Metomic DLP for Slack Enterprise
Discover, control, and remediate sensitive data in your SaaS applicationsOur mission is to give SaaS-enabled companies greater visibility and control of sensitive data, so they can reduce the risk of a data breach, without getting in the way of their employees' productivity. Discover where data lives with Metomic DLP for SlackAccurately identify sensitive data across your Slack channels and files so you know precisely where it is, and who has access to it. Search using our 150+ data type classifiers, including the following categories: • Standard PII
• Health data
• Financial data
• Identification numbers
• Secrets and passwords
• ID documents
• Custom classifiersIn addition to public and private channel scanning, Metomic searches for sensitive data in files such as: • .docx
• .doc
• .xlsx
• .csv
• .txt
• .json
• .xml
• .rtf
• .ppt
• Machine readable PDFsEvery alert will provide context for:
• The exact location incl. a deeplink
• The classification of the Sensitive Data point(s) detected
• The name and email of the person who shared the link
• A link to the relevant violation in the Metomic Dashboard
• The name of relevant rule that was violated (if configured)Automatically Remediate and ControlYou can automate alerts, notifications and redaction, either based on ready-to-use Metomic rules or customised policies you've created. Use off-the-shelf Metomic rules to understand how sensitive data flows through your infrastructure. When a data security threat is discovered in Slack, Metomic will generate a violation and trigger alerts. You can also configure your own rules within the Metomic Dashboard.We offer suggested rules and policies that help: • Meet compliance and common regulatory requirements
• Protect secrets
• Delete PII
• Lock down customer dataWe also help you gain control of sensitive data risks by: • Redacting sensitive pieces of information
• Customising data retention periods
• Customising data redaction workflows
• Automatically notifying employeesTake action on past data immediately by quickly bulk-actioning past violations, or tackling violations one by one. Analytics and Reports to support your DLP strategy Access comprehensive reports and metrics that help you track progress and view the impact of your policies. Get peace of mind, knowing you're compliant with HIPAA, GDPR, CCPA, and other national and international regulations. To learn more or schedule a demo and see Metomic in action, visit our website at metomic.io. Or, reach out via email at info@metomic.io.
• Health data
• Financial data
• Identification numbers
• Secrets and passwords
• ID documents
• Custom classifiersIn addition to public and private channel scanning, Metomic searches for sensitive data in files such as: • .docx
• .doc
• .xlsx
• .csv
• .txt
• .json
• .xml
• .rtf
• .ppt
• Machine readable PDFsEvery alert will provide context for:
• The exact location incl. a deeplink
• The classification of the Sensitive Data point(s) detected
• The name and email of the person who shared the link
• A link to the relevant violation in the Metomic Dashboard
• The name of relevant rule that was violated (if configured)Automatically Remediate and ControlYou can automate alerts, notifications and redaction, either based on ready-to-use Metomic rules or customised policies you've created. Use off-the-shelf Metomic rules to understand how sensitive data flows through your infrastructure. When a data security threat is discovered in Slack, Metomic will generate a violation and trigger alerts. You can also configure your own rules within the Metomic Dashboard.We offer suggested rules and policies that help: • Meet compliance and common regulatory requirements
• Protect secrets
• Delete PII
• Lock down customer dataWe also help you gain control of sensitive data risks by: • Redacting sensitive pieces of information
• Customising data retention periods
• Customising data redaction workflows
• Automatically notifying employeesTake action on past data immediately by quickly bulk-actioning past violations, or tackling violations one by one. Analytics and Reports to support your DLP strategy Access comprehensive reports and metrics that help you track progress and view the impact of your policies. Get peace of mind, knowing you're compliant with HIPAA, GDPR, CCPA, and other national and international regulations. To learn more or schedule a demo and see Metomic in action, visit our website at metomic.io. Or, reach out via email at info@metomic.io.
Permissions
Metomic DLP for Slack Enterprise will be able to view:
Metomic DLP for Slack Enterprise will be able to do:
Review the details to better understand this app’s security practices. To learn more about assessing apps for your workspace visit our Help Center.
General
Developer
Metomic Limited
Company headquarters location
United Kingdom
Terms of service
Privacy & data governance
Data retention policy
See data deletion policy:
Customer data is retained for as long as the account is in active status. Data enters an “expired” state when the account is voluntarily closed.
Expired account data will be retained for 180 days. After this period, the account and related data will be removed. Customers that wish to
voluntarily close their account should download their data manually prior to closing their account.
If a customer account is involuntarily suspended, then there is a 90 day grace period during which the account will be inaccessible but can be
reopened if the customer meets their payment obligations and resolves any terms of service violations.
If a customer wishes to manually backup their data in a suspended account, then they must ensure that their account is brought back to good
standing so that the user interface will be available for their use. After 91 days, the suspended account will be closed and the data will enter the
“expired” state. It will be permanently removed 90 days thereafter (except when required by law to retain).
Data archiving and removal policy
Also see data deletion policy:
Customer data is retained for as long as the account is in active status. Data enters an “expired” state when the account is voluntarily closed.
Expired account data will be retained for 180 days. After this period, the account and related data will be removed. Customers that wish to
voluntarily close their account should download their data manually prior to closing their account.
If a customer account is involuntarily suspended, then there is a 90 day grace period during which the account will be inaccessible but can be
reopened if the customer meets their payment obligations and resolves any terms of service violations.
If a customer wishes to manually backup their data in a suspended account, then they must ensure that their account is brought back to good
standing so that the user interface will be available for their use. After 91 days, the suspended account will be closed and the data will enter the
“expired” state. It will be permanently removed 90 days thereafter (except when required by law to retain).
Data storage policy
We follow SOC 2 Criteria: CC6.1, CC6.7
This policy outlines many of the procedures and technical controls in support of data protection.
Scope
Production systems that create, receive, store, or transmit Metomic customer data (hereafter "Production Systems") must follow the requirements and guidelines described in this policy.
Policy
Metomic policy requires that:
Data must be handled and protected according to its classification requirements and following approved encryption standards, if applicable.
Whenever possible, store data of the same classification in a given data repository and avoid mixing sensitive and non-sensitive data in the same repository. Security controls, including authentication, authorization, data encryption, and auditing, should be applied according to the highest classification of data in a given repository.
All Production Systems must disable services that are not required to achieve the business purpose or function of the system.
All Production Systems must have security monitoring enabled, including activity and file integrity monitoring, vulnerability scanning, and/or malware detection, as applicable.
Data Protection Implementation and Processes
Customer Data Protection
Metomic hosts on AWS in the EU-WEST-2 region by default. Data may be replicated across multiple regions for redundancy and disaster recovery.
All Metomic employees adhere to the following processes to reduce the risk of compromising Production Data:
1. Implement and/or review controls designed to protect Production Data from improper alteration or destruction.
2. Ensure that confidential data is stored in a manner that supports user access logs and automated monitoring for potential security
incidents.
3. Ensure Metomic Customer Production Data is segmented and only accessible to Customer authorized to access data.
4. All Production Data at rest is stored on encrypted volumes using encryption keys managed by Metomic.
5. Volume encryption keys and machines that generate volume encryption keys are protected from unauthorized access. Volume encryption
key material is protected with access controls such that the key material is only accessible by privileged accounts.
Access
Metomic employee access to production is guarded by an approval process and by default is disabled. When access is approved, temporary access is granted that allows access to production. Production access is reviewed by the security team on a case by case basis.
Separation
Customer data is logically separated at the database/datastore level using a unique identifier for the customer. The separation is enforced at the API layer where the client must authenticate with a chosen account and then the customer unique identifier is included in the access token and used by the API to restrict access to data to the account. Relevent database/datastore queries then include the account identifier.
_
Monitoring
Metomic uses various tools to monitor the entire cloud service operation. If a system failure and alarm is triggered, key personnel are notified by text, chat, and/or email message in order to take appropriate corrective action.
Protecting Data At Rest
Encryption of Data at Rest
All databases, data stores, and file systems are encrypted according to Metomic’s Encryption Policy.
Protecting Data In Transit
All external data transmission is encrypted end-to-end using encryption keys managed by Metomic. This includes, but is not limited to, cloud infrastructure and third party vendors and applications.
Encryption of Data in Transit
All internet and intranet connections are encrypted and authenticated using a strong protocol, a strong key exchange, and a strong cipher.
Data protection via end-user messaging channels
Restricted and sensitive data is not allowed to be sent over electronic end-user messaging channels.
Data center location(s)
United Kingdom
Data hosting details
Cloud hosted (AWS), encrypted at rest and during transit
Data hosting company
AWS
App/service has sub-processors
no
Certifications & compliance
Data deletion request procedure
We have an automated process for account data deletion that triggers at the end of the 90 day grace period (see Data Archival/Removal policy)
HIPAA compliant
yes
While this app may offer HIPAA compliance, Slack does not have a business associate agreement with any third-party application providers, including those in the Slack Marketplace, so you are responsible for validating the provider's compliance and executing an appropriate agreement before enabling.
Security
Date of latest pen test
2022-09-20
Executive summary is available to potential customers upon request
yes
Supports Security Assertion Markup Language (SAML)
no
Has a dedicated security team
no
Contact for security issues
security@metomic.io
Has a vulnerability disclosure program
yes
Vulnerability disclosure program URL
Vulnerability disclosure program covers Slack app
yes
Has a bug bounty program
no
Requires third party authorization/connections
no
Third party services used by this app
Auth0
Uses token rotation
no