Security

Last updated June 13, 2026

Security is foundational to a tool that lives inside your team’s conversations. Here’s how Tovo protects your data and limits its own access to only what it needs.

Encryption

All traffic to and from Tovo is encrypted in transit with TLS. Data stored in our database is encrypted at rest by our managed database provider.

Authentication & request verification

  • Installation uses Slack’s standard OAuth flow; sign-in uses Slack OIDC. We never see or store your Slack password.
  • Every inbound request from Slack (commands, interactivity, events) is verified against Slack’s signing secret before it is processed, so forged requests are rejected.
  • OAuth tokens are stored server-side and used only to perform the actions you initiate.

Least-privilege access

We request only the Slack scopes the app needs to function. Within Tovo, write access to the database is restricted to server-side code using a privileged key that is never exposed to the browser; the client has read-only access scoped to the signed-in user’s workspace. You can review and revoke the app’s permissions at any time from your Slack workspace settings.

Infrastructure & subprocessors

Tovo runs on reputable, security-conscious infrastructure providers:

  • Vercel — application hosting and serverless compute.
  • Supabase — managed PostgreSQL with encryption at rest, plus authentication.
  • Anthropic — AI parsing of messages you send to the bot; your content is not used to train models.
  • Merchant-of-Record payment processor — handles checkout and billing, so card data is processed by a PCI-compliant provider and never touches our servers.

See our Privacy Policy for the full list of subprocessors and how data is used.

Data handling & retention

We collect only the workspace, channel, user, and checklist data needed to operate the service. When you uninstall Tovo, the app’s access is revoked and we delete or anonymize your workspace data within 30 days, subject to limited legal retention. You can request export or deletion anytime — see Support.

AI processing

Plain-English authoring sends only the message text you direct to the bot to our AI provider, and only when you invoke it (by mentioning or DMing @tovo). That content is used solely to parse your request into a structured checklist and is not used to train models.

Responsible disclosure

If you believe you’ve found a security vulnerability in Tovo, please email support@tovo.run with the details. We’ll acknowledge your report, investigate promptly, and keep you informed. Please give us a reasonable opportunity to address the issue before any public disclosure.

Contact

Security questions or compliance requests? Reach us at support@tovo.run.