Praise is committed to being a secure and reliable service that other companies can trust. Our founding team is composed of senior engineers who have worked in highly regulated environments like cloud security and gaming compliance technology. Put simply: we refuse to compromise on security in favor of achieving greater velocity in how we build our product.
Internal security practices
Praise requires all employees to use multi-factor authentication to interact with all first- or third-party accounts, applications, systems, or data.
Infrastructure and network security
Praise hosts the entirety of its software and services on Amazon Web Services (AWS). Within AWS, we use best practices including isolated network layers for application and data. Between these layers, we use ACLs and security groups to ensure each system can only access the exact minimum set of network assets it needs to perform its tasks.
We store all secrets (database credentials, API keys, sensitive data) encrypted in AWS Secrets Manager and use IAM roles to authorize specific services to access them. We encrypt all of our user data at rest, and take extra precautions to also encrypt OAuth tokens at the database column level. The application decrypts these secrets in real time when it needs to access a third-party service such as Slack.
Backup and disaster recovery
Praise uses geographically distributed environments to ensure data availability and uptime. In the unlikely event of simultaneous failure of both environments, Praise maintains daily backups, ensuring no data loss beyond a 24-hour window.
Data controllers and processors
As a data controller, Praise is the primary owner of the following pieces of customer data.
| Data | Purpose |
|---|---|
| User real names and addresses | For shipping physical rewards via post |
As a data processor, Praise retains copies of the following pieces of customer data from external systems.
| Data | External systems |
|---|---|
| User meta information including name, email, job title, and avatar image | Slack, G-Suite, MS Teams, Discord |
| Workspace meta information, including name and avatar image | Slack, MS Teams, Discord |
| OAuth access tokens | Slack, G-Suite, MS Teams, Discord |
All third parties that receive customer data from Praise
| Third party | Service | Location |
|---|---|---|
| Amazon Web Services (AWS) | Cloud hosting provider | USA |
| Cloudflare | Content delivery network | USA |
| Hubspot | Customer relationship management | USA |
Third party application access
Slack OAuth scopes
| Scope | Description | How Praise uses it |
|---|---|---|
| channels:manage | Manage public channels that Praise has been added to and create new ones | Praise creates two channels upon installation to notify members when recognition occurs in a channel they aren't a member of, as well as a place for admins to receive new order notifications |
| channels:read | View basic information about public channels in a workspace | Praise uses this to read channels during installation to make sure we don't try to create a channel that already exists, if the app is being re-installed |
| channels:join | Manage public channels that your Slack app has been added to and create new ones | Praise creates two channels upon installation to notify members when recognition occurs in a channel they aren't a member of, as well as a place for admins to receive new order notifications. Praise also joins a public channel if you select it as a target for these notifications |
| chat:write | Send messages as @praise | Praise posts a message when a member recognizes another member |
| chat:write.customize | Send messages as @praise with a customized username and avatar | Praise posts a message when a member recognizes another member, and has the ability to mask itself as an internal company benefit rather than an independent app |
| chat:write.public | Send messages to channels @praise isn't a member of | Praise posts a message when a member recognizes another member, regardless of whether the bot has been invited to the specific channel |
| commands | Add shortcuts and/or slash commands that people can use | Praise uses slash commands as a primary interface for interacting with it |
| groups:read | View basic information about private channels that Praise has been added to | Praise uses this to read channels during installation to make sure we don't try to create a channel that already exists |
| groups:write | Manage private channels that Praise has been added to and create new ones | Praise creates a private channel upon installation to optionally notify admins when they receive new order notifications |
| im:write | Start direct messages with people | Praise sends DMs to individuals when they receive praise from others that has been marked as "silent" |
| links:read | View praise.fun URLs in messages | Praise unfurls its own URLs with a custom message |
| links:write | Show previews of URLs in messages | Praise unfurls its own URLs with a custom message |
| team:read | View the name, email domain, and icon for workspaces Praise is connected to | Praise uses metadata from the workspace for displaying the workspace name and avatar inside of its web interface |
| users.profile:read | View profile details about people in a workspace | Praise uses metadata from users when creating a new user record based on information from an external system user record |
| users:read | View people in a workspace | Praise uses the list of users to create internal user records based on information from external system user records and help perform billing calculations requiring total active user count |
| users:read.email | View email addresses of people in a workspace | Praise uses the email of users to send transactional emails upon confirmation of them purchasing a reward from the built-in store |