SniffSec

Security & Privacy

Built to pass your security review.

SniffSec was built by a security professional who knows what security buyers look for. This page covers every technical decision that affects your organization's data.

Slack OAuth scopes requested

We request the minimum viable permissions. Here is every scope, why we need it, and what it does not allow.

commands

Required to register the /start-drill and /drill-report slash commands in your workspace.

chat:write

Required to send drill questions to users who initiate a drill via /start-drill.

users:read

Required to detect job function (Engineering vs. Non-Tech) for role-based track assignment.

⛔ Scopes we will never request

channels:history, groups:history, im:history, files:read, admin, or any scope that grants access to message content. We structurally cannot read your team's messages — even if we wanted to.

Data we collect

Slack User IDs

To identify who completed each drill.

Encrypted email addresses

AES-256-CBC at rest. Used only to contact admins.

Drill scores

Per-question accuracy, module scores, completion timestamps.

Completion timestamps

UTC-timestamped records for audit trail generation.

HMAC-signed audit logs

Tamper-evident. SHA-256 keyed. Cannot be retroactively modified.

Data we do NOT collect

Message history (any channel)

File contents or attachments

Private channel names or members

Workspace member lists

Direct message content

Custom emoji, workspace profile data

Billing or payment information

Any data from channels we don't post in

Security architecture

Encryption at rest

All PII (email addresses) encrypted using AES-256-CBC with a unique key per workspace. Keys stored separately from data.

Encryption in transit

All API communication over HTTPS/TLS 1.3. No plain-text transport of any data at any layer.

HMAC-signed audit logs

Every completion event is signed with HMAC-SHA256. Signatures are included in exported PDF reports. Auditors can verify log integrity independently.

AI and your data

User data is never sent to AI models. Drill questions are generated from curated, anonymized incident summaries reviewed by a human expert. Your team's scores and responses never touch an LLM.

Data retention

All workspace data — user records, scores, audit logs — is permanently deleted within 30 days of uninstalling the Slack app. Immediate deletion available on request.

Socket Mode: no webhooks

SniffSec uses Slack's Socket Mode. No public webhook endpoints are registered, which eliminates an entire class of public-facing attack surface.

Compliance & certifications

In Progress

SOC 2 Type II

SOC 2 Type II audit in progress. Security controls mapped to Trust Service Criteria. Report available to enterprise customers under NDA.

Aligned

GDPR

Data minimization, purpose limitation, right to erasure, and 30-day deletion on uninstall are implemented. DPA available on request.

Roadmap

ISO 27001

ISO 27001 certification is on the product roadmap. Security controls currently align with ISO 27001 Annex A requirements.

Contact us

HIPAA

For healthcare organizations requiring HIPAA compliance, contact us to discuss BAA availability and technical safeguards.

Security contact

Found a vulnerability? Have a security question before purchasing? Reach out directly to our security team.

Security reports:drill@sniffsec.com
General inquiries:hello@sniffsec.com

Responsible disclosure: we commit to acknowledging reports within 24 hours and providing a remediation timeline within 72 hours.