Donut: Data Access, Security, and Privacy

Learn more about Donut's information security and user privacy practices.

Written by Jeff Manian (he/him)
Updated over a week ago

Slack Permissions

Donut uses Slack's Granular Permissions to request only the permissions we need to make the app function. When you install Donut on your Slack workspace, Slack will present you with a list of the specific permissions that Donut requests, and you will have an opportunity to approve or reject those permissions.

Channel and Message Access

Donut's access to messages in Slack is quite limited, for two main reasons:

  1. Donut can only read messages in channels or DMs where Donut is a member.

  2. Donut only needs to be in the channel(s) where you want to use Donut. Consequently, Donut will only be a member of channels that a user invites it to or where a user explicitly sets up Donut features.

This means that Donut does not have access to anyone's private DMs (unless it's a DM with Donut), nor does Donut have access to any public or private channel content unless someone from your team has explicitly added Donut to the channel.

Security Practices

Donut is hosted on Heroku and AWS and benefits from their world-class security. We leverage Slack’s OAuth for signing into our website, making Donut as secure as Slack. Our website and servers use HTTPS with TLS 1.3 to protect user data. Donut is built on Ruby on Rails and benefits from the same Rails security that is trusted by industry. Donut is used by Fortune 500, FinTech, and cloud-security companies, among others.

Additionally, Donut is SOC 2 compliant, demonstrating our commitment to maintaining the highest standards of security and privacy. For more information about our SOC 2 compliance, please contact our support team at

SSO Support

We use Slack's OAuth authentication for signing into Donut — this is the only way to sign into our site. Therefore we indirectly support any SSO that Slack supports.

Data Storage & Encryption

We store our application data in Heroku Postgres and benefit from their world-class safety and security, which includes encryption at rest. We use Heroku PGBackups for backing up our Postgres database.

Data Retention

Our bot receives messages that are sent in channels, DMs, and groups where it is a member. However, the only messages that we store in our database are those that are sent in the multiparty DMs that the Donut bot creates when it pairs people up, those sent in a DM with the Donut bot, and those sent in channels where Donut is explicitly set up. We store the messages from these DMs in order to collect feedback and improve the product.

Data Use

For our pairing algorithm, we look at who is in which channels — we do not look at or analyze any messages (and we cannot see any messages from channels we are not in). For analytics, the only other relevant data we pay attention to is how many people are in each Slack team.

Privacy Policy

We take user privacy seriously. Terms are outlined here, and our DPA can be found here.
