Security at Slite


One of our favourite pillar at Slite is transparency.
We value customer data security, as you trust us to store valuable information. And what's better to enhance trust than transparency in our process ?
— From our security team

Security standard

Slite is SOC2 Type II approved

We developed a partnership with  https://www.vanta.com/  to provide clear checkpoints toward SOC2 type II compliance.
If you don't know SOC2 you can read  wikipedia  related page but it's basically an IT security standard to align our process and to elevate our security maturity validated by external auditors.


See our security checks live

You can check our live security health checks directly from  Vanta report .
An email is requested for us to know who is looking at the report. The password is Public.

There is also the official  Vanta trust report. 


Last official report from SOC2 type II auditor


PDF document 1MB
It appears you do not have a PDF plugin for this browser.

Previous official report from SOC2 type II auditor


PDF document 4MB

PDF document 836KB

PDF document 2MB


Security basics

Following the SOC2 standard, here are the security basics we follow to improve the trust our client can have in our product but also the security feelings of our Slite employees.


Cloud provider location

To safely and quickly build Slite, we completely rely on  Google Cloud Platform .
As a mostly European company, we choose to locate our servers and databases in  St. Ghislain, Belgium, Europe .

If you travel near Brussel, you can pass by Saint-Ghislain to enjoy the  Mural project  painted by local street artist  Oli-B .

On the other hand, what you can't do is to sneak into the datacenter to steal our customer's data Man Detective. Indeed, according to Google:
We use secure perimeter defense systems, comprehensive camera coverage, biometric authentication, and a 24/7 guard staff. In addition, we enforce a strict access and security policy at our data centers and ensure all staff is trained to be security minded.



Network communication

All your communications with our server are encrypted using TLS with configuration best practices which give us a A+ on  SSL Labs .

This mean you can safely browse your Slite docs from untrusted public WiFi and, as long as you can still see the padlock in the top URL bar, your docs' content will stay protected.
Between our servers, your data are processed and transferred in a safe private network where only restricted Slite employees can access for maintenance and debugging purposes.


Data storage integrity

We divided your data in 3 categories:


1) Structural data

Those data contain organization and user information (email, protected password and display name) but also your docs structure (in which channels are your doc, or sub-docs etc...)
They reside in a  PostgreSQL  database (think of a big ordered library).
Daily  backups  are made and stored in various Google European datacenters to ensure we will never loose your data.
We keep backups for the last 7 days, meaning we can restore your data in the state they were each day between today and 7 days ago.
Moreover, we test those backups every months.


2) Documents content

Your most valuable data: All the actual content of your docs, live editing and history reside in a  MongoDB  database (think of a big record of what everybody type).
As those data are the core of our service, we use multiple type of backups called  snapshots :
  • One snapshot is done every 6 hours and saved for 7 days.
  • One other snapshot is done every Saturday and saved for 4 weeks.
  • And a last snapshot is done every last day of the month and saved for 1 year.
With all of those precautions, we can be confident we will never lose your data!


2 bis) Documents indexed in our search engine

To help us provide a useful search engine, we use an  Elasticsearch  database.
Uncontextualized fully textual docs are indexed in their service so you can effectively search into all your docs.
For the retrieval part of our Ask feature. We are computing semantic vectors of all textual content by using an internal GPU.


3) Media

Last data category is your uploaded media.
Every images or files you attach to a doc are uploaded to Google buckets.
Imagine just a simple big photo album with all your images and files laying down there with an unique name.

Those media are stored, spread in various Google data centers in Europe.
A copy of all media is made every day in a second bucket also spread in Europe.

Now you know all about our processes which ensure your data are well saved and it's almost impossible we could lose it. Data integrity and availability is good, let's see how we enforce confidentiality now.


Confidentiality

We do not provide  end-to-end encryption , at this time However, your data is encrypted in transit between your device and our servers (using first grade TLS) and everything is  encrypted at rest by Google  (if someone stole a hard disk from Google St. Ghislain's super secure datacenter, he/she won't be able to read the data.)

Your data on our servers is protected by authentication and authorization logic.


Slite application

If you already used Slite before, you may know we offer classic login/password authentication but also Google, Slack and Apple  SSO .

For enterprise plan, we also offer the possibility to enforce SSO with Google or to provide your own authentication provider through  OAuth 2.0 OpenId Connect  (ex: Okta, Azure AD, OneLogin, Auth0...).

Then you can create user groups and choose various authorization mechanisms:
  • Docs are public inside your organization
  • Docs are kept private for special users or groups inside your organization
  • Docs are published publicly on the internet
There is also the classic Read-only vs Read/Write permissions on each doc.

All of those logic are handled by code written by our fellow engineers Woman Technologist

Secure coding

As you may have heard in news, building secure software is hard, vulnerabilities are found every day in  everything :
Here are some steps we follow to limit and detect human mistakes:
  • All our developers are aware of best practices in secure development (OWASP TOP 10).
  • We are using standard cryptography algorithm and well-tested open-source frameworks.
  • Each line of code we write is double checked (peer review).
  • Various tests are automatically run before each new code deployment.
  • Each year we hire external security engineers to do  penetration testing  and code audit.
  • We also reward and encourage every competent people out there to report discovered vulnerabilities
  • We tend to publicly keep track of  the discovered vulnerabilities  (by both pentesters and bounty hunters)
  • We run various automatic scans to reduce outdated code we could use:
  •  Google Cloud Container vulnerability scanning 
  •  GitHub Dependabot  alerts
  • We enforce SLA to fix security vulnerabilities following  Google project zero 

Slite internals

Another source of vulnerabilities is ourselves: the Sliters.
In addition to developping secure code, we also have access to your data to help you use our product, analyze how we could improve, investigate bugs...
And you surely know about  phishing  and social engineering techniques to compromise employees...

We thought about it and follow processes to limit the impact or reduce chance of employee compromission:
  • We use Google SSO everywhere with  2FA  to manage our employees and permissions from a single spot.
  • We quarterly review those permissions and follow  principle of least privilege .
  • We keep audit accesses to each of the data  we mentioned before .
  • We all follow security training to keep our minds sharpened against the current threats.
  • We use  1Password  for our own passwords and limit shared passwords to the minimum.
  • All our professional computer hard disks are encrypted to prevent impact of physical theft.


Payment

Well, yes, you can unblock some limitation and features Sparkles if you pay for it. And payment is a source of stress.
We completely externalized it with  Stripe , the payment platform reference. Nobody at Slite can see nor access your bank information, it's all handled by this  PCI certified  company.
Only few Slite employees can manage your Stripe subscription.

We keep improving ourselves on enforcing confidentiality on both sides (application with more features and internals with more processes and checks). This is a never-ending journey but we are confident we are on the good track Railway Track


Availability

Having your data safe and properly redundant keeps us breathing but there is a last aspect we should discuss: application availability.
How do we make sure you can still safely and properly access your docs 24 * 365 using slite application ?!

It's a bit techie but we use well-tested standards to deploy and ensure everything is working after a deployment with  ArgoCD  and  Kubernetes .

Just imagine a factory which takes new application code, builds it, packs it, ships it, opens it, puts it online, validates it and finally plugs the internet into it.
As you can see on our  status.slite.com  page, this process help us reach 99.995% uptime during the last year.

We also use  Datadog  to monitor all our databases and servers to detect activity pick, scale our infrastructure on-demand and stay cool when everything works ! Grinning Face with Sweat


Other questions on security

Is search engine indexation enabled for public documents ?

In the past we choose to prevent indexation of your public documents. But we decided this choice should be yours so you can opt for this in the sharing modal.


How stable is Slite as a company ?

We are backed by top tier VCS including  Index Ventures  and  Spark Capital . Slite has been accelerated at  YCombinator  in San Francisco.  


Do you have more information on Privacy?

You can read more in the document above. Obviously, we don't share your data with any advertising company.
Third parties only have access to anonymized data. It mostly serves us for behaviour analytics and statistics as we follow  data-driven marketing  strategy.