đ Security specifications
Allma understands and practices the importance of both security and reliability as two core pillars of building an effective and trustworthy software product for other companies. Our team is composed of senior engineers who have a past of working in highly regulated and security-sensitive environments like health care and cloud security and compliance technology. We've leveraged our experience to develop our philosophy, which is simply to not compromise on security for sake of the product, speed, or any other ephemeral short-term gain.
MFA
Allma requires all employees to use multi-factor authentication to interact with all Allma 1st or 3rd party accounts, services, applications, systems, or data.
Infrastructure & Network-level Security
Allma hosts all of our cloud applications on AWS. Within AWS, we use best practices for creating a secure environment. Within our configured VPC we utilize infrastructure services containing customer data in private subnets and user-facing applications in public subnets with strong ACLs between the layers ensuring only specific applications have access to layers containing data.Â
Secrets Management
Allma utilizes both AWS SSM as well as AWS secrets management to house application secrets, database credentials, encryption keys, and other sensitive pieces of data separately from both our application code and our hosted databases. Our AWS server instances are able to retrieve these secrets as-needed via IAM roles applied to the tasks running our application containers.Â
Data Storage & Encryption
Our databases in AWS are encrypted at rest, and additionally, we take steps to identify and encrypt certain data we deem sensitive for our customers at the record/row/column level within our databases. Our application dynamically encrypts and decrypts this data when reading/writing to the database and the keys for encryption are stored separately in AWS secrets manager and rotated automatically every 90d. The types of data we elect to provide this additional security for on behalf of our customers includes, but is not limited to:
- Chat messages collected from communications platforms like Slack, Zoom, etc.
- Access tokens that provide access on behalf of a customer to external services via integrations, like Slack, PagerDuty, etc.
As a policy, any data that could be damaging to a customer if exposed we will take the extra precautions to encrypt and store in this manner.
Allma Processor Data
As a data processor instead of a controller, Allma manages the following data:
- Slack chat messages, emoji reactions, and attachments posted exclusively in incident management channels created by the Allma application.
- Messages are encrypted at the row/record level in our database and cannot be read with just database access alone.
- Attachments are not downloaded and re-stored, and are kept secure by the same ACLs employed by Slack and their CDN.
- Services and alerts from external alerting providers such as PagerDuty.
Slack OAuth Scopes
Scopes & Purposes
Scope | Description | Purpose |
---|---|---|
app_mentions:read | View messages that directly mention @allma in conversations that the app is in | Enable conversational interfaces & chat ops commands when users interact with Allma |
channels:history | View messages and other content in public channels that Allma has been added to | Ingest of messages for incident channels |
channels:join | Join public channels in a workspace | Joining of incident channels and channels which are configured to receive notifications |
channels:manage | Manage public channels that Allma has been added to and create new ones | Creation of incident channels |
channels:read | View basic information about public channels in a workspace | Allowing a selection of channels for receiving incident notifications |
chat:write | Send messages as @allma | Posting messages to Slack |
chat:write.customize | Send messages as @allma with a customized username and avatar | Posting messages to Slack |
commands | Add shortcuts and/or slash commands that people can use | Enabling use of slash commands and shortcuts to interact with Allma |
emoji:read | View custom emoji in a workspace | Reading custom emoji for processing when displaying incident timelines and transcripts in web app |
files:read | View files shared in channels and conversations that Allma has been added to | Storing references to graphs or artifacts related to an incident posted in an incident channel |
files:write | Upload, edit, and delete files as Allma | For posting rendered images of graphs for incident and alerting history |
groups:history | View messages and other content in private channels that Allma has been added to | Ingest of messages for private incident channels |
groups:read | View basic information about private channels that Allma has been added to | Allowing a selection of channels for receiving incident notifications |
im:history | View messages and other content in direct messages that Allma has been added to | Allowing users to directly interact with the app via DM |
im:read | View basic information about direct messages that Allma has been added to | Allowing users to directly interact with the app via DM |
im:write | Start direct messages with people | Allowing users to directly interact with the app via DM, sending notifications to individuals on Slack |
links:read | View allma.dev and allma.io URLs in messages | For capturing links to Allma web app pages and providing actions in app |
links:write | Show previews of allma.dev and allma.io URLs in messages | For capturing links to Allma web app pages and providing actions in app |
pins:read | View pinned content in channels and conversations that Allma has been added to | For storing what messages are pinned in incident channels to expose via the web app and timeline editor |
reactions:read | View emoji reactions and their associated content in channels and conversations that Allma has been added to | Ingest of reactions for incident channels and timeline entry building |
reactions:write | Add and edit emoji reactions | For using emoji reactions as a way to confirm the app added a message to the incident timeline |
team:read | View the name, email domain, and icon for workspaces Allma is connected to | For displaying workspace information when logged in via Allma web app |
users.profile:read | View profile details about people in a workspace | For collecting avatars and names to display when referencing users in the Allma app |
users:read | View people in a workspace | For collecting avatars and names to display when referencing users in the Allma app |
users:read.email | View email addresses of people in a workspace | For communicating to users with transactional communications they opted into related to incidents occurring in the workspace |
users:write | Set presence for Allma | For allowing the bot to set their presence when active incidents are occurring in the workspace |
Data Subprocessors
A list of third party processors that get customer data from the Allma technology platform.
- Segment (Product analytics)
- Heap (Product analytics)
- Variance (Product analytics)
- Mixpanel (Product analytics)
- PostHog (Product analytics)
- Amazon Web Services (Hosting provider)
- Datadog (Applications logs + monitoring)
- Postmark (Transactional email)
- Cloudflare (Content delivery network)