How Bob is secured
Last updated: 7 July 2026
Bob gets write access to real systems, so this page states plainly what he can see, where he runs, and what stops him from doing something you didn't approve. Nothing below is aspirational marketing copy — it's what's actually built.
What Bob can actually access in Slack
These are the exact bot permissions Slack grants on install — pulled straight from the install code, not a marketing summary.
| Scope | Why Bob needs it |
|---|---|
| app_mentions:read | See when someone @mentions Bob so he knows there's a job to do. |
| chat:write | Post Bob's replies, results, and receipts back into the thread. |
| chat:write.public | Reply in a public channel even before Bob's been explicitly added to it. |
| files:write | Attach the files, spreadsheets, or reports a task produces. |
| files:read | Read files you share with Bob so he can work from them. |
| channels:history | Read message history in public channels Bob's in, for context on a task. |
| channels:read | See the list and names of public channels, so Bob knows where he's been added. |
| groups:history | Read message history in private channels Bob's been added to. |
| im:history | Read prior direct-message context in a conversation with Bob. |
| im:read | See your list of DM conversations with Bob. |
| im:write | Start a direct message — onboarding notes, an approval prompt, a heads-up. |
| users:read | See workspace member names, so Bob can tell who asked and who approved. |
| commands | Respond to Bob's slash command, if you use it. |
Bob only reads messages directed at him — an @mention or a DM — never your team's wider channel traffic beyond what these scopes allow.
Sandbox architecture
Every run gets its own isolated, disposable computer in the cloud — spun up fresh for that task and torn down after. Credentials for the tools you connect (your CRM, your ledger, your drive) never live inside that sandbox. They're held in a separate OAuth vault, encrypted at rest; the vault brokers the specific tool call a task needs, server-side, without ever handing the sandbox a copy of the token. A compromised or misbehaving run has nothing to steal.
Approval gates, default-on
Writes to systems of record — your CRM, your books, your docs — pause for a visible Approve/Deny button before they happen, by default. You can loosen or tighten what's automatic per tool and per action, but the default is a human in the loop, not an opt-in.
Audit log
Every run, every tool call, every approval, and every credit is logged and exportable. If Bob touched it, it's on the record — not a black box you have to trust.
Spend caps
Workspaces can set a hard monthly spend cap. You get a warning at 80% of it, and nothing runs silently past the ceiling.
No-training commitment
We do not use your data, prompts, or connected-tool content to train external AI models, and we don't sell your data. Full detail in the Privacy Policy.
Subprocessors
To run the product we rely on a small set of vendors: a cloud hosting provider, our AI model provider (Anthropic), a payments processor (Stripe), and an integration platform (Composio) that stores OAuth credentials for third-party apps you choose to connect through Bob's extended catalog. Under BYOK, your model tokens are billed directly to you by your model provider under your own agreement. We maintain a current subprocessor list and provide it on request.
BYOK & self-host
Bring your own model API key and your token bill goes straight to your provider at your negotiated rate — we never see it, so there's nothing for us to mark up. The Enterprise tier ships as containers for your own VPC, with offline license verification that degrades gracefully: an expired license stops new runs, it never bricks an existing deployment.
Compliance, honestly
| Item | Status |
|---|---|
| Encryption in transit | TLS everywhere |
| Encryption at rest | Yes, including the OAuth vault |
| Access to production systems | Restricted and logged |
| Training on customer data | Never |
| SOC 2 Type 1 | In progress — no target date yet |
Questions about anything on this page: [email protected].