Security

Since Jolly is directly plugged into your Slack workspace and gains access to the list of users and their birthdays, you may have some concerns regarding the security of Jolly.

What authentication does Jolly use?

Jolly is built on top of Slack's OAuth2 protocol and gains access to your Slack workspace only by that protocol. Please visit https://oauth.net/2 to learn more about OAuth2 and https://api.slack.com/authentication/oauth-v2 to learn more about Slack's OAuth2 protocol.

How are your requests authenticated?

Every time your team member clicks "Set my birthday" or has any interaction with Jolly, Slack sends an HTTP request to Jolly's servers. Those requests are verified to make sure they are actually coming from Slack, and each request contains a specific token that identifies your workspace. Read more: https://api.slack.com/authentication/verifying-requests-from-slack

Visiting Jolly settings via the browser

Managing your workspace's billing settings, manually managing your Jolly users and onboarding Jolly into your workspace is all performed via the web browser. You may notice that URLs when performing these actions are very long and cryptic. This is done intentionally, because Jolly generates a random, unique identifier for every workspace. When visiting a webpage to manage your Jolly billing, you need to provide that randomly generated identifier for your workspace. URLs are encrypted, so even if you know somebody else's identifier, you will need to provide the encrypted version of the URL identifier to gain access. Jolly decrypts the URL and locates the workspace by the decrypted identifier.

These URL identifiers are rotated every week for every workspace in Jolly.

For every public URL that Jolly uses, we attach a "X-Robots-Tag: noindex" header to the response to make sure those webpages are never indexed by search engines.

For your own security, please inform your workspace admins to never send these URLs to anyone.

Access to Jolly webpages is restricted to HTTPS-encrypted connections.

Where is Jolly data stored?

Jolly's database is hosted and managed within Amazon's secure data centers and utilize the Amazon Web Service (AWS). Amazon continually manages risk and undergoes recurring assessments to ensure compliance with industry standards. Amazon's data center operations have been accredited under:

Can Jolly read messages? What permissions does it have?

No, Jolly cannot read any messages sent in any public nor private channels or direct messages between users. Jolly can only read messages that are directly sent to it via the "Messages" tab in the Jolly's App Home.

Permssions that Jolly has in your workspace are:

What data does Jolly collect? (apart from birthdays & work anniversaries)

On our own servers and databases, Jolly collects the following information about your Slack workspace and your Slack users:

Your workspace's name, unique Slack ID and avatar URL

This data is only used to display name and avatar when onboarding, managing billing settings and managing users for easier identification. We may also occasionally reach out to you to ask for your feedback about Jolly.

Authorization token for your workspace

We need to interact with Slack API on behalf of your workspace, send data to your Slack workspace, send celebrations, etc. This token is provided to us by Slack upon installation and encrypted at rest using AES-256 encryption.

User's names, avatar, unique Slack ID and optionally email

We feel email is a bit more "private" than name; that's why you can opt-out of email collecting when onboarding Jolly into your workspace. Both name and email are encrypted at rest using AES-256 encryption.

It's important to note that we don't care about your user's names or emails. Core of Jolly would be 100% functional even without name or email. We only collect them so we can display them for you when you manage your users, just so you have easier way of identifying your users. Without name or email, you would only be able to identify your users by avatar and their Slack ID.

Request logs

Every time somebody from your workspace interacts with Jolly, sends it a message, or when Jolly interacts back with your workspace, we store that interaction. However, this is only done so we can investigate potential errors. We encrypt every request payload, and every response from Slack API at rest using AES-256 encryption.

All logs are completely removed from our database after a week.

Invoices

Even though our complete payment system is handled by Paddle, we store all past invoices for your workspace. We need to store them even if you remove your Jolly account for legal purposes.

Ready to get started?

Did we successfully convince you to try Jolly? Get stared for free in minutes. Be a good manager and let Jolly make you never miss your team member's birthday or work anniversary.