Last updated January 10, 2024
We are committed to maintaining the security of our customers' data. If you have questions or concerns about our security practices or if you want to disclose a vulnerability, please contact us at security@tidbitly.com.
Overview
Tidbitly is a Slack application hosted in an Amazon Web Services (AWS) account owned and operated by Tidbitly, LLC. When you install the Tidbitly application, you instruct Slack to grant Tidbitly permission to access your Slack workspace in order to perform its intended function of creating, executing, managing, and reviewing learning campaigns. Slack shows the exact permissions requested and granted during the installation process.
After installation, Tidbitly communicates with Slack to send and receive messages in your workspace (e.g., to post campaign tidbits, to dialogue with campaign creators). Tidbitly stores minimal information about your learning campaigns in its database records on AWS, and associates them with pseudo-anonymized Slack identifiers (e.g., user U06C1AV2TCK's campaign tidbits, workspace T03GR9LFTT6's subscription status). Tidbitly processes Slack and campaign events using compute resources in its AWS account.
Tidbitly may also communicate with other third-party services (e.g., a payment processor if you choose to subscribe, or a web service where you've shared a file of tidbits). Tidbitly processes information received from these services in its AWS account and stores only the minimal information needed for its operation (e.g., a payment processor subscription ID, not credit card details).
Our Responsibilities
We accept the following responsibilities in maintaining the confidentiality, integrity, and availability of Tidbitly resources.
Data Encryption
Tidbitly relies on the capabilities of AWS DynamoDB and S3 to encrypt data at rest. Tidbitly relies on the capabilities of AWS Lambda to ensure inbound connections are encrypted using TLS 1.2+. Tidbitly requests TLS 1.2+ encryption on all outbound connections to third-party services.
Access Control
Tidbitly obtains access tokens for Slack workspaces as part of the OAuth 2.0 installation flow. Slack authorizes all requests from Tidbitly to a workspace's protected resources using the provided access token. Tidbitly verifies all requests from Slack using a global signing secret.
Tidbitly generates unique, pre-signed S3 URLs for reports requested by campaign creators. Anyone given the full URL can view the report until the signature expires.
Infrastructure Security
Tidbitly relies on infrastructure as code to define separate staging and production AWS resources. A continuous integration and deployment (CI/CD) process automates the testing and application of changes to the environments.
All Tidbitly runtime processes use least-privileged identity and access management (IAM) roles to access AWS resources. Similarly, Tidbitly staff have least-privileged IAM user accounts to support operational tasks (e.g., reviewing logs).
All staff IAM accounts require multi-factor authentication at time of login.
Monitoring and Response
Tidbitly captures logs, metrics, and traces throughout its operation to aid monitoring of and response to unexpected behaviors. Tidbitly staff receive alerts for situations requiring further investigation and action.
Backup and Restoration
Tidbitly maintains continuous, point-in-time backups of its primary data store. Staff test the restoration process in the staging environment yearly.
Incident Reporting
Tidbitly staff will share details about security incidents on the Tidbitly website. Staff will send an email notification to owners of paid subscriptions with active accounts when an incident report is available.
Third-Party Dependencies
Tidbitly relies on a handful of sub-processors and open source libraries to function. Tidbitly staff perform due diligence reviews of security practices when selecting sub-processors. Tidbitly staff also configure third-party dependency vulnerability scanning alerts and prioritize patches or upgrades based on finding severity.
Your Responsibilities
We assume you hold the following responsibilities in maintaining the confidentiality and integrity of data you choose to share with Tidbitly.
Access Control
Your Slack administrator is responsible for installing or uninstalling the Tidbitly application in your Slack workspace. Your Slack users are responsible for controlling which Slack conversations the Tidbitly application can access after installation. Your Tidbitly subscription administrator is responsible for managing which users in your Slack workspace have the campaign creator role.