One of our favourite pillars at Slite is transparency.
We take customer data security seriously, since you trust us to store valuable information. And what better way to build trust than transparency about our process?
— From our security team
Security standard
Slite is SOC2 Type II compliant
SOC2 Type II
We partnered with https://www.vanta.com/ to track clear checkpoints on the way to SOC2 Type II compliance.
If you are not familiar with SOC2, the related Wikipedia page explains it; in short, it is an IT security audit standard that aligns our processes and raises our security maturity, with the result validated by external auditors.
See our security checks live
You can view our live security health checks directly in our Vanta report.
An email address is requested so that we know who is viewing the report. The password is Public.
Previous official reports from our SOC2 Type II auditor
PDF document 4MB
2023
PDF document 836KB
2022
PDF document 2MB
2021
Security basics
Following the SOC2 standard, here are the security basics we apply to strengthen the trust our clients can place in our product, and to give Slite employees confidence in their own security.
If you travel near Brussels, you can stop by Saint-Ghislain to enjoy the Mural Project painted by local street artist Oli-B.
St. Ghislain by Oli-B
What you can't do, on the other hand, is sneak into the data center to steal our customers' data. Indeed, according to Google:
We use secure perimeter defense systems, comprehensive camera coverage, biometric authentication, and a 24/7 guard staff. In addition, we enforce a strict access and security policy at our data centers and ensure all staff is trained to be security minded.
Network communication
All communication with our servers is encrypted using TLS, configured following best practices, which earns us an A+ on SSL Labs.
This means you can safely browse your Slite docs from untrusted public Wi-Fi: as long as you can see the padlock in the browser's address bar (and the address really is ours: the padlock guarantees an encrypted connection to the site named in the bar, not that it is the right site), your docs' content stays protected in transit.
Look for the padlock to be safe
Between our servers, your data is processed and transferred over a private network that only a restricted set of Slite employees can reach, for maintenance and debugging purposes.
Data storage integrity
We divide your data into three categories:
1) Structural data
This data holds organization and user information (email, protected password and display name) as well as the structure of your docs (which channel a doc belongs to, its sub-docs, etc.).
They reside in a PostgreSQL database (think of a big ordered library).
Daily backups are taken and stored in several Google data centers in Europe to ensure we never lose your data.
We keep the last 7 days of backups, so we can restore your data to its state on any day between today and 7 days ago.
Moreover, we test those backups every month.
2) Documents content
Your most valuable data: all the actual content of your docs, live edits and history reside in a MongoDB database (think of a big record of everything everybody types).
As this data is the core of our service, we use several tiers of backups, called snapshots:
One snapshot is taken every 6 hours and kept for 7 days.
Another snapshot is taken every Saturday and kept for 4 weeks.
A last snapshot is taken on the last day of each month and kept for 1 year.
With all of these precautions, we are confident we will never lose your data!
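To make the three-tier snapshot policy above concrete, here is an added example (written for this page, not Slite's own tooling) that generates the snapshots such a schedule would take over a period and computes which ones are still restorable at a given date. It assumes, since the page does not say, that the six-hourly run fires at 00:00/06:00/12:00/18:00 and that the Saturday and month-end snapshots are the 00:00 run of that day, recorded as their own tier; the sample period and dates are constructed.

```python
from datetime import datetime, timedelta
import calendar

# Retention window per snapshot tier, as described in the policy above.
RETENTION = {
    "6h": timedelta(days=7),         # every 6 hours, kept 7 days
    "weekly": timedelta(weeks=4),    # every Saturday, kept 4 weeks
    "monthly": timedelta(days=365),  # last day of each month, kept 1 year
}


def is_last_day_of_month(ts):
    return ts.day == calendar.monthrange(ts.year, ts.month)[1]


def schedule(start, end):
    """Return the (tier, timestamp) pairs the policy would take in [start, end).

    Assumption (not stated on the page): `start` is at midnight, the six-hourly
    run fires at 00:00/06:00/12:00/18:00, and the weekly and monthly snapshots
    are the 00:00 run of the relevant day, recorded as their own tier.
    """
    if start != start.replace(hour=0, minute=0, second=0, microsecond=0):
        raise ValueError("start must be at midnight")
    out = []
    t = start
    while t < end:
        out.append(("6h", t))
        if t.hour == 0:
            if t.weekday() == 5:  # Saturday
                out.append(("weekly", t))
            if is_last_day_of_month(t):
                out.append(("monthly", t))
        t += timedelta(hours=6)
    return out


def retained(snapshots, now):
    """Snapshots still inside their tier's retention window at `now`."""
    return [(tier, ts) for tier, ts in snapshots
            if timedelta(0) <= now - ts <= RETENTION[tier]]


def oldest_restore_point(snapshots, now):
    """Earliest point in time that can still be restored at `now`, or None."""
    kept = retained(snapshots, now)
    return min(ts for _, ts in kept) if kept else None


def summary(snapshots, now):
    """Number of retained snapshots per tier at `now`."""
    counts = {tier: 0 for tier in RETENTION}
    for tier, _ in retained(snapshots, now):
        counts[tier] += 1
    return counts


def demo():
    # Constructed scenario: the policy runs through all of 2023;
    # what is still restorable on the morning of 2024-01-01?
    snaps = schedule(datetime(2023, 1, 1), datetime(2024, 1, 1))
    now = datetime(2024, 1, 1)
    return {
        "taken": len(snaps),
        "kept": summary(snaps, now),
        "oldest": oldest_restore_point(snaps, now),
    }


if __name__ == "__main__":
    print(demo())
```

Running it shows the shape of the policy: 1524 snapshots are taken during the year, but only 44 remain on 1 January 2024 (28 six-hourly, 4 weekly, 12 monthly), and the oldest restorable state is the month-end snapshot of 31 January 2023. The granularity of a restore therefore degrades with age: six hours for the last week, a week for the last month, a month for the last year.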
2 bis) Documents indexed in our search engine
To help us provide a useful search engine, we use an Elasticsearch database.
Docs are indexed there as plain text, stripped of their context, so you can search effectively across all your docs.
For the retrieval part of our Ask feature, we compute semantic vectors of all textual content on an internal GPU.
3) Media
The last data category is your uploaded media.
Every image or file you attach to a doc is uploaded to Google Cloud Storage buckets.
Imagine a simple big photo album where all your images and files lie, each under a unique name.
This media is stored across several Google data centers in Europe.
A copy of all media is made every day into a second bucket, also spread across Europe.
Now you know about the processes that keep your data safely stored and make losing it almost impossible. With integrity and availability covered, let's see how we enforce confidentiality.
Confidentiality
We do not provide end-to-end encryption at this time. However, your data is encrypted in transit between your device and our servers (using TLS) and everything is encrypted at rest by Google (if someone stole a hard disk from Google's St. Ghislain data center, they would not be able to read the data). Note that encryption at rest guards against physical theft of the storage media; it does not protect data from anyone who already holds valid application access, which is why the access controls below matter.
Your data on our servers is protected by authentication and authorization logic.
Slite application
If you have used Slite before, you may know that we offer classic login/password authentication as well as Google, Slack and Apple SSO.
On the Enterprise plan, we also offer the option to enforce SSO with Google, or to bring your own identity provider through OpenID Connect on top of OAuth 2.0 (e.g. Okta, Azure AD, OneLogin, Auth0).
You can then create user groups and choose among several authorization modes:
Docs are public inside your organization
Docs are kept private to specific users or groups inside your organization
Docs are published publicly on the internet
There is also the classic read-only vs read/write permission on each doc.
All of this logic is handled by code written by our engineers.
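The authorization model just described (three visibility modes, user and group grants, read-only vs read/write) is small enough to write down in full. The following is an added illustration, not Slite's code: it resolves the effective permission of a user on a doc with deny-by-default, where an anonymous visitor can only read published docs, anything more requires membership of the doc's organization, and explicit grants to a user or one of their groups can only raise the level. The org name "acme", the users, groups and docs in `demo()` are constructed sample data.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class Visibility(Enum):
    ORG = "org"          # public inside the organization
    PRIVATE = "private"  # only explicitly granted users or groups
    PUBLIC = "public"    # published on the internet


LEVEL = {"none": 0, "read": 1, "write": 2}
NAME = {v: k for k, v in LEVEL.items()}


@dataclass
class Doc:
    org: str
    visibility: Visibility
    org_default: str = "read"  # level every org member gets on an ORG/PUBLIC doc
    grants: dict = field(default_factory=dict)  # user id or group id -> "read" | "write"


@dataclass(frozen=True)
class User:
    id: str
    org: Optional[str] = None  # None models a visitor who is not logged in
    groups: frozenset = frozenset()


def access_for(user, doc):
    """Effective permission ("none", "read" or "write") of `user` on `doc`.

    Deny by default; the result is the highest level any applicable rule yields.
    `user` may be None for an anonymous internet visitor.
    """
    level = LEVEL["none"]
    # Rule 1: a published doc is readable by anyone, logged in or not.
    if doc.visibility is Visibility.PUBLIC:
        level = LEVEL["read"]
    # Everything beyond public reading requires membership of the doc's organization.
    # A member of another organization is treated exactly like an anonymous visitor,
    # even if one of their group ids happens to match a grant on this doc (assumption:
    # group ids are only meaningful inside their own organization).
    if user is None or user.org != doc.org:
        return NAME[level]
    # Rule 2: org-visible docs give every member the doc's default level.
    if doc.visibility in (Visibility.ORG, Visibility.PUBLIC):
        level = max(level, LEVEL[doc.org_default])
    # Rule 3: explicit grants to the user or any of their groups can raise the level.
    for principal in {user.id, *user.groups}:
        granted = doc.grants.get(principal)
        if granted is None:
            continue
        if granted not in ("read", "write"):
            raise ValueError(f"bad grant level {granted!r} for {principal}")
        level = max(level, LEVEL[granted])
    return NAME[level]


def can_read(user, doc):
    return LEVEL[access_for(user, doc)] >= LEVEL["read"]


def can_write(user, doc):
    return access_for(user, doc) == "write"


def demo():
    # Constructed sample organization; every id here is made up.
    roadmap = Doc("acme", Visibility.PUBLIC, grants={"editors": "write"})
    handbook = Doc("acme", Visibility.ORG, org_default="write")
    salaries = Doc("acme", Visibility.PRIVATE, grants={"finance": "read", "cfo": "write"})
    alice = User("alice", "acme", frozenset({"editors"}))
    bob = User("bob", "acme", frozenset({"finance"}))
    cfo = User("cfo", "acme", frozenset({"finance"}))
    mallory = User("mallory", "other-corp", frozenset({"finance", "editors"}))
    return {
        "anon_roadmap": access_for(None, roadmap),        # read
        "anon_handbook": access_for(None, handbook),      # none
        "alice_roadmap": access_for(alice, roadmap),      # write (editors grant)
        "bob_roadmap": access_for(bob, roadmap),          # read (org default)
        "bob_handbook": access_for(bob, handbook),        # write (org default)
        "bob_salaries": access_for(bob, salaries),        # read (finance grant)
        "cfo_salaries": access_for(cfo, salaries),        # write (own grant wins)
        "alice_salaries": access_for(alice, salaries),    # none (private, no grant)
        "mallory_salaries": access_for(mallory, salaries),  # none (wrong org)
        "mallory_roadmap": access_for(mallory, roadmap),  # read (public only)
    }


if __name__ == "__main__":
    for case, level in demo().items():
        print(f"{case:18} {level}")
```

The two checks a reviewer should look for in such code are visible in the structure: the organization test happens before any grant is consulted, so a colliding group name from another org can never unlock a private doc, and every rule uses `max`, so no later rule can silently lower a level that an earlier one granted.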
Secure coding
As you may have heard in the news, building secure software is hard; vulnerabilities are found every day in everything:
Boosted Boards skateboards - CVE-2015-2247
Here are some steps we follow to limit and detect human mistakes:
All our developers are aware of secure development best practices (OWASP Top 10).
We use standard cryptographic algorithms and well-tested open-source frameworks.
Every line of code we write is double-checked through peer review.
A suite of automated tests runs before each deployment of new code.
Every year we hire external security engineers to perform penetration testing and code audits.
We also encourage and reward anyone with the skills to find vulnerabilities to report them to us.
We enforce an SLA for fixing security vulnerabilities, following Google Project Zero's disclosure policy.
Slite internals
Another source of vulnerabilities is ourselves: the Sliters.
Besides developing secure code, we also have access to your data: to help you use our product, to analyze how we could improve it, to investigate bugs...
And you surely know about the phishing and social engineering techniques used to compromise employees...
We have thought about it and follow processes to reduce the chance of an employee being compromised and to limit the impact if one is:
We use Google SSO everywhere, with 2FA, to manage our employees and their permissions from a single place.
We all follow security training to keep our minds sharp against current threats.
We use 1Password for our own passwords and keep shared passwords to a minimum.
All our work computers have encrypted hard disks to limit the impact of physical theft.
Payment
Well, yes, you can unlock some limits and features if you pay for them. And payment is a source of stress.
We fully outsource it to Stripe, the reference payment platform. Nobody at Slite can see or access your bank details; it is all handled by this PCI DSS certified company.
Only a few Slite employees can manage your Stripe subscription.
We keep improving how we enforce confidentiality on both sides (the application, with more features, and our internals, with more processes and checks). This is a never-ending journey, but we are confident we are on the right track.
Availability
Having your data safe and properly redundant keeps us breathing, but there is one last aspect we should discuss: application availability.
How do we make sure you can still safely and reliably access your docs 24 hours a day, 365 days a year, using the Slite application?
It's a bit technical, but we rely on well-tested standards, ArgoCD and Kubernetes, to deploy and to verify that everything works after each deployment.
Just imagine a factory which takes new application code, builds it, packs it, ships it, opens it, puts it online, validates it and finally plugs the internet into it.
Continuous deployment process
As you can see on our status.slite.com page, this process has helped us reach 99.995% uptime over the last year.
We also use Datadog to monitor all our databases and servers, so we can detect activity spikes, scale our infrastructure on demand and stay calm when everything is working!
Other questions on security
Is search engine indexing enabled for public documents?
In the past we chose to prevent indexing of your public documents. But we decided this choice should be yours, so you can opt in to it from the sharing modal.
You can read more in the document above. Obviously, we don't share your data with any advertising company.
Third parties only have access to anonymized data. It mostly serves us for behaviour analytics and statistics, as we follow a data-driven marketing strategy.