Karma

Publisher Attestation: The information on this page is based on a self-assessment report provided by the app developer on the security, compliance, and data handling practices followed by this app. Microsoft makes no guarantees regarding the accuracy of the information.

Last updated by the developer on: September 13, 2020

General information

Information provided by Sliday LTD to Microsoft:

Information Response
App name Karma
ID 9ff28b02-ccc5-4cac-9d17-4cf6987c371f
Capabilities Bot, Tab, Messaging Extension
Office 365 clients supported Microsoft Teams
Partner company name Sliday LTD
Physical address level 7, 2 Kitchener street, Auckland, New Zealand, 1010
Contact information for this app david@sliday.com
URL of partner website https://karmabot.chat/ms
URL of Teams application info page https://karmabot.readme.io/
URL of Privacy Policy https://karmabot.readme.io/v3.0/docs/privacy-policy-for-mic...
URL of Terms of Use https://karmabot.readme.io/docs/karma-end-user-license-agre...
Main telephone number +61411277666
Description of available licensing options, if any $2 per person per month subscription in Teams
Licensing contact 1 month
Licensing telephone number +61411277666

Feedback

Questions or updates to any of the information you see here? Contact us!

How the app handles data

Information provided by Sliday LTD on how this app collects and stores organizational data, and what control an organization has over this data.

Data access using Microsoft Graph

List any Microsoft Graph permissions this app requires, and for each, whether they are delegate or application permissions, the justification and purpose for this permission (what does the app use this information for?), and whether the app stores any of this information in its databases.

Permission Delegated/Application Justification/Purpose Is any of this data stored in app database(s)? Azure AD App ID
User.Read Application Admin consent display name.Sign in and read user profile.Admin consent description.Allows users to sign-in to the app, and allows the app to read the profile of signed-in users. It also allows the app to read basic company information of signed-in users.User consent display nameSign you in and read your profile.User consent description.Allows you to sign in to the app with your organizational account and let the app read your profile. It also allows the app to read basic company information. First name, last name and company email address.First name, last name for admin facing reporting.Email address for communication in regards to Karma, billing purposes and herarchy. 9ff28b02-ccc5-4cac-9d17-4cf6987c371f

Non-Microsoft Services Used

If the app transfers or shares organizational data with non-Microsoft service(s), list the non-Microsoft service(s) the app uses, what data is transferred, and include a justification for why the app needs to transfer this information.

No

Data access via bots

If this app contains a bot or a messaging extension, it can access the roster (first name, last name, display name, email address) of any team member in a team or chat it's added to. Does this app make use of this capability?

| Access team/chat roster? | Justification/Purpose | Is any of this data stored in app database(s)? | |:--------------------------------|:---------------------|:--------------------------| | Yes | First name, last name and company email address First name, last name for admin facing reporting email address for communication in regards to Karma. Roster is required for billing purposes and to split users massive into separate departaments. | First name, last name and company email address First name, last name for admin facing reporting. Email address for communication in regards to Karma, billing purposes and Karma users hierarchy. |

Telemetry data

Does any organizational information, including EUII (end-user identifiable information) and OII (organizational identifiable information), appears in this application's telemetry/logs? If yes, describe what data is present and what controls/processes an organization has in place to archive and/or delete it. If no, describe the controls/processes in place to prevent EUII and OII from appearing in telemetry/logs.

We store tenant ID's and user ID's in logs. Both are no identifiable.

Storing and securing organizational data

Describe where/how is this application's data is stored and how access to it is controlled. Is it encrypted? Who can access it? How do you ensure that only authorized systems/individuals can access it? Examples: 2FA for all admins, Privileged Access Management (PMA), partitioning service admin accounts from Azure AD/corporate user accounts, protected IP ranges between systems, etc.

Organisation admins can delete data via billing part of our product.

Organizational controls for data stored by partner

Describe any capabilities an organization's administrators have to control their information residing in partner systems, e.g. deletion, retention, auditing, archiving, end-user policy, etc.

  1. Is any DLP solution in place? What is implemented to prevent data leaks?

YES, data is encrypted both in transit and at rest.

  1. What type of mechanisms do you implement to make sure Data Integrity is protected against errors, corruption or misuse and how frequently are they controlled

All servers run hardware RAID with different RAID levels, but in each case, it requires multiple drive failures at the same time for any data loss to occur. We go extra safe and have both automatic and manual backups. Databases are automatically backed up every day and stored for seven days. VMs are automatically backed up every week and stored for 1 month.

Snapshots and Backups are stored on an internal non-publicly visible network.

  1. Describe how you make sure that the customer's data is properly segregated from other customers' in multi-tenant solutions and how you control that production data is not replicated or used in non-production environments

Stored in different databases.

  1. What type of encryption do you propose (algorithms, protocols, key lengths) for data in transit and data at rest

All in-transit data are encrypted by TLS or SSL. HTTP is encrypted by TLS 1.2 or TLS 1.3 Database traffic encrypted by SSL.

Data is stored in Digital ocean cloud centre in US data centres.

  1. Describe how you manage unique encryption keys (process, storage, usage, RACI, SOD) for your own use and for each of your tenants

Handled by Digital Ocean.

  1. Describe the Access management process in place at the provider's end pointing out how you ensure timely removal of accesses that are no longer required and how you control the adequacy of the privileges to the job role. Also describe the revalidation processes and the frequency of its execution

We use two-factor authentication to access the control panel. Only 3 people have access to that, we change passwords every month, keep access logs audited and making sure that people no longer working with us have their accounts removed from the platform.

  1. Provide the procedure implemented at your end to manage your Shared Ids (e.g. root, Sys, System, etc.), Group IDs (generic accounts used by several individuals belonging to the same team for example) and Local accounts. Describe how you restrict, log and monitor privileged accounts usage and access to security devices (E.g., hypervisors, firewalls, vulnerability scanners, network sniffers, APIs, etc.), how you ensure users changing team or leaving can no longer access the Group ID and what is the level of traceability of such IDs

We use 1Password to share sharable ID’s, we have a separate activity feed every time the shared resource was accessed from a shared password depository. Unless absolutely necessary we do not use shared accounts and use individual accounts instead. No information at Karma database could be accessed via a shared login. 2FA is used to access 1Password to retrieve an individual login.

  1. Describe the process to ensure and monitor that Segregation of Duties is respected and how frequently it is controlled

We ran monthly meetings that cover duty segregation, the importance of dedicated login use and 2FA every login possible.

Our SIEM contains: firewall logs, web server logs and application logs. SIEM is getting analyzed daily and upon receiving. Logs are retained for 1 month and securely removed after that.

Human review of organizational information

Are humans involved in reviewing or analyzing any organizational data that is collected or stored by this app?

Yes

Feedback

Questions or updates to any of the information you see here? Contact us!

Information from the Microsoft Cloud App Security catalog appears below.

Note

The information on this page is based on a self-attestation report provided by the app developer on the security, compliance and data handling practices followed by the app. Microsoft makes no guarantees regarding the accuracy of the information. Contact us if you believe information about an app is outdated.

View in a new tab

Feedback

Questions or updates to any of the information you see here? Contact us!