Security standards & Data policy
Paco follows the Security Standards and Data Policy below. We continuously review and improve these to follow evolving industry standards. As a result, these security standards and policies may change without notice.
Paco is hosted on Google Cloud Platform (GCP)'s App Engine. All communication with Paco from within the web app and with Slack is secured with TLS, with support for versions 1.2 and 1.3. Our data resides on Google Cloud servers, encrypted using AES-256, with keys managed by Google. More details here: https://cloud.google.com/security/encryption/default-encryption
TL;DR: All data is encrypted at rest as well as in motion with industry-standard algorithms.
Paco has been reviewed & approved by Slack. We use official, secure Slack APIs to communicate with Slack, and only use the minimum APIs needed to support the functionality offered. Our public-facing APIs are secured by verifying that signed requests originate from Slack or are from an authenticated user. We have application-level security controls to ensure that access to data is limited only to the companies that own that data.
Paco does not ask for or store any user passwords. Authentication to log in to Paco via the web interface is handled by Slack via OAuth2. Our (soon to be released) third-party integrations also rely on OAuth2, avoiding the need for us to store any user passwords.
We are committed to your privacy. We do not sell your data to any other companies, nor does Paco track any user activity beyond the interactions with our system when you use the web application.
Within Paco, customer data is treated with the utmost care. We do not share production data in development environments.