Security Specifications

Allma treats security and reliability as two core pillars of building an effective and trustworthy software product for other companies. Our team is composed of senior engineers who have worked in highly regulated and security-sensitive environments such as health care and cloud security and compliance technology. We've leveraged that experience to develop our philosophy, which is simply to never compromise on security for the sake of the product, speed, or any other ephemeral short-term gain.

MFA

Allma requires all employees to use multi-factor authentication to interact with all Allma 1st or 3rd party accounts, services, applications, systems, or data.

Infrastructure & Network-level Security

Allma hosts all of our cloud applications on AWS and follows AWS best practices for building a secure environment. Within our VPC, infrastructure services that hold customer data run in private subnets and user-facing applications run in public subnets, with strict ACLs between the layers ensuring that only specific applications can reach the layers containing data.

Secrets Management

Allma uses both AWS SSM and AWS Secrets Manager to hold application secrets, database credentials, encryption keys, and other sensitive data, separately from both our application code and our hosted databases. Our AWS server instances retrieve these secrets as needed via IAM roles attached to the tasks running our application containers.

Data Storage & Encryption

Our databases in AWS are encrypted at rest. In addition, we identify data we deem sensitive for our customers and encrypt it at the record/row/column level within our databases. Our application encrypts and decrypts this data dynamically when writing to and reading from the database; the encryption keys are stored separately in AWS Secrets Manager and rotated automatically every 90 days. The types of data we elect to protect in this way on behalf of our customers include, but are not limited to:

  1. Chat messages collected from communications platforms like Slack, Zoom, etc.
  2. Access tokens that provide access on behalf of a customer to external services via integrations, like Slack, PagerDuty, etc.

As a policy, any data that could be damaging to a customer if exposed is encrypted and stored with these extra precautions.
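The two sections above describe application-level field encryption with keys held in Secrets Manager and rotated every 90 days. The practical requirement behind that design is that a row written before a rotation must still decrypt afterwards, which means each stored value has to record which key version protected it and the previous version has to be retained for reads until every row has been re-encrypted. The following Go program is an added illustration of that pattern and is not Allma's code: it assumes a secret whose JSON value carries a current version and a map of versioned AES-256 keys, uses AES-GCM with the key version bound as additional data, and replaces the Secrets Manager fetch with a constructed sample secret so it runs offline.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"strings"
)

// KeyRing holds versioned field-encryption keys. In production the JSON would be the
// SecretString the task's IAM role fetches from Secrets Manager (assumed layout).
type KeyRing struct {
	Current string            // version used for new writes
	Keys    map[string][]byte // version -> 32-byte AES-256 key
}

// LoadKeyRing parses {"current":"v2","keys":{"v1":"<b64>","v2":"<b64>"}}.
func LoadKeyRing(secretJSON string) (*KeyRing, error) {
	var raw struct {
		Current string            `json:"current"`
		Keys    map[string]string `json:"keys"`
	}
	if err := json.Unmarshal([]byte(secretJSON), &raw); err != nil {
		return nil, err
	}
	kr := &KeyRing{Current: raw.Current, Keys: map[string][]byte{}}
	for ver, b64 := range raw.Keys {
		k, err := base64.StdEncoding.DecodeString(b64)
		if err != nil || len(k) != 32 {
			return nil, fmt.Errorf("key %s: need 32 base64-encoded bytes", ver)
		}
		kr.Keys[ver] = k
	}
	if _, ok := kr.Keys[kr.Current]; !ok {
		return nil, errors.New("current key version missing from key set")
	}
	return kr, nil
}

// EncryptField protects one column value with the current key and returns
// "<version>:<base64(nonce||ciphertext||tag)>", so the row records its key version.
func (kr *KeyRing) EncryptField(plaintext string) (string, error) {
	aead, err := newGCM(kr.Keys[kr.Current])
	if err != nil {
		return "", err
	}
	nonce := make([]byte, aead.NonceSize()) // fresh random nonce per value
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	// The version is bound as additional data, so a stored value cannot be
	// relabelled with another version without failing authentication.
	sealed := aead.Seal(nonce, nonce, []byte(plaintext), []byte(kr.Current))
	return kr.Current + ":" + base64.StdEncoding.EncodeToString(sealed), nil
}

// DecryptField selects the key by the version recorded in the stored value, so
// rows written before a rotation stay readable until that version is retired.
func (kr *KeyRing) DecryptField(stored string) (string, error) {
	ver, b64, ok := strings.Cut(stored, ":")
	if !ok {
		return "", errors.New("stored value has no key version prefix")
	}
	key, ok := kr.Keys[ver]
	sealed, err := base64.StdEncoding.DecodeString(b64)
	if !ok || err != nil {
		return "", fmt.Errorf("key version %q unavailable or bad encoding", ver)
	}
	aead, err := newGCM(key)
	if err != nil || len(sealed) < aead.NonceSize() {
		return "", errors.New("bad key or ciphertext too short")
	}
	nonce, ct := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	pt, err := aead.Open(nil, nonce, ct, []byte(ver))
	if err != nil {
		return "", fmt.Errorf("authentication failed: %w", err)
	}
	return string(pt), nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SampleSecret is a constructed stand-in for the Secrets Manager value after one
// rotation: v1 retained for reads, v2 current. The keys are fixed test bytes.
func SampleSecret() string {
	key := func(fill string) string {
		return base64.StdEncoding.EncodeToString([]byte(strings.Repeat(fill, 32)))
	}
	return fmt.Sprintf(`{"current":"v2","keys":{"v1":%q,"v2":%q}}`, key("\x01"), key("\x02"))
}
```

To exercise it, load the sample secret, encrypt a value with a KeyRing whose Current is "v1" (a row written before the rotation), and decrypt it with the loaded ring whose Current is "v2": the old row still reads, new writes carry the "v2:" prefix, and once "v1" is deleted from Keys the old row is no longer decryptable, which is the point at which a re-encryption pass must already have run.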

Allma Processor Data

As a data processor rather than a controller, Allma manages the following data:

  1. Slack chat messages, emoji reactions, and attachments posted exclusively in incident management channels created by the Allma application.
    1. Messages are encrypted at the row/record level in our database and cannot be read with database access alone.
    2. Attachments are not downloaded and re-stored; they remain protected by the same ACLs Slack and its CDN apply.
  2. Services and alerts from external alerting providers such as PagerDuty.

Slack OAuth Scopes

Scopes & Purposes

Scope | Description | Purpose
--- | --- | ---
app_mentions:read | View messages that directly mention @allma in conversations that the app is in | Enable conversational interfaces & chat ops commands when users interact with Allma
channels:history | View messages and other content in public channels that Allma has been added to | Ingest of messages for incident channels
channels:join | Join public channels in a workspace | Joining of incident channels and channels which are configured to receive notifications
channels:manage | Manage public channels that Allma has been added to and create new ones | Creation of incident channels
channels:read | View basic information about public channels in a workspace | Allowing a selection of channels for receiving incident notifications
chat:write | Send messages as @allma | Posting messages to Slack
chat:write.customize | Send messages as @allma with a customized username and avatar | Posting messages to Slack
commands | Add shortcuts and/or slash commands that people can use | Enabling use of slash commands and shortcuts to interact with Allma
emoji:read | View custom emoji in a workspace | Reading custom emoji for processing when displaying incident timelines and transcripts in web app
files:read | View files shared in channels and conversations that Allma has been added to | Storing references to graphs or artifacts related to an incident posted in an incident channel
files:write | Upload, edit, and delete files as Allma | For posting rendered images of graphs for incident and alerting history
groups:history | View messages and other content in private channels that Allma has been added to | Ingest of messages for private incident channels
groups:read | View basic information about private channels that Allma has been added to | Allowing a selection of channels for receiving incident notifications
im:history | View messages and other content in direct messages that Allma has been added to | Allowing users to directly interact with the app via DM
im:read | View basic information about direct messages that Allma has been added to | Allowing users to directly interact with the app via DM
im:write | Start direct messages with people | Allowing users to directly interact with the app via DM, sending notifications to individuals on Slack
links:read | View allma.dev and allma.io URLs in messages | For capturing links to Allma web app pages and providing actions in app
links:write | Show previews of allma.dev and allma.io URLs in messages | For capturing links to Allma web app pages and providing actions in app
pins:read | View pinned content in channels and conversations that Allma has been added to | For storing what messages are pinned in incident channels to expose via the web app and timeline editor
reactions:read | View emoji reactions and their associated content in channels and conversations that Allma has been added to | Ingest of reactions for incident channels and timeline entry building
reactions:write | Add and edit emoji reactions | For using emoji reactions as a way to confirm the app added a message to the incident timeline
team:read | View the name, email domain, and icon for workspaces Allma is connected to | For displaying workspace information when logged in via Allma web app
users.profile:read | View profile details about people in a workspace | For collecting avatars and names to display when referencing users in the Allma app
users:read | View people in a workspace | For collecting avatars and names to display when referencing users in the Allma app
users:read.email | View email addresses of people in a workspace | For communicating to users with transactional communications they opted into related to incidents occurring in the workspace
users:write | Set presence for Allma | For allowing the bot to set their presence when active incidents are occurring in the workspace
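A published scope list is only useful if the token actually installed in a workspace carries exactly those scopes. The Go check below is an added example, not Allma's code: DocumentedScopes is copied from the table above, and ScopeDrift compares it with the comma-separated scope string that Slack returns alongside a bot token when an install completes (whatever string an install flow stored is the assumed input). Scopes granted but not documented are privilege beyond what the page claims and deserve an access review; documented scopes that were not granted point to a feature that will fail at runtime.

```go
package main

import (
	"sort"
	"strings"
)

// DocumentedScopes is the bot-token scope list published on this page.
var DocumentedScopes = []string{
	"app_mentions:read", "channels:history", "channels:join", "channels:manage",
	"channels:read", "chat:write", "chat:write.customize", "commands", "emoji:read",
	"files:read", "files:write", "groups:history", "groups:read", "im:history",
	"im:read", "im:write", "links:read", "links:write", "pins:read",
	"reactions:read", "reactions:write", "team:read", "users.profile:read",
	"users:read", "users:read.email", "users:write",
}

// ParseScopes splits a comma-separated scope string, trimming whitespace and
// dropping empty entries so "a, b,,c" and "a,b,c" compare equal.
func ParseScopes(granted string) []string {
	var out []string
	for _, s := range strings.Split(granted, ",") {
		if s = strings.TrimSpace(s); s != "" {
			out = append(out, s)
		}
	}
	return out
}

// ScopeDrift returns the granted scopes absent from the documented list (extra)
// and the documented scopes absent from the grant (missing), both sorted.
func ScopeDrift(granted string, documented []string) (extra, missing []string) {
	have := map[string]bool{}
	for _, s := range ParseScopes(granted) {
		have[s] = true
	}
	want := map[string]bool{}
	for _, s := range documented {
		want[s] = true
		if !have[s] {
			missing = append(missing, s)
		}
	}
	for s := range have {
		if !want[s] {
			extra = append(extra, s)
		}
	}
	sort.Strings(extra)
	sort.Strings(missing)
	return extra, missing
}
```

Running ScopeDrift on each stored install at a fixed interval, and alerting whenever extra is non-empty, turns the table above from a statement of intent into a check that holds as the app evolves.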

Data Subprocessors

A list of third-party processors that receive customer data from the Allma technology platform.

  1. Segment (Product analytics)
  2. Heap (Product analytics)
  3. Amazon Web Services (Hosting provider)
  4. Datadog (Applications logs + monitoring)
  5. Postmark (Transactional email)
  6. Cloudflare (Content delivery network)