Castle can send notifications to Slack channels whenever items are added to a List. This means that your team can get a real-time notification whenever a condition of your choice is applied, and have it be based on any type of entity, such as User, IP or email domain. Slack notifications are a great way of monitoring the impact of Policies before deciding to take action, e.g. to highlight users sharing accounts. Useful links: Pricing - https://castle.io/pricing Privacy - https://castle.io/privacy
Castle shall retain data as long as the company has a need for its use, or to meet regulatory or contractual requirements. Once data is no longer needed, it shall be securely disposed of or archived. Data owners, in consultation with legal counsel, may determine retention periods for their data.
Data archiving and removal policy
Data classified as restricted or confidential shall be securely deleted when no longer needed. Castle shall assess the data and disposal practices of third-party vendors in accordance with the Third-Party Management Policy. Only third-parties who meet Castle requirements for secure data disposal shall be used for storing and processing restricted or confidential data.
Castle shall ensure that all restricted and confidential data is securely deleted from company devices prior to, or at the time of disposal.
Customer accounts and data shall be deleted from operating production systems within 90 days of contract termination through manual data deletion processes. Archives of customer data, obfuscated to remove any customer PII data, can persist in S3 storage indefinitely (for training our risk models).
Data storage policy
Castle classifies data and information systems in accordance with legal requirements, sensitivity, and business criticality in order to ensure that information is given the appropriate level of protection. Data owners are responsible for identifying any additional requirements for specific data or exceptions to standard handling requirements.
Information systems and applications shall be classified according to the highest classification of data that they store or process.
Confidential data is subject to the following protection and handling requirements:
● Access for non-pre-approved roles requires documented approval from the data owner
● Access is restricted to specific employees, roles and/or departments
● Confidential systems shall not allow unauthenticated or anonymous access
● Confidential Customer Data shall not be used or stored in non-production systems/environments
● Confidential data shall be encrypted in transit over public networks
● Confidential data shall be stored on encrypted hard drives
● Mobile device hard drives containing confidential data, including laptops, shall be encrypted
● Mobile devices storing or accessing confidential data shall be protected by a log-on password or passcode and shall be configured to lock the screen after five (5) minutes of
● Backups shall be encrypted
● Confidential data shall not be stored on personal phones or devices or removable media, including USB drives, CDs or DVDs
● Paper records shall be labeled “confidential” and securely stored and disposed of
● Hard drives and mobile devices used to store confidential information must be securely wiped prior to disposal or physically destroyed
● Transfer of confidential data to people or entities outside the company shall only be done in accordance with a legal contract or arrangement, and with the explicit written permission of management or the data owner
Castle shall evaluate the risks inherent in processing and storing data, and shall implement cryptographic controls to mitigate those risks where deemed appropriate. Where encryption is in use, strong cryptography with associated key management processes and procedures shall be implemented and documented. All encryption shall be performed in accordance with industry standards, including NIST SP 800-57.
For all personal data, Castle shall consider the state of the art, the costs of implementation and the nature, scope, context, and purposes of processing as well as the risk of varying likelihood and severity to the rights and freedoms of natural persons, and implement appropriate technical and organizational measures surrounding the pseudonymization and encryption of data to ensure a level of security appropriate to the risk.
For all web traffic sent over the public Internet containing confidential information, the TLS v1.2 protocol or better must be utilized.
Data Deletion. At the expiry or termination of the Agreement, Service Provider will, at Company’s option, delete or return all Company Personal Data (excluding any back-up or archival copies which shall be deleted in accordance with Service Provider’s data retention schedule), except where Service Provider is required to retain copies under applicable laws, in which case Service Provider will isolate and protect that Company Personal Data from any further Processing except to the extent required by applicable laws.
Requests to delete data can be sent to email@example.com.
While this app may offer HIPAA compliance, Slack does not have a business associate agreement with any third-party application providers, including those in the Slack App Directory, so you are responsible for validating the provider's compliance and executing an appropriate agreement before enabling.
Supports Single Sign On (SSO) with the following providers
Supports Security Assertion Markup Language (SAML)