LEAD.Bot Privacy FAQ

LEAD is GDPR compliant and certified under the EU-U.S. DPF and the Swiss-U.S. DPF. You can find out more on our website at the following locations:

LEAD is also required to go through a review process with Slack and Microsoft before our apps are approved to be listed in their stores. Those stores have more details about the API scopes granted to our app.

 

 

Frequently Asked Questions

Session 1. The questions apply to both LEAD.bot for Slack and Microsoft Teams 

Session 2. LEAD.bot for Slack related questions 

Session 3. LEAD.bot for Microsoft Teams related questions 

Session 1. Questions apply to both LEAD.bot for Slack and Microsoft Teams 

Q1. Setup Instructions?

    • The app can be installed directly through the app store of Microsoft and Slack. You can find links to each app store directly on our website, as well as installation instructions.

  

Q2. Access?

    • Access is granted through authentication using either the Slack or Microsoft API (depending on the chosen platform). The installing user will be given Administrator privileges, and we can grant the same privileges to additional users upon request. These users will be able to alter matching schedules, change the messages that matches receive, and alter other configurations within the LEAD.bot application.

 

 Q3. Security Measures, Disaster Recovery Protocol? 

    • Our team undergoes quarterly security reviews, has an Incident Response Policy in place for any security-related issues, and manages a Vulnerability Disclosure Program.
    • Our Internal Threat Model documentation contains more details on our infrastructure and security, and is available upon request for eligible customers. 

(Email security@lead.app if you need to review the documents mentioned in Q3). 

  

Q4. Payment Information?

    • Our payment integration is with Stripe. It is PCI compliant, and we do not store any payment information from customers.
    • We currently offer 2 tiers: the Free tier and the Basic tier. The Basic tier starts with 24 active users. (Pricing: LEAD.bot for Slack, Pricing: LEAD.bot for Microsoft Teams)
    • We offer a 14-day free trial with an unlimited number of active users.

 

Q5. Hosting Provider Details?

    • All data is hosted on encrypted volumes in Amazon AWS in the US-East-1 Region.
    • All servers use EBS volume encryption, databases are stored on volume encrypted RDS instances, database backups are stored on encrypted S3 volumes and deleted after 7 days, and all data in transit is encrypted. Additionally, select sensitive fields are field-level encrypted in the database.

Q6. What is the retention period of the data stored by the LEAD app?

    • Data is retained in encrypted S3 backups, taken nightly for a rolling window of 7 days. We will purge all company data in our database upon request, with a 48 hour SLA. 7 days after deleting data from our database, it will be purged from all backups.

Q7. Is S3 used only for the backed-up database, or also for the active database? Is the S3 database public or private?

    • S3 backups are automatically taken every 24 hours by Amazon RDS instances. The backup is taken from our standby database so that the extra load imposed by the backup process does not negatively impact customer traffic. These S3 backups are not publicly accessible, and we do not consume them, but rather retain them for 1 week for emergency recovery operations.

 

Q8. Is data encrypted in transit? If so, what specific encryption methods are used? What encryption is used for data at rest? 

    • All of our hosts use Amazon EBS volume encryption (AES-256 algorithm). Our database uses Amazon RDS volume encryption (AES-256 algorithm). Our backend API supports both TLS 1.2 and TLS 1.3 (supported: TLS_CHACHA20_POLY1305_SHA256, TLS_AES_128_GCM_SHA256, TLS_CHACHA20_POLY1305_SHA256) for encryption in transit.

Q9. Would it be a shared or dedicated database for lead.app clients (FIS)? Same question (shared or dedicated) but for the S3 volumes. 

    • The database and S3 volumes are shared.

Q10. Do you have hosting possibilities in Europe?

    • At present, we’re only able to host in the United States. We do have hundreds of European companies using us this way; however, if there is sufficient customer demand, we’d be able to work on regional offerings.

 

Q11. Does the LEAD.bot chat window allow users to share files or capture or record a conversation? 

    • The LEAD.Bot chat window only allows users to exchange plain text messages. For security and privacy reasons, no media (gifs, images, video), executables, documents, or other content can be shared through LEAD.Bot.

 

Q12. Will this solution be offered to all users on the platform?

    • LEAD.Bot can be added to an existing Team in Microsoft Teams, or Channel in Slack, to enable matching for a particular set of users. Some users, instead, create a new Team (in Microsoft Teams) or channel (in Slack) and announce to their users that they can join to opt-in to matching. Only users that are members of a Team (Microsoft Teams) or Channel (Slack) that LEAD.Bot has been added to will be available to LEAD.Bot for matching.

 

Q13. In the Privacy Document, there is a paragraph written as this: LEAD Collect and store content that you send and receive, the groups you belong to, and your interaction with your friends, mentors and colleagues. This content includes any information about you that you may choose to include. Examples of content we collect and store include: the title of your matching channel/Team names, surveys created and the audience you are sending them to. Content also includes the messages and links you upload to the Services. What does this actually mean? 

    • Most of what this statement covers applies to users on our web-based product, which offers more advanced functionality, but is not relevant to the Teams product.

      Many areas will not be relevant for the Teams product (such as surveys, group membership, interactions with other users). For our Teams product, we have access to the name of the Team that our bot has been added to, messages sent to our bot by users, and basic user profile information for users in the Team that LEAD.bot has been added to (first name, last name, email, account type).

      *Please scroll to the Microsoft Teams session (Session 3) at the bottom of this page and check out Q2 and Q3, including the question “What data does LEAD.bot collect for Microsoft Teams?”, for a complete list of the data we collect and how we use it.*

 

Q14. Is the data you collect different between the free tier, basic tier, and enterprise tier?

    • There is no difference between the free tier and the basic tier, but there is a difference for the enterprise tier. The content detailed in this document primarily answers the privacy & security questions for our free tier and basic tier offerings in Slack and Microsoft Teams.
    • The only difference between the free tier and the basic tier is how many active users you have each month. The basic tier starts with 30 active users. (Pricing: LEAD.bot for Slack, Pricing: LEAD.bot for Microsoft Teams)
    • We are at capacity for onboarding new enterprise tier customers at the moment. However, if you would like to inquire about our enterprise tier, please email hi@lead.app with your ideal use cases, or schedule a Zoom call with our customer success department.
    • We encourage new customers to try out our free tier and basic tier first as we believe most of the frequently requested features are covered in them. 

  

Q15. Have your company's terms of service and privacy documents been reviewed and approved by legal and privacy experts?

    • Yes. Please check the dates on the documents to see when they were approved. All legal documentation is built in collaboration with company lawyers who specialize in privacy.

 

Q16. Who in your organization has access to this DB, and are there any security protocols (access rights) for accessing this information?

    • Our CTO has access to the production environment, including the database. Production environments are segregated and completely isolated from each other and from our stage/local environments. Engineers must schedule a meeting with the CTO, who can sign off on employee production access, as outlined in our Change Management Policies.

Q17. How is LEAD.bot set up in terms of High Availability (uptime)?

    • We monitor our systems internally using Rollbar and Amazon CloudWatch, and externally using Service Uptime. Our databases are always hosted in multiple availability zones with automatic failover to protect against failure. Our service had 100% uptime in 2020.

 

Session 2.  Slack related questions: 

Q1.  Is this application developed by Slack or part of their certification program?

    • No. However, LEAD went through a review process with Slack before our apps were approved for listing in their store, and Slack employees are required to approve all API permission requests for our app.

 Q2. What are the permissions LEAD.bot gets in Slack? 

 

Session 3.  Microsoft Teams related questions: 

Q1.  Is this application developed by Microsoft or part of their certification program?

    • No. However, LEAD went through a review process with Microsoft before our apps were approved for listing in their stores. Additionally, LEAD is part of Microsoft’s startup program.

Q2.  Does Lead.bot have access to entire Microsoft Teams calendars?

    • LEAD.Bot has no access whatsoever to calendars. We cannot read user calendars, write to user calendars, or even know if an organization has Calendar integration. All we can do is provide a hyperlink that allows users to book a meeting with each other within Microsoft Teams — we cannot know if the user clicked this link or whether they set up a meeting. The “Schedule a meeting” link we provide on our match cards is similar to when a webpage adds a mailto:hello@example.com link, which provides the author no access to an email client or indication that it’s been clicked. LEAD.Bot has no API access to calendars at all.

Q3. What data does LEAD.bot collect/store for Microsoft Teams? 

    • The user data collected is limited to first name, last name, given name, email address, account type (Administrator, etc.) and messages that users send directly to LEAD.Bot. The organization data we are granted access to primarily comes in the form of randomized IDs. The sensitive organization data we collect is limited to the Team name of the Team LEAD.Bot has been added to. This is used so that when we match users, we can send them a message in the format: “<User1> you’ve been matched with <User2> because you’re both members of the Team: Coffee Matching”.

 

    • To ensure that organizations do not share additional private information with us, we recommend:
    1. Only adding LEAD.Bot to Teams with generic names (e.g. “Coffee-Matching”, “All-Employees”, “New-York”, “Remote-Meetups”, etc.) and avoiding adding LEAD.Bot to Teams whose names contain private information, such as “Upcoming-Sales-Deal-With-SpaceX”, “Closing-Series-B-Round”, etc.
    2. Informing your employees that no private company information should be sent as a direct message to LEAD.Bot. LEAD.Bot should be used exclusively to facilitate meetings through your corporate meeting system (Skype, Zoom, Hangouts, in person, etc.).
    3. Only modifying the initial greeting message sent to users in a way that does not contain any personal or private information.
    • Microsoft APIs are granularly scoped, so we don’t have access to additional personal data. We would need to undergo a security review and approval for permission scope increase per company if we wanted access to more information in the future.

Q4. What are the minimum permissions the app requires in MS Teams?

    • Click LEAD.bot in Teams, then click About and move your mouse over the bot’s name. You will then see this window show up below. The details in the screenshot are the answer.

 

Have other questions? Email security@lead.app for any technical questions, or hi@lead.app for business-related questions. Thank you very much!