Data retention policy
Vacation Tracker stores the minimum required data that our platform uses. We'll automatically delete all the data for our customers one year after the last activity in Vacation Tracker. We will also delete all the organization data upon request. Our users can request data removal by contacting our support. See https://vacationtracker.io/faq for more information. The data will be removed from our system in up to five business days after the request. Vacation Tracker stores the following: * Organization ID and Slack workspace and enterprise IDs * Basic user data for imported Slack users, including their display name, profile photo URL, and user's Slack ID. * User's email address. We use email addresses as unique identifiers for our users. We'll never send anything to these addresses without explicit permission from the user. * Leave tracking data and setting from the Vacation Tracker application itself. Data archiving and removal policy
Vacation Tracker will remove all data we store for an organization one year after the last interaction with our application or upon request. This data includes everything we keep in our databases for an organization and its users. We'll also remove all logs after three months. However, our log records do not store any data representing a unique identifier for organizations and users.
Data storage policy
We store all Vacation Tracker data in an Amazon DynamoDB database. All stored data is fully encrypted at rest. DynamoDB encryption at rest provides enhanced security by encrypting all our data at rest using encryption keys stored in the AWS Key Management Service (AWS KMS). Critical data, such as leave request reason, is encrypted using a separate AWS KMS key that is deleted when we remove the organization's data.
Data center location(s)
Germany, United States
Data hosting details
Vacation Tracker is built and distributed on Amazon Web Services (AWS), using a serverless architecture and services such as AWS Lambda, AWS AppSync, Amazon API Gateway, Amazon DynamoDB, and others. We are keeping the least possible amount of sensitive data about your team and team members, such as basic information about the users, your leave policies and all of your leave requests. However, even though we store the minimal possible amount of data about your organization, the security of that data is very important for us. We store all Vacation Tracker data in an Amazon DynamoDB database. All stored data is fully encrypted at rest. DynamoDB encryption at rest provides enhanced security by encrypting all our data at rest using encryption keys stored in the AWS Key Management Service (AWS KMS). The data is processed by more than 50 AWS Lambda functions. To keep our security level high, each of our functions is fully isolated and has the least amount of permissions. For example, the service that saves a new leave request does not have permission to read an existing leave request or team and user data. Communication between Slack and our backend application, as well as between our dashboard (frontend) and our backend application goes through a RESTful API built on top of the Amazon API Gateway and GraphQL built using AWS AppSync. All of the APIs created with Amazon API Gateway and AWS AppSync expose HTTPS endpoints only. Amazon API Gateway and AWS AppSync do not support unencrypted (HTTP) endpoints. Also, our API and GraphQL endpoints are protected by Amazon Cognito authorization, and require a valid user token to be able to access the requested data.
App/service has sub-processors
yes
Guidelines for sub-processors
App/service uses large language models (LLM)
yes
LLM model(s) used
We are using the Azure OpenAI GPT 4 turbo model (primary model) and the Amazon Bedrock Claude 3 Sonet model (we are currently testing it; we might use it soon for some production workloads).
LLM retention settings
Microsoft Azure stores prompts and generated content for up to thirty (30) days. Amazon Bedrock doesn't store or log LLM data. Vacation Tracker stores the conversation for up to 7 days or until the conversation is resolved.
LLM data tenancy policy
The Azure OpenAI GPT 4o model is in the Azure France Central region. The Amazon Bedrock models are in the AWS eu-central-1 (Frankfurt) region. We use the default data tenancy settings for both Azure OpenAI and Amazon Bedrock.
LLM data residency policy
The Azure OpenAI GPT 4o model is in the Azure France Central region. The Amazon Bedrock models are in the AWS eu-central-1 (Frankfurt) region. We use the default data tenancy settings for both Azure OpenAI and Amazon Bedrock.