VGS Control
This app is not approved by Slack. Learn more.
VGS Control provides the translation layer between disparate tech stacks and confusing compliance controls, so you don’t have to figure out how to get compliant or manually check dozens of systems to provide evidence to auditors. Whether it's through data aliasing or automated integrations, VGS gets you secure and compliant fast. Integrate with Slack to automatically collect and import public Slack channel messages to use for audit evidence when undergoing your SOC 2, ISO or similar assessment.
Permissions
VGS Control will be able to view:
VGS Control will be able to do:
Review the details to better understand this app’s security practices. To learn more about assessing apps for your workspace visit our Help Center.
General
Developer
Very Good Security
Company headquarters location
United States
Terms of service
Privacy & data governance
Data retention policy
All information assets must be preserved for the period of the immediate or current use of the asset, unless a longer retention period is necessary for historical reference or to comply with contractual or legal requirements.
To provide for consistent retention and disposal of information assets, Data Owners must maintain an Information Asset Retention Schedule that provides a breakdown of when specific information assets are to be removed and/or destroyed based on the sensitivity of the data. This schedule must address VGS business, legal, fiscal, and reference requirements.
Unless specified otherwise in the Information Asset Retention Schedule, the retention period for an information asset begins on the date the asset was received or created by VGS.
Data archiving and removal policy
4. Customer Data Deletion Requests
Because immediate deletion of sensitive data may negatively impact downstream business requirements (e.g. deleting payment card data could prevent future refunds or make chargeback management substantially more difficult) we have a strict process around deletion.
Obtaining authorization
Scheduling or deleting data may only be done if one of the following methods of requests
A face-to-face meeting or video chat with Customer's authorized representative where said representative requests and authorizes the deletion, note: this should be accompanied by separate written confirmation from the Customer;
A PGP signed email including: a signed letter from Customer outlining the actions to take, defining the affected data, and authorizing Very Good Security to move forward;
Or a predefined data retention deadline.
The direct request (via email or slack) from an authorized employee must specifically confirm:
the data to be deleted
the reason for the deletion
the persons authorizing the deletion
Upon receiving and authenticating that request, we will immediately disable the related records as well as any access credentials so that the underlying sensitive data can no longer be accessed, retrieved, or otherwise used. After a waiting period of 180 days, we then securely delete the sensitive data.
Identification
The specific data to be deleted must be clearly defined either by an appropriate time range (including confirmed timezone) or, preferably, the specific records to be deleted with corresponding payload information to verify.
Data deletion must be done pursuant to proper change management procedures: prior to commencing deletion, the selected data must be confirmed and the deletion plan must be approved by a peer engineer.
Documentation
Customer communication authorizing deletion must be retained and attached to the appropriate ticket tasking out deletion along with copies of all customer communication associated with the deletion.
Data storage policy
Very Good Security retains data in accordance with it's Data Storage Policy which is available upon request
Data center location(s)
United States, Germany
Data hosting details
Completely hosted on AWS services between European and US regions
Data hosting company
AWS
App/service has sub-processors
no
Certifications & compliance
Data deletion request procedure
Scheduling or deleting data may only be done if one of the following methods of requests
1. A face-to-face meeting or video chat with Customer's authorized representative where
said representative requests and authorizes the deletion, note: this should be
accompanied by separate written confirmation from the Customer;
2. A PGP signed email including: a signed letter from Customer outlining the actions to
take, defining the affected data, and authorizing Very Good Security to move forward;
3. Or a predefined data retention deadline.
Confidential, Internal VGS Use Only
The direct request (via email or slack) from an authorized employee must specifically confirm:
1. the data to be deleted
2. the reason for the deletion
3. the persons authorizing the deletion
Upon receiving and authenticating that request, we will immediately disable the related records as well as any access credentials so that the underlying sensitive data can no longer be accessed, retrieved, or otherwise used. After a waiting period of 180 days, we then securely delete the sensitive data.
HIPAA compliant
yes
While this app may offer HIPAA compliance, Slack does not have a business associate agreement with any third-party application providers, including those in the Slack App Directory, so you are responsible for validating the provider's compliance and executing an appropriate agreement before enabling.
Security
Date of latest pen test
2021-06-21
Executive summary is available to potential customers upon request
yes
Supports Single Sign On (SSO) with the following providers
Okta and SAML
Supports Security Assertion Markup Language (SAML)
yes
Has a dedicated security team
yes
Contact for security issues
security@verygoodsecurity.com
Has a vulnerability disclosure program
yes
Vulnerability disclosure program URL
Vulnerability disclosure program covers Slack app
yes
Has a bug bounty program
yes
Bug bounty program URL
Requires third party authorization/connections
no
Uses token rotation
no