What authentication does ShiftBot use?
ShiftBot is built on top of Slack's OAuth2 protocol and gains access to your Slack workspace only by that protocol. Please visit https://oauth.net/2 to learn more about OAuth2 and https://api.slack.com/authentication/oauth-v2 to learn more about Slack's OAuth2 protocol.
How are requests from Slack authenticated?
Every time you or a team member clicks "Set my work hours" or has any other interaction with ShiftBot, Slack sends an HTTP request to ShiftBot's servers. Those requests are verified to make sure they actually come from Slack, and each request contains a specific token that identifies your workspace. Read more: https://api.slack.com/authentication/verifying-requests-from-slack
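The verification Slack documents at the link above is a signed-request scheme: Slack sends an X-Slack-Request-Timestamp header and an X-Slack-Signature header, the signature being "v0=" followed by the hex HMAC-SHA256, keyed with the app's signing secret, over the string "v0:<timestamp>:<raw body>". The following Go program is an added illustration of that check, not ShiftBot's own code; the signing secret, request body and clock value are constructed placeholders. It rejects stale timestamps before comparing signatures so that a captured request cannot simply be replayed later.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"time"
)

// Slack's documented scheme: the base string is "v0:" + the X-Slack-Request-Timestamp
// header + ":" + the raw request body; the X-Slack-Signature header carries
// "v0=" + hex(HMAC-SHA256(signing secret, base string)).
const (
	versionPrefix = "v0"
	maxSkew       = 5 * time.Minute // Slack's guidance for rejecting replayed requests
)

// computeSignature derives the expected X-Slack-Signature value for a request.
func computeSignature(signingSecret, timestamp string, body []byte) string {
	mac := hmac.New(sha256.New, []byte(signingSecret))
	mac.Write([]byte(versionPrefix + ":" + timestamp + ":"))
	mac.Write(body)
	return versionPrefix + "=" + hex.EncodeToString(mac.Sum(nil))
}

// VerifySlackRequest rejects stale timestamps (replay protection) before checking the
// signature in constant time. The current time is a parameter so the check is testable.
func VerifySlackRequest(signingSecret, timestampHeader, signatureHeader string, body []byte, now time.Time) error {
	ts, err := strconv.ParseInt(timestampHeader, 10, 64)
	if err != nil {
		return errors.New("malformed X-Slack-Request-Timestamp header")
	}
	if skew := now.Sub(time.Unix(ts, 0)); skew > maxSkew || skew < -maxSkew {
		return errors.New("timestamp outside the allowed window (possible replay)")
	}
	expected := computeSignature(signingSecret, timestampHeader, body)
	// hmac.Equal is constant-time and handles length mismatches safely.
	if !hmac.Equal([]byte(expected), []byte(signatureHeader)) {
		return errors.New("signature mismatch")
	}
	return nil
}

func main() {
	// Constructed sample values: a placeholder signing secret and a slash-command style body.
	secret := "placeholder-signing-secret"
	body := []byte("token=placeholder&team_id=T0000000&command=%2Fshiftbot&text=set+my+work+hours")
	now := time.Unix(1700000000, 0)
	ts := strconv.FormatInt(now.Unix(), 10)
	sig := computeSignature(secret, ts, body) // what Slack would put in X-Slack-Signature

	fmt.Println("genuine request:", VerifySlackRequest(secret, ts, sig, body, now))
	fmt.Println("tampered body:  ", VerifySlackRequest(secret, ts, sig, []byte("text=other"), now))
	fmt.Println("replayed later: ", VerifySlackRequest(secret, ts, sig, body, now.Add(10*time.Minute)))
}
```

The important detail for a server receiving these requests is that the HMAC must be computed over the raw body bytes exactly as received, before any JSON or form parsing, and that the signing secret is distinct from the workspace token mentioned above.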
Visiting ShiftBot via the browser
Managing your workspace's billing settings, managing your ShiftBot account and onboarding ShiftBot into your workspace are all performed via the web browser.
Visiting ShiftBot via the web browser will prompt you to sign in with your Slack account. The sign-in flow is built on top of Slack's OpenID Connect protocol to gain access to your Slack user account. Please visit https://openid.net/developers/how-connect-works/ to learn more about OpenID Connect and https://api.slack.com/authentication/sign-in-with-slack to learn more about Slack's OpenID Connect protocol.
Access to ShiftBot webpages is restricted to HTTPS-encrypted connections with TLS 1.2 and higher.
Where is ShiftBot data stored?
ShiftBot's database is hosted and managed within Amazon's secure data centers and utilizes Amazon Web Services (AWS). Amazon continually manages risk and undergoes recurring assessments to ensure compliance with industry standards. Amazon's data center operations have been accredited under:
- ISO 27001
- SOC 1 and SOC 2/SSAE 16/ISAE 3402 (Previously SAS 70 Type II)
- PCI Level 1
- FISMA Moderate
- Sarbanes-Oxley (SOX)
Can ShiftBot read messages? What permissions does it have?
No, ShiftBot cannot read any messages sent in public or private channels, nor direct messages between users. ShiftBot can only read messages that are sent directly to it via the "Messages" tab in ShiftBot's App Home.
Permissions (OAuth scopes) that ShiftBot has in your workspace are:
- users.profile:read, users:read, users:read.email — To be able to read user info
- team:read — To be able to view the workspace details
- channels:read — To be able to view the list of public channels
- groups:read — To be able to view the list of private channels
- channels:join — To be able to join the Slack channel to send messages
- chat:write — To be able to send messages to public Slack channels
- im:history — To be able to interact with users in the App Home
- usergroups:read — To be able to view the list of Slack usergroups
What data does ShiftBot collect?
On our own servers and databases, ShiftBot collects the following information about your Slack workspace and your Slack users:
Your workspace's name, unique Slack ID and avatar URL
This data is only used to display the workspace name and avatar when onboarding, managing billing settings and managing users, for easier identification. We may also occasionally reach out to you to ask for your feedback about ShiftBot.
Authorization token for your workspace
We need it to interact with the Slack API on behalf of your workspace, send data to your Slack workspace, and so on. This token is provided to us by Slack upon installation and is encrypted at rest using AES-256 encryption.
Users' names, avatars and their Slack IDs
Both name and email are encrypted at rest using AES-256 encryption.
Request logs
Every time somebody from your workspace interacts with ShiftBot, sends it a message, or ShiftBot interacts back with your workspace, we store that interaction. This is done only so we can investigate potential errors. We encrypt every request payload and every response from the Slack API at rest using AES-256 encryption.
All logs are completely removed from our database after a week.
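The sections above describe the workspace token, user names and emails, and request logs as "encrypted at rest using AES-256". The Go program below is an added illustration of what that typically looks like in practice; it is not ShiftBot's code and makes two assumptions: that the key is fetched from somewhere outside the database (a secrets manager or KMS, represented here by a constructed all-zero key) and that AES-256 is used in GCM mode with a fresh random nonce per record. The workspace ID is bound to each ciphertext as associated data, so a ciphertext copied into another workspace's row will not decrypt.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// TokenCipher wraps an AES-256-GCM key that lives outside the database
// (assumed: loaded from a secrets manager or KMS at startup).
type TokenCipher struct{ aead cipher.AEAD }

// NewTokenCipher refuses anything but a 32-byte key, since that is what
// makes the cipher AES-256 rather than AES-128 or AES-192.
func NewTokenCipher(key []byte) (*TokenCipher, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &TokenCipher{aead: aead}, nil
}

// Seal encrypts a secret for storage. The random nonce is prepended to the
// ciphertext so the stored blob is self-describing; workspaceID is authenticated
// as associated data (not encrypted) so the blob is tied to one workspace row.
func (c *TokenCipher) Seal(workspaceID string, secret []byte) ([]byte, error) {
	nonce := make([]byte, c.aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return c.aead.Seal(nonce, nonce, secret, []byte(workspaceID)), nil
}

// Open reverses Seal. Any modification of the blob, or a mismatched
// workspaceID, fails the GCM authentication tag check.
func (c *TokenCipher) Open(workspaceID string, stored []byte) ([]byte, error) {
	n := c.aead.NonceSize()
	if len(stored) < n {
		return nil, errors.New("stored value too short to contain a nonce")
	}
	return c.aead.Open(nil, stored[:n], stored[n:], []byte(workspaceID))
}

func main() {
	// Constructed sample: an all-zero key stands in for one fetched from a secrets manager.
	key := make([]byte, 32)
	c, err := NewTokenCipher(key)
	if err != nil {
		panic(err)
	}
	stored, err := c.Seal("T0000000", []byte("xoxb-placeholder-token"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored in DB (%d bytes, hex): %x\n", len(stored), stored)

	plain, err := c.Open("T0000000", stored)
	fmt.Printf("decrypted for owning workspace: %s (err=%v)\n", plain, err)

	_, err = c.Open("T1111111", stored)
	fmt.Printf("same blob under another workspace ID: err=%v\n", err)
}
```

Two points worth checking in any "encrypted at rest" claim: the key must not sit in the same database as the ciphertext, and the mode must authenticate the data (GCM does), otherwise a modified blob could be silently decrypted into garbage or a chosen value.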
Invoices
Even though our complete payment system is handled by Paddle, we store all past invoices for your workspace. For legal purposes, we need to retain them even if you remove your ShiftBot account.