Building trust with security-conscious customers
Submit your app’s security and compliance information to the App Directory
Apps make work more pleasant and productive for teams in Slack. To make that happen, apps request permission to access information in a workspace.
Slack admins use app approvals to maintain control over the apps installed on their workspaces and to protect company data from security threats. Before installing an app, admins review what permissions an app is requesting, as well as its policies for security and data retention — but obtaining and reviewing this information can add time and friction to the app approval process.
Starting today, we’re kicking off the process of collecting security and compliance details for apps published in the App Directory. When submitting your app for review, you’ll find a section called Security & Compliance where you can start filling out information.
About security & compliance information
As a developer on Slack, surfacing security & compliance information in the App Directory allows you to answer critical questions for Slack admins, helping them make faster, more informed decisions about your app.
Here are the four categories of information you can provide — plus a peek at the new Security & Compliance tab in your app listing:
Admins want to know who built your app. In some cases, an app developer won’t be the same as the parent software company — at Slack, we built the Google Calendar app in-house.
By sharing your official developer name, where your company is located, and a link to your terms of service, you can establish an identity for your app.
Privacy & data governance
The data that flows through your app is governed by the Slack Developer Policy and API Terms of Service. In the security & compliance section, you can get more specific about how your app manages data, including details about retention, archival, storage, and removal practices.
Articulating your approach to data governance can give admins confidence that your service has strong data management practices in place to identify, locate, and retrieve information as needed, in a timely and reliable manner.
Certifications & compliance
There are general audits and certifications that any service can acquire to verify that they operate under a specified set of security standards, like ISO 27001 or SOC 2. Depending on the industry, there might also be more nuanced standards, like HIPAA compliance or FedRAMP compliance.
By making links to your app’s certifications & compliance easily accessible in one place, Slack admins can spend less time searching for information and more time learning about your app.
Certifications and audits take time, but chances are you already have a few of the building blocks that make up a strong security program. For example, if your service supports security features like SAML authentication and SSO, that’s a simple way to let admins know there’s a level of security in place to authenticate users.
There are also ways to pressure-test your app against real-world scenarios — like penetration tests, which simulate a cyber attack to identify security vulnerabilities.
To supplement pen testing schedules, some services will establish more scaled, community-based programs to report potential vulnerabilities whenever they arise:
- Vulnerability disclosure programs rely on the goodwill of security researchers to crowdsource potential security vulnerabilities
- Bug bounty programs incentivize researchers to report vulnerabilities in exchange for compensation
Opting to be transparent with Slack admins builds credibility. Even if some security and compliance details are not applicable for your app, each piece of the puzzle you provide can help admins make better decisions about your app.
You can start submitting security and compliance details today, as part of the open beta. Under your app’s Settings, you’ll find a new section called Security & Compliance where you can start filling out information. We’ll review your submission, but it’s up to the developer to ensure the accuracy of these details.
Starting July 31, 2020, the App Directory will require newly submitted apps to provide certain security & compliance details. Existing Slack apps on the App Directory will be required to input this information by December 4, 2020.
Questions or feedback? Email email@example.com or tweet @SlackAPI.