissions that ShiftBot has in your workspace are:

  • users.profile:read, users:read, users:read.email — To be able to read user info
  • team:read — To be able to view the workspace details
  • channels:read — To be able to view the list of public channels
  • groups:read — To be able to view the list of private channels
  • channels:join — To be able to join the Slack channel to send messages
  • chat:write — To be able to send messages to public Slack channels
  • im:history — To be able to interact with the user in the App Home
  • usergroups:read — To be able to view the list of Slack usergroups

What data does ShiftBot collect?

On our own servers and databases, ShiftBot collects the following information about your Slack workspace and your Slack users:

Your workspace's name, unique Slack ID and avatar URL

This data is only used to display the name and avatar when onboarding, managing billing settings and managing users, for easier identification. We may also occasionally reach out to you to ask for your feedback about ShiftBot.

Authorization token for your workspace

We need to interact with the Slack API on behalf of your workspace, send data to your Slack workspace, etc. This token is provided to us by Slack upon installation and is encrypted at rest using AES-256 encryption.

Users' names, avatars and Slack IDs

Both name and email are encrypted at rest using AES-256 encryption.

Request logs

Every time somebody from your workspace interacts with ShiftBot, sends it a message, or when ShiftBot interacts back with your workspace, we store that interaction. However, this is only done so we can investigate potential errors. We encrypt every request payload and every response from the Slack API at rest using AES-256 encryption.

All logs are completely removed from our database after a week.

Invoices

Even though our complete payment system is handled by Paddle, we store all past invoices for your workspace. For legal purposes, we need to store them even if you remove your ShiftBot account.
