Security at Happybara

At Happybara, we know that security and reliability are critical for teams that trust our Slack apps — Nightowl, Channitor, Proper, and Streamly — in their daily workflows. We're a small, focused team of founders, and we take protecting your data seriously.

App Store reference

• Nightowl - Security | Slack Marketplace
• Channitor - Security | Slack Marketplace
• Proper - Security | Slack Marketplace
• Streamly - Security | Slack Marketplace

Quick Links

• Data Security Policy
• Data Processing Addendum
• Subprocessors
• FAQ

General Security Practices

• Access to servers, datastores, source code, and third-party tools is secured with strong non-SMS two-factor authentication (2FA) via TOTP apps.
• All personnel use strong, randomly-generated passwords that are unique and never reused. Our password policy is detailed here.
• Dependency vulnerabilities are continuously monitored through automated tools. We rapidly patch and deploy updates when issues are detected. Many of our services are serverless, so the underlying infrastructure security is handled by AWS.
• All changes to our codebase go through peer review and internal testing processes to minimize risks and regressions.
• We have a small team who all have skin in the game to make Happybara the best it can be. No external contractors have access to any production systems, and are only contracted for non-critical business domains, such as design work.
• All team members have gone through basic security training suited to their role, including training on secure handling of Slack OAuth flows, data encryption, dependency management, and secure development best practices.

Infrastructure

• Our services are hosted directly on Amazon Web Services (AWS), leveraging their world-class physical and network security practices.
• Our servers are located in AWS's us-west-2 (Oregon, USA) region.
• All production data is encrypted at rest using AES-256 encryption standards.
• Backups are taken via point-in-time snapshots and retained for 35 days, encrypted at rest.

Authentication & Authorization

• Users authenticate through Slack's secure OAuth 2.0 flow.
• We validate all incoming requests to ensure they originate from Slack's infrastructure.
• OAuth tokens and sensitive secrets are encrypted at rest.
• Our access control policies and details on user permissions are documented in our Data Security Policy.

Encryption

• All communication between customers, Slack, and Happybara’s backend services is protected with industry-standard TLS encryption (HTTPS) in transit.
• We encrypt all data at rest using AES-256 across our services. Keys are securely managed with AWS.
• As a policy, we avoid handling sensitive personal data whenever possible to further minimize exposure risks.

Payments

• All payment processing is handled by Stripe, a PCI-DSS certified payment provider.
• Happybara does not store or process any credit card or bank information directly. All payment data is handled securely through tokenized references via Stripe. Full details are available on Stripe's security page.

Backups & Disaster Recovery

• Production databases are backed up continuously and stored with point-in-time recovery for 35 days.
• Backups are encrypted using AES-256 encryption and stored within AWS’s secure infrastructure.

High Availability & Resilience

Our infrastructure is built with high availability in mind, often opting to use serverless patterns. Thanks in part to AWS, we've never had a major incident preventing our apps from functioning.

Monitoring & Incident Response

• We have real-time monitoring and alerting systems in place.
• Our team is automatically alerted to major outages, crashes, or unusual behavior to ensure prompt resolution and minimal disruption.

Vendors

We carefully select only a small number of vendors who have high security standards and help us deliver better software for our customers. Please see the Subprocessors document for more detail.

Legal Compliance

Happybara strives to align with relevant privacy and data protection laws such as GDPR and CCPA. While we are not formally certified at this time, we honor user rights around data access, correction, and deletion, and we maintain strong technical and organizational security measures.

Compliance

We currently do not maintain formal security certifications (e.g., SOC 2, ISO 27001), though we aim to operate in a manner that would let us apply & receive them without significant changes to our company processes. We would like to someday add them. If you require those certifications, please reach out to us at support@happybara.io and we can discuss.

FAQs

What user data do you collect?

We minimize data collection whenever possible, as have no interest in storing data that could cause us or our customers issues. We only store information necessary to provide and improve our services. Details about our data practices are available in our Data Processing Addendum and Data Security Policy.

To give an example in layman's terms: for Channitor we store the Slack Channel IDs for channels, counts of number of channels & users to show the C/U ratio, Channitor app settings, and the timestamp of the newest message in a channel so we can calculate whether it's over threshold.

How long is data retained and can it be deleted?

Please refer to our Data Processing Addendum for information on data retention and deletion policies.

What Slack permissions do your apps request?

Our apps (Nightowl, Channitor, Proper, Streamly) request only the minimum necessary permissions to function properly. We clearly explain requested scopes during the Slack OAuth install process, and you can always review or revoke installed apps through your Slack workspace settings.

OAuth Scopes: Why does your app have im:history/write scopes?

Our apps use those scopes to interact with users in the Messages Tab of App Home, when users interact directly with the bot. That's also how we are able to send messages notifying the user of results of their actions, like "your message was scheduled" or "scan has completed".

Do you perform vulnerability audits or penetration testing?

We have completed an external security audit in coordination with Slack's Security team in Dec 2023.

Will you fill out our security questionnaire?

Due to our small team size, we generally do not fill out custom security questionnaires. We maintain this public security page to proactively answer common security-related questions. However, for certain strategic opportunities, we may make exceptions. Please reach out to discuss at support@happybara.io.

If a question is not answered on this page or in the docs from "Quick Links" section, let us know and we can add it.

Can you sign a DPA (Data Processing Addendum)?

We already provide a standard Data Processing Addendum that governs our handling of any personal data. If your organization requires a signed copy, please contact support@happybara.io.

Do you support Single Sign-On (SSO)?

Since all authentication is handled through Slack’s OAuth system, we automatically benefit from any SSO settings your Slack workspace enforces.

How do I report a vulnerability or security concern?

We do not have a bug-bounty program in place, but if you believe you have found a security vulnerability or concern, please contact us at support@happybara.io.
We encourage responsible disclosure and will respond promptly, though we do ask researchers give us a reasonable time to investigate and address findings. We believe in the positives of responsible disclosure and will respect researchers who treat us & our systems with respect.