Security specifications

Praise is committed to being a secure and reliable service that other companies can trust. Our founding team is composed of senior engineers who have worked in highly regulated environments like cloud security and gaming compliance technology. Put simply: we refuse to compromise on security in favor of achieving greater velocity in how we build our product.

Internal security practices

MFA

Praise requires all employees to utilize multi-factor authentication to interact with all 1st or 3rd party accounts, applications, systems, or data.

Infrastructure and network security

Praise hosts the entirety of its software and services on Amazon Web Services (AWS). Within AWS, we use best practices including isolated network layers for application and data. Between these layers, we utilize ACLs and security groups to ensure each system can only access the exact minimum set of network assets it needs to perform its tasks.

Data security

We store all secrets (database credentials, API keys, sensitive data) encrypted in AWS Secrets Manager and use IAM roles to authorize specific services to access them. We encrypt all of our user data at rest, and take extra precautions to also encrypt OAuth tokens at the database column level. The application decrypts these secrets in real time when it needs to access a third-party service such as Slack.

Backup and disaster recovery

Praise utilizes geographically distributed environments to ensure data availability and uptime. In the unlikely event of simultaneous failure of both environments, Praise maintains daily backups, ensuring no data loss beyond a 24-hour window.

Data controllers and processors

Controller data

As a data controller, Praise is the primary owner of the following pieces of customer data.

| Data | Purpose |
| --- | --- |
| User real names and addresses | For shipping physical rewards via post |

Processor data

As a data processor, Praise retains copies of the following pieces of customer data from external systems.

| Data | Source system(s) |
| --- | --- |
| User meta information including name, email, job title, and avatar image | Slack, G-Suite, MS Teams, Discord |
| Workspace meta information, including name and avatar image | Slack, MS Teams, Discord |
| OAuth access tokens | Slack, G-Suite, MS Teams, Discord |

Data sub-processors

The following are all third parties that receive customer data from Praise.

| Sub-processor | Purpose | Location |
| --- | --- | --- |
| Heap | Product analytics | USA |
| Amazon Web Services (AWS) | Cloud hosting provider | USA |
| Cloudflare | Content delivery network | USA |
| Datadog | Application monitoring | USA |
| Postmark | Transactional email | USA |
| Hubspot | Customer relationship management | USA |
| Stripe | Payment processor | USA |

Third party application access

Slack OAuth scopes

| Scope | Description | Purpose |
| --- | --- | --- |
| channels:manage | Manage public channels that Praise has been added to and create new ones | Praise creates two channels upon installation to notify members when recognition occurs in a channel they aren't a member of, as well as a place for admins to receive new order notifications |
| channels:read | View basic information about public channels in a workspace | Praise uses this to read channels during installation to make sure we don't try to create a channel that already exists, if the app is being re-installed |
| channels:join | Manage public channels that your Slack app has been added to and create new ones | Praise creates two channels upon installation to notify members when recognition occurs in a channel they aren't a member of, as well as a place for admins to receive new order notifications. Praise also joins a public channel if you select it as a target for these notifications |
| chat:write | Send messages as @praise | Praise posts a message when a member recognizes another member |
| chat:write.customize | Send messages as @praise with a customized username and avatar | Praise posts a message when a member recognizes another member, and has the ability to mask itself as an internal company benefit rather than an independent app |
| chat:write.public | Send messages to channels @praise isn't a member of | Praise posts a message when a member recognizes another member, regardless of whether the bot has been invited to the specific channel |
| commands | Add shortcuts and/or slash commands that people can use | Praise uses slash commands as a primary interface for interacting with it |
| groups:read | View basic information about private channels that Praise has been added to | Praise uses this to read channels during installation to make sure we don't try to create a channel that already exists |
| groups:write | Manage private channels that Praise has been added to and create new ones | Praise creates a private channel upon installation to optionally notify admins when they receive new order notifications |
| im:write | Start direct messages with people | Praise sends DMs to individuals when they receive praise from others that has been marked as "silent" |
| links:read | View praise.fun URLs in messages | Praise unfurls its own URLs with a custom message |
| links:write | Show previews of URLs in messages | Praise unfurls its own URLs with a custom message |
| team:read | View the name, email domain, and icon for workspaces Praise is connected to | Praise uses metadata from the workspace for displaying the workspace name and avatar inside of its web interface |
| users.profile:read | View profile details about people in a workspace | Praise uses metadata from users when creating a new user record based on information from an external system user record |
| users:read | View people in a workspace | Praise uses the list of users to create internal user records based on information from external system user records and help perform billing calculations requiring total active user count |
| users:read.email | View email addresses of people in a workspace | Praise uses the email of users to send transactional emails upon confirmation of them purchasing a reward from the built-in store |