Paco follows the below Security Standards and Data Policy. We continuously review and improve these to follow evolving industry standards. As a result, these security standards and policies may change without notice.

Security Standards

Paco is hosted on Google Cloud Platform (GCP)'s App Engine. All communication with Paco from within the web app and with Slack is secured with support for TLS 1.2 and 1.3. Our data resides on Google Cloud servers using AES256, with keys managed by Google. More details here: https://cloud.google.com/security/encryption/default-encryption

tldr; All data is encrypted at rest as well as in motion with industry-standard algorithms.

Paco has been reviewed & approved by Slack. We use official, secure Slack APIs to communicate with Slack, and only use the minimum APIs needed to support the functionality offered. Our public facing APIs are secured by verifying that signed requests originate from Slack or are from an authenticated user. We have application level security controls to ensure that access to data is limited only to the companies that own that data.

Paco does not ask for or store any user passwords. Authentication to login to Paco via the web interface is handled by Slack via Oauth2. Our (soon to be released) 3rd party integrations also rely on Oauth2, circumventing the need for us to store any user passwords.

Data Policy

The only messages that Paco stores are visible to you in the form of asks. In terms of user information, we store the minimal data that we need to ensure a smooth experience including email address, user names, and time zone information.

Users have full control over their data, including deletion. If you would like to delete any data from our systems, you can directly do so by contacting us at support@pacohq.com.

We are committed to your privacy. We do not sell your data to any other companies. Nor does Paco track any user activity beyond the interactions with our system when you use the web application.

Within Paco, customer data is treated with utmost care. We do not share production data in development environments.