Truffle Security and Data Handling Standards

Truffle will abide by the security standards set forth below (“Security Standards”), which detail the various actions taken by Truffle to provide the service. During the Subscription Term, these security standards may change without notice, as standards evolve or as additional controls are implemented or existing controls are modified as deemed reasonably necessary by Truffle.

Truffle provides tightly controlled and hardened access to its search engine and knowledge base, and is only accessible to authorized users via an internal corporate VPN or Slack API callbacks.

Scope of Access

Truffle is only able to access channels in Slack that it has been added to by the user’s express intent. The administrator of the Slack workspace is responsible for managing permissions to restrict or allow app installations. Truffle cannot access direct messages, nor can Truffle be added to group direct message conversations.

Data Storage

Information gathered by Truffle is stored in a search engine, provided by Elastic.co and sent to OpenAI for processing. Hosting is provided by AWS on European servers. Truffle stores full-text summaries of conversations, but not verbatim text from threads. Processed conversation summaries are stored and used to answer questions. Information extracted from conversations is stored in a multi-tenant search engine environment. Application security controls ensure that access to data is limited only to the Customer that owns that data. Production content is not used in testing environments.

Network Controls

Truffle public-facing API only processes signed requests originating from the Slack API. All other requests are blocked, and each request is additionally checked to guard against time replay attacks. Communication between each component belonging to Truffle and external to Truffle takes place inside Truffle’s own network, hosted inside an AWS VPC. Once conversation data reaches Truffle’s network, it is contained inside the network and only accessed via the before mentioned Slack API. Truffle’s internal network is only accessible from the outside by authorized users via VPN access, which is logged and monitored. All VPN certificates are unique to each VPN user, ensuring accurate monitoring.

Encryption at Rest

All messages, secrets, keys, and identifiers are stored encrypted with 256 bit AES encryption.

Encryption in Flight

All internal and external API is encrypted with SSL.

Audit Logging

Internal network access is logged and stored for up to 3 months.

Data Retention and Deletion

Retention

Truffle stores conversations and links to relevant conversations indefinitely, unless a deletion event is triggered. User preferences are stored until a deletion event is triggered.

Data Deletion

If Truffle is removed from a Slack channel, the data associated with that channel is deleted after 14 days. When Truffle is removed from a workspace, all related data from that workspace is deleted after 30 days. The Slack workspace administrator or the user that installed Truffle may request that all data associated with that workspace be deleted immediately. This may be done by submitting a request to privacy@truffle.bot.

Personally Identifiable Information

Truffle may collect personally identifiable information extracted from conversations in Slack. These are retained as part of Truffle’s knowledge base, and may be used as a part of providing Truffle’s core functionality. The data collected will be deleted as part of a deletion request or upon account closure.

Behavior and Usage Tracking

Truffle uses internal analytics to collect information about the way users interact with the service in order to make product decisions.

Usage behavior is collected anonymously, and only identified by the workspace ID from which the behavior originated. Event tracking is used only to improve the quality of Truffle, it is not shared with any other parties. Behavior tracking events are deleted after two years.

Subprocessors

Truffle uses third-party subprocessors to provide specific services. These subprocessors have access to or process customer data. The current subprocessors include:

  • Elastic.co: Provides search engine infrastructure for Truffle’s knowledge base. For more information about Elastic.co’s security practices, please visit their security page.

  • OpenAI: Provides artificial intelligence services to support Truffle’s core functionality. For more information about OpenAI’s security practices, please visit their privacy policy. Truffle has executed OpenAI’s Data Processing Addendum.

  • AWS: Provides cloud infrastructure and services for hosting and storing Truffle’s data. For more information about AWS’s security practices, please visit their security page.

  • Stripe: Use for payment and subscription management. For more information, please visit their security page.

Truffle will ensure that subprocessors are GDPR compliant and maintain a high standard of security to protect customer data.