Security FAQ
This page answers common security questions from teams evaluating Asyncbot. For detailed data handling practices, see our Privacy Policy.
Data Storage
Where is my data stored?
All data is stored within the European Union on servers in Paris, France (Hostinger infrastructure). Primary data storage and processing remains in the EU. Limited metadata (IP addresses, request headers) may be processed by our CDN provider (Cloudflare) at global edge locations.
What data do you store?
| Data Type | Stored? | Purpose |
|---|---|---|
| Slack workspace ID & name | Yes | Identify your workspace |
| Slack user IDs | Yes | Assign users to rotations |
| Slack display names | Yes (cached) | Render names in rotation cards and notifications |
| OAuth bot tokens | Yes (encrypted) | Post messages on your behalf |
| Rotation configurations | Yes | Operate your schedules |
| OOO dates & leave types | Yes | Skip unavailable people during rotation. Leave types are stored only when synced from the HiBob integration |
| Handoff notes | Yes (encrypted) | Free-text shift notes written by your team. Encrypted at rest with AES-256-GCM. Stored to deliver to the next on-duty person |
| Event logs | Yes | Audit trail (user IDs + actions, no message content) |
| Stripe billing IDs | Yes | Link your workspace to your subscription. Payment details (card, address) are stored by Stripe, not by us |
| User emails | No | Used transiently during HiBob sync to match employees to Slack users, then discarded. Never stored in our database |
| Message content | No | We only post messages, never read channel history |
| Passwords or user tokens | No | We use OAuth bot tokens only. No user passwords or user-level tokens |
How long do you keep data?
- Active workspaces: As long as Asyncbot is installed
- After uninstall: 30-day grace period, then permanent deletion
- Event logs: 1 year for Pro, 30 days for Free tier
- On request: Immediate deletion available — email [email protected]
Encryption & Security
Is my data encrypted?
Yes.
- In transit: All connections use TLS 1.2+ encryption
- At rest: OAuth tokens, integration credentials, and handoff notes are encrypted using AES-256-GCM
- Database: PostgreSQL on dedicated VPS infrastructure
What Slack permissions do you request?
We follow the principle of least privilege. Here is the complete list of scopes we request:
| Scope | Purpose |
|---|---|
| commands | Handle /rotation slash commands |
| chat:write | Post rotation announcements to channels |
| chat:write.public | Post to channels the bot hasn't been invited to yet |
| channels:read | List channels for rotation setup |
| channels:history | Read channel messages for coverage thread tracking |
| channels:join | Join channels when assigned a rotation |
| groups:read | List private channels for rotation setup |
| im:write | Send on-duty DM notifications |
| im:read | Track DM delivery for notification updates |
| im:history | Update previously sent DM messages (e.g., remove stale buttons) |
| users:read | Resolve user IDs to display names |
| users:read.email | Match Slack users to HiBob employees during integration sync (email used transiently, not stored) |
Do you have SOC 2 certification?
Not yet. We're a small, bootstrapped team focused on product quality. Our security practices follow industry best practices, but we haven't undergone a formal SOC 2 audit.
If SOC 2 compliance is a requirement for your organization, please contact us to discuss your needs.
Infrastructure
What infrastructure do you use?
| Component | Provider | Location |
|---|---|---|
| Application hosting | Hostinger VPS | Paris, France (EU) |
| Database | PostgreSQL (self-hosted) | Paris, France (EU) |
| CDN / DDoS protection | Cloudflare | Global edge network |
| DNS | Cloudflare | Global |
What's your uptime target?
We target 99.9% uptime (this is an internal target, not a contractual SLA). Asyncbot is designed to be resilient — if our servers are temporarily unavailable, your Slack workspace continues to work normally. Scheduled rotations will catch up when service resumes.
Backups
Do you back up data?
Yes. We perform daily automated backups with 7-day retention. Backup restore procedures are tested periodically.
Can I export my data?
Yes. Under GDPR, you have the right to data portability. Contact [email protected] with your workspace ID to request an export of your rotation data.
Incident Response
How do I report a security issue?
Email [email protected]. We acknowledge all reports within 24 hours and aim to resolve critical issues within 72 hours.
Our security.txt file is available at /.well-known/security.txt.
What happens if there's a data breach?
In the unlikely event of a data breach affecting your workspace:
- We will notify affected workspace administrators within 72 hours as required by GDPR
- We will provide details on what data was affected
- We will outline steps we're taking to prevent recurrence
Subprocessors
We use the following third-party services to operate Asyncbot:
| Provider | Purpose | Data Location |
|---|---|---|
| Hostinger | Application & database hosting | Paris, France (EU) |
| Cloudflare | CDN, DDoS protection, DNS | Global edge network |
| Slack | Platform integration (your workspace) | US (Slack's infrastructure) |
| Stripe | Payment processing (Pro plans) | US/EU |
| HiBob | HRIS integration (optional, admin-enabled). OOO sync only | US/EU (customer's HiBob region) |
| Sentry | Error monitoring and performance tracking | US |
We evaluate subprocessors for security and GDPR compliance before integration.
Compliance
Are you GDPR compliant?
Yes. We are based in Belgium (EU) and designed Asyncbot with GDPR compliance from day one:
- Data minimization — we only collect what's necessary
- EU data residency — primary data storage in EU; see Subprocessors for the full picture
- Data subject rights — access, rectification, erasure, portability
- 30-day post-uninstall deletion (backups may persist up to 7 additional days)
Do you sign DPAs (Data Processing Agreements)?
Yes. Contact [email protected] if your organization requires a DPA.
Contact
| Topic | Contact |
|---|---|
| Security issues | [email protected] |
| Privacy questions | [email protected] |
| Legal / DPAs | [email protected] |
| General support | [email protected] |
Legal entity: Sven Meys BV, Belgium