What authentication does Jolly use?
Jolly is built on top of Slack's OAuth2 protocol and gains access to your Slack workspace only through that protocol. Please visit https://oauth.net/2 to learn more about OAuth2 and https://api.slack.com/authentication/oauth-v2 to learn more about Slack's OAuth2 protocol.
How are requests from Slack authenticated?
Every time you or your team member clicks "Set my birthday" or has any interaction with Jolly, Slack sends an HTTP request to Jolly's servers. Those requests are verified to make sure they are actually coming from Slack, and each request contains a specific token that identifies your workspace. Read more: https://api.slack.com/authentication/verifying-requests-from-slack
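The verification step described above, as an added example that is not Jolly's own code: it follows the signing-secret scheme documented at the Slack link (HMAC-SHA256 over `v0:<timestamp>:<body>`, compared against the `X-Slack-Signature` header, with a five-minute freshness window). The function names, the plain-dict header lookup and the sample secret and payload are assumptions constructed for illustration.

```python
import hashlib
import hmac
import time

# Freshness window; Slack's documentation suggests five minutes.
MAX_SKEW_SECONDS = 60 * 5


def slack_signature(signing_secret: str, timestamp: str, body: bytes) -> str:
    """Compute the v0 signature: HMAC-SHA256 over b'v0:<timestamp>:<raw body>'."""
    base = b"v0:" + timestamp.encode() + b":" + body
    digest = hmac.new(signing_secret.encode(), base, hashlib.sha256).hexdigest()
    return "v0=" + digest


def verify_slack_request(signing_secret: str, headers: dict, body: bytes, now=None) -> bool:
    """Return True only if the request is fresh and its signature matches.

    `headers` is assumed to be a plain dict keyed by Slack's header names;
    `body` must be the raw request bytes, before any parsing.
    """
    now = time.time() if now is None else now
    timestamp = headers.get("X-Slack-Request-Timestamp", "")
    received = headers.get("X-Slack-Signature", "")
    if not received:
        return False
    try:
        sent_at = int(timestamp)
    except ValueError:
        return False
    # A captured request replayed outside the window is rejected
    # even though its signature is still valid.
    if abs(now - sent_at) > MAX_SKEW_SECONDS:
        return False
    expected = slack_signature(signing_secret, timestamp, body)
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(expected.encode(), received.encode())


if __name__ == "__main__":
    secret = "constructed-signing-secret"           # constructed sample value
    body = b"payload=%7B%22type%22%3A%22block_actions%22%7D"  # constructed
    ts = str(int(time.time()))
    hdrs = {"X-Slack-Request-Timestamp": ts,
            "X-Slack-Signature": slack_signature(secret, ts, body)}
    print("genuine request :", verify_slack_request(secret, hdrs, body))
    print("tampered body   :", verify_slack_request(secret, hdrs, body + b"x"))
```

The signature must be computed over the raw body bytes; verifying after a framework has parsed and re-serialized the payload produces mismatches on genuine requests.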
Visiting Jolly via the browser
Managing your workspace's billing settings, manually managing your Jolly users and onboarding Jolly into your workspace are all performed via the web browser.
Visiting Jolly via the web browser will prompt you to sign in with your Slack account. The sign-in flow is built on top of Slack's OpenID Connect protocol to gain access to your Slack user account. Please visit https://openid.net/developers/how-connect-works/ to learn more about OpenID Connect and https://api.slack.com/authentication/sign-in-with-slack to learn more about Slack's OpenID Connect protocol.
Access to Jolly webpages is restricted to HTTPS-encrypted connections with TLS 1.2 and higher.
Where is Jolly data stored?
Jolly's database is hosted and managed within Amazon's secure data centers and utilizes Amazon Web Services (AWS). Amazon continually manages risk and undergoes recurring assessments to ensure compliance with industry standards. Amazon's data center operations have been accredited under:
- ISO 27001
- SOC 1 and SOC 2/SSAE 16/ISAE 3402 (Previously SAS 70 Type II)
- PCI Level 1
- FISMA Moderate
- Sarbanes-Oxley (SOX)
Can Jolly read messages? What permissions does it have?
No, Jolly cannot read any messages sent in public or private channels or in direct messages between users. Jolly can only read messages that are sent directly to it via the "Messages" tab in Jolly's App Home.
Permissions that Jolly has in your workspace are:
- users.profile:read, users:read, users:read.email — To be able to read user info
- team:read — To be able to view the workspace details
- channels:read — To be able to view the list of public channels
- groups:read — To be able to view the list of private channels
- channels:join — To be able to join the Slack channel to send celebration messages
- chat:write — To be able to send messages to public Slack channels
- im:history — To be able to interact with the user in the App Home
What data does Jolly collect? (apart from birthdays & work anniversaries)
On our own servers and databases, Jolly collects the following information about your Slack workspace and your Slack users:
Your workspace's name, unique Slack ID and avatar URL
This data is only used to display name and avatar when onboarding, managing billing settings and managing users for easier identification. We may also occasionally reach out to you to ask for your feedback about Jolly.
Authorization token for your workspace
We need to interact with the Slack API on behalf of your workspace, send data to your Slack workspace, send celebrations, etc. This token is provided to us by Slack upon installation and is encrypted at rest using AES-256 encryption.
User's names, avatar, unique Slack ID and email address
Both name and email are encrypted at rest using AES-256 encryption. We collect them so that we can offer a better experience for our customers — for importing birthdays/anniversaries from a file, for integrating with HRIS systems, etc.
Request logs
Every time somebody from your workspace interacts with Jolly, sends it a message, or when Jolly interacts back with your workspace, we store that interaction. However, this is only done so we can investigate potential errors. We encrypt every request payload and every response from the Slack API at rest using AES-256 encryption.
All logs are completely removed from our database after a week.
Invoices
Even though our complete payment system is handled by Paddle, we store all past invoices for your workspace. For legal purposes, we need to store them even if you remove your Jolly account.