Truffle Security and Data Handling Standards

Truffle will abide by the security standards set forth below (“Security Standards”), which detail the various actions taken by Truffle to provide the service. During the Subscription Term, these security standards may change without notice, as standards evolve or as additional controls are implemented or existing controls are modified as deemed reasonably necessary by Truffle.

Truffle provides tightly controlled and hardened access to its search engine and knowledge base, and is only accessible to authorized users via an internal corporate VPN or Slack API callbacks.

Scope of Access

Truffle is only able to access channels in Slack that it has been added to. The administrator of the Slack workspace is responsible for managing permissions to restrict or allow app installations. Truffle cannot access direct messages, nor can Truffle be added to group direct message conversations. If Truffle is added to a private channel, only users who belong to that channel can access the information Truffle finds.

Data Storage

Information gathered by Truffle is stored in a search engine, provided by Elastic.co, and hosted by AWS on European servers. Full text conversations are not retained, only keywords and relevant metadata are stored in the search engine. Information extracted from conversations is stored in a multi-tenant search engine environment. Application security controls ensure that access to data is limited only to the Customer that owns that data. Production content is not used in testing environments.

Network controls

Truffle public-facing API only processes signed requests originating from the Slack API. All other requests are blocked, and each request is additionally checked to guard against time replay attacks. Communication between each component belonging to Truffle and external to Truffle takes place inside Truffle’s own network, hosted inside an AWS VPC. Once conversation data reaches Truffle’s network, it is contained inside the network and only accessed via the before mentioned Slack API. Truffle’s internal network is only accessible from the outside by authorized users via VPN access, which is logged and monitored. All VPN certificates are unique to each VPN user, ensuring accurate monitoring.

Encryption at rest

All messages, secrets, keys, and identifiers are stored encrypted with 256 bit AES encryption.

Encryption in flight

All internal and external API is encrypted with SSL.

Audit logging

Internal network access is logged and stored for up to 3 months.

Data Retention and Deletion

Retention

Truffle stores conversation keywords and links to relevant conversations indefinitely, unless a deletion event is triggered. User preferences are stored until a deletion event is triggered.

Data deletion

If Truffle is removed from a Slack channel, the data associated with that channel is deleted after 14 days. When Truffle is removed from a workspace, all related data from that workspace is deleted after 30 days. The Slack workspace administrator or the user that installed Truffle may request that all data associated with that workspace be deleted immediately. This may be done by submitting a request to privacy@truffle.bot.

Personally Identifiable Information

Truffle may collect personally identifiable information extracted from conversations in Slack. These are retained as part of Truffle’s knowledge base, and may be used as a part of providing Truffle’s core functionality. The data collected will be deleted as part of a deletion request or upon account closure.

Behavior and usage tracking

Truffle uses Google Analytics to collect information about the way users interact with the service in order to make product decisions.

Usage behavior is collected anonymously, and only identified by the workspace ID from which the behavior originated. Event tracking is used only to improve the quality of Truffle, it is not shared with any other parties.
Behavior tracking events are deleted after two years.