Metomic DLP for Slack Enterprise

Description Permissions Security & Compliance

Discover, control, and remediate sensitive data in your SaaS applicationsOur mission is to give SaaS-enabled companies greater visibility and control of sensitive data, so they can reduce the risk of a data breach, without getting in the way of their employees' productivity. Discover where data lives with Metomic DLP for SlackAccurately identify sensitive data across your Slack channels and files so you know precisely where it is, and who has access to it. Search using our 150+ data type classifiers, including the following categories: • Standard PII
• Health data
• Financial data
• Identification numbers
• Secrets and passwords
• ID documents
• Custom classifiersIn addition to public and private channel scanning, Metomic searches for sensitive data in files such as: • .docx
• .doc
• .xlsx
• .csv
• .txt
• .json
• .xml
• .rtf
• .ppt
• Machine readable PDFsEvery alert will provide context for:

• The exact location incl. a deeplink
• The classification of the Sensitive Data point(s) detected
• The name and email of the person who shared the link
• A link to the relevant violation in the Metomic Dashboard
• The name of relevant rule that was violated (if configured)Automatically Remediate and ControlYou can automate alerts, notifications and redaction, either based on ready-to-use Metomic rules or customised policies you've created. Use off-the-shelf Metomic rules to understand how sensitive data flows through your infrastructure. When a data security threat is discovered in Slack, Metomic will generate a violation and trigger alerts. You can also configure your own rules within the Metomic Dashboard.We offer suggested rules and policies that help: • Meet compliance and common regulatory requirements
• Protect secrets
• Delete PII
• Lock down customer dataWe also help you gain control of sensitive data risks by: • Redacting sensitive pieces of information
• Customising data retention periods
• Customising data redaction workflows
• Automatically notifying employeesTake action on past data immediately by quickly bulk-actioning past violations, or tackling violations one by one. Analytics and Reports to support your DLP strategy Access comprehensive reports and metrics that help you track progress and view the impact of your policies. Get peace of mind, knowing you're compliant with HIPAA, GDPR, CCPA, and other national and international regulations. To learn more or schedule a demo and see Metomic in action, visit our website at metomic.io. Or, reach out via email at info@metomic.io.

Permissions

Metomic DLP for Slack Enterprise will be able to view:

Metomic DLP for Slack Enterprise will be able to do:

Review the details to better understand this app’s security practices. To learn more about assessing apps for your workspace visit our Help Center.

General

Privacy & data governance

Data retention policy

See data deletion policy: Customer data is retained for as long as the account is in active status. Data enters an “expired” state when the account is voluntarily closed. Expired account data will be retained for 180 days. After this period, the account and related data will be removed. Customers that wish to voluntarily close their account should download their data manually prior to closing their account. If a customer account is involuntarily suspended, then there is a 90 day grace period during which the account will be inaccessible but can be reopened if the customer meets their payment obligations and resolves any terms of service violations. If a customer wishes to manually backup their data in a suspended account, then they must ensure that their account is brought back to good standing so that the user interface will be available for their use. After 91 days, the suspended account will be closed and the data will enter the “expired” state. It will be permanently removed 90 days thereafter (except when required by law to retain).

Data archiving and removal policy

Also see data deletion policy: Customer data is retained for as long as the account is in active status. Data enters an “expired” state when the account is voluntarily closed. Expired account data will be retained for 180 days. After this period, the account and related data will be removed. Customers that wish to voluntarily close their account should download their data manually prior to closing their account. If a customer account is involuntarily suspended, then there is a 90 day grace period during which the account will be inaccessible but can be reopened if the customer meets their payment obligations and resolves any terms of service violations. If a customer wishes to manually backup their data in a suspended account, then they must ensure that their account is brought back to good standing so that the user interface will be available for their use. After 91 days, the suspended account will be closed and the data will enter the “expired” state. It will be permanently removed 90 days thereafter (except when required by law to retain).

Data storage policy

We follow SOC 2 Criteria: CC6.1, CC6.7 This policy outlines many of the procedures and technical controls in support of data protection. Scope Production systems that create, receive, store, or transmit Metomic customer data (hereafter "Production Systems") must follow the requirements and guidelines described in this policy. Policy Metomic policy requires that: Data must be handled and protected according to its classification requirements and following approved encryption standards, if applicable. Whenever possible, store data of the same classification in a given data repository and avoid mixing sensitive and non-sensitive data in the same repository. Security controls, including authentication, authorization, data encryption, and auditing, should be applied according to the highest classification of data in a given repository. All Production Systems must disable services that are not required to achieve the business purpose or function of the system. All Production Systems must have security monitoring enabled, including activity and file integrity monitoring, vulnerability scanning, and/or malware detection, as applicable. Data Protection Implementation and Processes Customer Data Protection Metomic hosts on AWS in the EU-WEST-2 region by default. Data may be replicated across multiple regions for redundancy and disaster recovery. All Metomic employees adhere to the following processes to reduce the risk of compromising Production Data: 1. Implement and/or review controls designed to protect Production Data from improper alteration or destruction. 2. Ensure that confidential data is stored in a manner that supports user access logs and automated monitoring for potential security incidents. 3. Ensure Metomic Customer Production Data is segmented and only accessible to Customer authorized to access data. 4. All Production Data at rest is stored on encrypted volumes using encryption keys managed by Metomic. 5. Volume encryption keys and machines that generate volume encryption keys are protected from unauthorized access. Volume encryption key material is protected with access controls such that the key material is only accessible by privileged accounts. Access Metomic employee access to production is guarded by an approval process and by default is disabled. When access is approved, temporary access is granted that allows access to production. Production access is reviewed by the security team on a case by case basis. Separation Customer data is logically separated at the database/datastore level using a unique identifier for the customer. The separation is enforced at the API layer where the client must authenticate with a chosen account and then the customer unique identifier is included in the access token and used by the API to restrict access to data to the account. Relevent database/datastore queries then include the account identifier. _ Monitoring Metomic uses various tools to monitor the entire cloud service operation. If a system failure and alarm is triggered, key personnel are notified by text, chat, and/or email message in order to take appropriate corrective action. Protecting Data At Rest Encryption of Data at Rest All databases, data stores, and file systems are encrypted according to Metomic’s Encryption Policy. Protecting Data In Transit All external data transmission is encrypted end-to-end using encryption keys managed by Metomic. This includes, but is not limited to, cloud infrastructure and third party vendors and applications. Encryption of Data in Transit All internet and intranet connections are encrypted and authenticated using a strong protocol, a strong key exchange, and a strong cipher. Data protection via end-user messaging channels Restricted and sensitive data is not allowed to be sent over electronic end-user messaging channels.

Data center location(s)

United Kingdom

Data hosting details

Cloud hosted (AWS), encrypted at rest and during transit

Data hosting company

AWS

App/service has sub-processors

Certifications & compliance

Security