GDPR at Incognito

Your privacy and data security are our top priority. We’ve taken the following steps to ensure our General Data Protection Regulation (GDPR) readiness.

Data Security
Protecting customer data is a top priority at Incognito. We understand you are trusting us with your data and we take that responsibility extremely seriously. You can read the details of our security policies below.

Handling Data Subject Rights Requests
We've implemented compliance measures to make it easy to handle requests concerning your personal data, such as deletion or update requests.

To do so, email privacy@incognitoforslack.com with your request.

Additional training
The Incognito team has been diligent in conducting training with our team on data protection and on incident response for potential issues like data breaches.

Hosting & Storage Location
All hosting and data storage for the Incognito for Slack app is located in Europe.

Sub-processors
Incognito keeps the necessary sub-processors to a minimum. The only sub-processors Incognito uses are:

HubSpot - located in the USA - for the purposes of customer management - view their GDPR policy
Heroku - located in the USA - for the purposes of server/app hosting - view their GDPR policy
Google - located in the USA - for the purposes of Gmail and Google Calendar - view their GDPR policy
Stripe - located in the USA - for the purposes of payment processing - view their GDPR 

Incognito Security

Cloud Hosting
Incognito's data and services are hosted with trusted Amazon Web Services (AWS) through Heroku, leveraging their world-class security.

SSL and Encryption
All data is transmitted over HTTPS, and any data stored is encrypted in transit and at rest using 256-bit encryption. All of our application endpoints use TLS/SSL to ensure all connections are secure.

Employee Access and Authentication
Access to customer data is limited to authorized employees whose job functions require it. Additionally, 2FA and strong password policies are strictly implemented for all Incognito employees on all tools used internally, to ensure third-party access to these cloud services is protected.

Slack Permissions
Incognito uses Slack's Granular Permissions in order to request only the permissions we need to make the app function. When you install Incognito on your Slack workspace, Slack will present you with a list of the specific permissions that Incognito requests, and you will have an opportunity to approve or reject those permissions. You can view Incognito's Slack permissions without installing the app. Incognito only has access to public channels, private channels that the bot has been invited into, and content that is explicitly shared with the bot.

Channel and Message Access
Incognito's access to messages in Slack is very limited, in two ways:

1. Incognito can only read messages in channels or DMs where Incognito is a member, and only the messages sent while Incognito is in the channel (i.e. messages sent before Incognito joins or after Incognito leaves the channel are not accessible).

2. Incognito only needs to be in the channel(s) that you want to use to interact with Incognito (Feedback, Pulse Surveys, Introductions, etc.). Consequently, Incognito will only be a member of channels that a user invites it to or where a user explicitly sets up Incognito. This means that Incognito does not have access to anyone's private DMs (unless it's a DM with Incognito), nor does Incognito have access to any public or private channel content unless someone from your team has explicitly added Incognito to the channel or Incognito created the channel for set-up purposes.

Slack OAuth
Incognito uses Slack's OAuth to authenticate users and teams in Slack as well as for our web app, making use of Slack's world-class security.

PCI Compliance
Incognito uses Stripe as our payment provider. Stripe is a PCI compliant payment gateway service with very strong security practices. No credit card information is stored on our servers.