Jellyfish Security HQ

Jellyfish is committed to being a responsible and secure software product. Please see below for a detailed overview of our security policies, and also be aware that you can email us at security@jellyfish.chat

Last Update: 22nd October 2018.

Q.What oAuth permissions do we require?

A.

  • We use “Sign in with Slack” OAuth login to authenticate users using our web UI.
  • We add a /jellyfish command to your Slack workspace, this is the entry point to using Jellyfish within slack.
  • We create a bot user within your Slack workspace, the bot user is used to post Jellyfish sessions, questions, comments and votes to the requested slack channel. This bot user does not and can not read any content in Slack channels other than the messages it creates on behalf of users when they interact with our service. It can not view or post in private channels unless it is explicitly invited into that channel as a normal user would be. Unlike a normal user this bot can not read content in the channel other than the messages it posts.
  • We use this permission so we know details about your organization such as its name & icon.
  • If (and only if) a user of your organization signs into our web UI via Slack OAuth, they are asked to grant us permission to use their name, avatar & email (used for transactional messages/billing etc), emails are never sold or given to any 3rd parties. If a user denies access to these permissions they can continue to use and interact with the app within Slack only.
    • Here is a sample user data dump showing all user data we hold when they interact with the app.
    • Note: if a user does not ever sign into our web UI or does not grant us OAuth permissions and they choose to interact with the app via Slack only, the Slack Install OAuth permission 4) above will give us the same data on a user as outlined above MINUS their email.
    • As authentication into our app uses Slack OAuth our service does not store any passwords or PII data other than what is outlined above.

Q.What other Slack data does Jellyfish access?

A.

We access no other data from your organization or it’s users other than what they contribute when interacting with the Jellyfish service. Jellyfish data includes:

  • Sessions
  • Questions
  • Comments
  • Votes

Q.What tools does Jellyfish use?

A.

Like all modern software services we use analytic tools to measure usage and to improve our service. The tools and their usage are outlined in our privacy policies and terms of service linked below.

Q.How is our data secured?

A.

All our systems are built using Heroku services, Heroku’s physical infrastructure is hosted and managed within Amazon’s secure data centers and utilize the Amazon Web Service (AWS) technology.

Amazon continually manages risk and undergoes recurring assessments to ensure compliance with industry standards. Amazon’s data center operations have been accredited under:

  • ISO 27001
  • SOC 1 and SOC 2/SSAE 16/ISAE 3402 (Previously SAS 70 Type II)
  • PCI Level 1
  • FISMA Moderate
  • Sarbanes-Oxley (SOX)

Heroku’s Security Policies: https://www.heroku.com/policy/security

Amazon AWS Security Policies: https://aws.amazon.com/security

In addition to the above, our service also uses Cloudflare Security Services to protect and secure our websites, applications and APIs against denial-of-service attacks, customer data compromise, abusive bots and OWASP identified vulnerabilities.

CloudFlare Security: https://www.cloudflare.com/security/

We utilize Cloudflare’s paid services such as Web Application Firewall (WAF) which prevents against OWASP vulnerabilities such as

  • Injection
  • Broken Authentication and Session Management
  • Sensitive Data Exposure
  • XML External Entities (XXE)
  • Broken Access Control
  • Security Misconfiguration
  • Cross-Site Scripting (XSS)
  • Insecure Deserialization
  • Using Components with Known Vulnerabilities
  • Insufficient Logging & Monitoring
  • plus many more… ref: https://www.cloudflare.com/waf/

All data is stored in AWS, access to this data is restricted to engineers and accessed over SSL. Non-Engineering staff are unable to access any backend systems directly, only via ACL protected user interfaces.

All communication from/to our service and Slack’s APIs are secured over SSL.

We do not store or process any payment information ourselves, we use Chargebee, a PCI-DSS Level 1 Service Provider.

Chargebee Security & Certifications: https://www.chargebee.com/security/

Q.What if I uninstall the Jellyfish Slack app?

A.

You will invalidate the access token we are granted at the time of install. Invalidated tokens will prevent us from being able to interact with your Slack workspace, to use the Jellyfish service again you will need to re-install our service.

We will delete all data we have for your organization by request only.

Email us security@jellyfish.chat for deletion requests.

Q.What if a user in my organization wants their data removed?

A.

We will remove any data a user wishes to have removed.

Email us security@jellyfish.chat for deletion requests.

Q.Can I export my data?

A.

Data export is an enterprise feature of our service, we can provide this if you are on an enterprise plan. If you are on a trial or free version of the service we will only accept deletion requests. Note: Data export will include anonymous questions and anonymous comments but it will not include user attribution. Anonymous features are anonymous. If this is of concern disallow anonymous questions and/or add moderation when hosting Jellyfish sessions. Refer to https://help.jellyfish.chat for more details.

Q.Data Breaches

A.

If we are victim to a data breach we will notify the affected organizations as soon as possible.

Q.Penetration Testing

A.

We pen-test our app using an external service from time to time, we can share the latest results if needed, an NDA may be required depending on the circumstances. Email us security@jellyfish.chat to request the report.

Q.DNS

A.

To help reduce spoofing attacks we utilize secure DNS (DNSSEC)

Q.Uptime

A.

Our uptime is monitored by an external service and can be viewed here https://status.jellyfish.chat

Q.Policy Changes

A.

This document will be updated when our policies change. Any further questions please contact us anytime security@jellyfish.chat