Allma


🔐 Security specifications

Allma understands and practices the importance of both security and reliability as two core pillars of building an effective and trustworthy software product for other companies. Our team is composed of senior engineers with a background in highly regulated and security-sensitive environments like health care and cloud security and compliance technology. We've leveraged our experience to develop our philosophy, which is simply to not compromise on security for the sake of the product, speed, or any other ephemeral short-term gain.

MFA

Allma requires all employees to use multi-factor authentication to interact with all Allma first- or third-party accounts, services, applications, systems, or data.

Infrastructure & Network-level Security

Allma hosts all of our cloud applications on AWS. Within AWS, we use best practices for creating a secure environment. Within our configured VPC, we place infrastructure services containing customer data in private subnets and user-facing applications in public subnets, with strong ACLs between the layers ensuring only specific applications have access to the layers containing data.

Secrets Management

Allma utilizes both AWS SSM and AWS Secrets Manager to house application secrets, database credentials, encryption keys, and other sensitive pieces of data separately from both our application code and our hosted databases. Our AWS server instances are able to retrieve these secrets as needed via IAM roles applied to the tasks running our application containers.

Data Storage & Encryption

Our databases in AWS are encrypted at rest. In addition, we take steps to identify and encrypt certain data we deem sensitive for our customers at the record/row/column level within our databases. Our application dynamically encrypts and decrypts this data when reading from and writing to the database, and the encryption keys are stored separately in AWS Secrets Manager and rotated automatically every 90 days. The types of data we elect to provide this additional security for on behalf of our customers include, but are not limited to:

  1. Chat messages collected from communications platforms like Slack, Zoom, etc.
  2. Access tokens that provide access on behalf of a customer to external services via integrations, like Slack, PagerDuty, etc.

As a policy, we take the extra precaution of encrypting and storing in this manner any data that could be damaging to a customer if exposed.
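An added example, not Allma's code: one way to implement the record-level encryption with rotating keys described above, using Node's built-in crypto module. The in-memory keyring, the key ids (`k1`, `k2`), the function names and the `messages:42:body` context string are assumptions standing in for a secrets store and a real schema.

```javascript
const nodeCrypto = require("node:crypto");

// Constructed in-memory keyring standing in for a secrets store (assumption).
function newKeyring() {
  return { current: "k1", keys: new Map([["k1", nodeCrypto.randomBytes(32)]]) };
}

// Rotation adds a key and makes it current; old keys stay so existing rows still decrypt.
function rotate(keyring, newId) {
  keyring.keys.set(newId, nodeCrypto.randomBytes(32));
  keyring.current = newId;
}

// Encrypt one column value with AES-256-GCM. `context` (e.g. "messages:42:body") is
// bound as AAD, so a ciphertext copied into another row or column fails authentication.
function encryptField(keyring, plaintext, context) {
  const iv = nodeCrypto.randomBytes(12); // fresh 96-bit nonce per value
  const key = keyring.keys.get(keyring.current);
  const cipher = nodeCrypto.createCipheriv("aes-256-gcm", key, iv);
  cipher.setAAD(Buffer.from(context, "utf8"));
  const ct = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  const parts = [iv, cipher.getAuthTag(), ct].map((b) => b.toString("base64"));
  return [keyring.current, ...parts].join("."); // key id travels with the value
}

// Decrypt a stored value; throws if the key id is unknown or authentication fails.
function decryptField(keyring, stored, context) {
  const [keyId, iv, tag, ct] = stored.split(".");
  const key = keyring.keys.get(keyId);
  if (!key) throw new Error(`unknown key id: ${keyId}`);
  const decipher = nodeCrypto.createDecipheriv("aes-256-gcm", key, Buffer.from(iv, "base64"));
  decipher.setAAD(Buffer.from(context, "utf8"));
  decipher.setAuthTag(Buffer.from(tag, "base64"));
  const pt = Buffer.concat([decipher.update(Buffer.from(ct, "base64")), decipher.final()]);
  return pt.toString("utf8");
}

// After a rotation, rewrite a stored value under the current key.
function reencrypt(keyring, stored, context) {
  return encryptField(keyring, decryptField(keyring, stored, context), context);
}
```

Because the key id is stored with each value, rows written before a rotation remain readable until a background job calls `reencrypt` on them, after which the old key can be retired.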

Allma Processor Data

As a data processor instead of a controller, Allma manages the following data:

  1. Slack chat messages, emoji reactions, and attachments posted exclusively in incident management channels created by the Allma application.
    1. Messages are encrypted at the row/record level in our database and cannot be read with just database access alone.
    2. Attachments are not downloaded and re-stored, and are kept secure by the same ACLs employed by Slack and their CDN.
  2. Services and alerts from external alerting providers such as PagerDuty.

Slack OAuth Scopes

Scopes & Purposes

| Scope | Description | Purpose |
| --- | --- | --- |
| app_mentions:read | View messages that directly mention @allma in conversations that the app is in | Enable conversational interfaces & chat ops commands when users interact with Allma |
| channels:history | View messages and other content in public channels that Allma has been added to | Ingest of messages for incident channels |
| channels:join | Join public channels in a workspace | Joining of incident channels and channels which are configured to receive notifications |
| channels:manage | Manage public channels that Allma has been added to and create new ones | Creation of incident channels |
| channels:read | View basic information about public channels in a workspace | Allowing a selection of channels for receiving incident notifications |
| chat:write | Send messages as @allma | Posting messages to Slack |
| chat:write.customize | Send messages as @allma with a customized username and avatar | Posting messages to Slack |
| commands | Add shortcuts and/or slash commands that people can use | Enabling use of slash commands and shortcuts to interact with Allma |
| emoji:read | View custom emoji in a workspace | Reading custom emoji for processing when displaying incident timelines and transcripts in web app |
| files:read | View files shared in channels and conversations that Allma has been added to | Storing references to graphs or artifacts related to an incident posted in an incident channel |
| files:write | Upload, edit, and delete files as Allma | For posting rendered images of graphs for incident and alerting history |
| groups:history | View messages and other content in private channels that Allma has been added to | Ingest of messages for private incident channels |
| groups:read | View basic information about private channels that Allma has been added to | Allowing a selection of channels for receiving incident notifications |
| im:history | View messages and other content in direct messages that Allma has been added to | Allowing users to directly interact with the app via DM |
| im:read | View basic information about direct messages that Allma has been added to | Allowing users to directly interact with the app via DM |
| im:write | Start direct messages with people | Allowing users to directly interact with the app via DM, sending notifications to individuals on Slack |
| links:read | View allma.dev and allma.io URLs in messages | For capturing links to Allma web app pages and providing actions in app |
| links:write | Show previews of allma.dev and allma.io URLs in messages | For capturing links to Allma web app pages and providing actions in app |
| pins:read | View pinned content in channels and conversations that Allma has been added to | For storing what messages are pinned in incident channels to expose via the web app and timeline editor |
| reactions:read | View emoji reactions and their associated content in channels and conversations that Allma has been added to | Ingest of reactions for incident channels and timeline entry building |
| reactions:write | Add and edit emoji reactions | For using emoji reactions as a way to confirm the app added a message to the incident timeline |
| team:read | View the name, email domain, and icon for workspaces Allma is connected to | For displaying workspace information when logged in via Allma web app |
| users.profile:read | View profile details about people in a workspace | For collecting avatars and names to display when referencing users in the Allma app |
| users:read | View people in a workspace | For collecting avatars and names to display when referencing users in the Allma app |
| users:read.email | View email addresses of people in a workspace | For communicating to users with transactional communications they opted into related to incidents occurring in the workspace |
| users:write | Set presence for Allma | For allowing the bot to set their presence when active incidents are occurring in the workspace |

Data Subprocessors

A list of third-party processors that receive customer data from the Allma technology platform.

  1. Segment (Product analytics)
  2. Heap (Product analytics)
  3. Variance (Product analytics)
  4. Mixpanel (Product analytics)
  5. PostHog (Product analytics)
  6. Amazon Web Services (Hosting provider)
  7. Datadog (Application logs + monitoring)
  8. Postmark (Transactional email)
  9. Cloudflare (Content delivery network)


allma, inc © 2022