Security
Our founding team has run security teams and built secure products at Box, Google and Checkr. Okay is built from the ground up with the latest security-first design principles.
What we store
Okay mainly relies on metadata, such as state change events in your issue tracking system.
We use OAuth-based APIs in most cases, and we proactively select the minimal scopes needed to provide the service. In particular, we never access source code.
Encryption
Data is stored encrypted in Google Cloud Platform. Keys are securely managed and regularly rotated with Google Key Management Service.
Data in transit is encrypted with a minimum of TLS 1.2.
Authentication and Authorization
We exclusively authenticate users using SSO, provided by Google Firebase. We do not store user passwords.
We enforce access controls on sensitive data, and we regularly conduct security awareness training for all our employees.

Audit
Okay is SOC 2 Type II compliant. Please email security@[our domain] for a copy of the report.
We regularly conduct external penetration tests against our systems, with detailed reports available.
Do you offer an on-premise version of Okay?
We only offer Okay as a cloud product at this time.
Do you have a bug-bounty program?
We do not have a bug-bounty program. Please contact us at security@[our domain] for security questions or concerns.