No message or file storage
We never store any message content or files - only minimal metadata (IDs, timestamps) is retained.
Security
Security at convly
Your conversations stay yours. convly is engineered to process the bare minimum, encrypt everything in transit, and never store data beyond what's needed to deliver a message.
Our security commitments
Encrypted in transit
Inter-service messages are encrypted with AES-256 and deleted immediately after delivery.
Hosted on AWS
Infrastructure runs on AWS in the US (Ohio), with hardened, private-network deployment.
Minimal permissions
Only the scopes strictly necessary for Slack ↔ Teams interoperability.
Every scope we request, with the specific use case for each:
Application security
How the convly service handles your data
No message content storage
Message content is never persisted - only operational metadata (message ID, timestamps, status) is retained.
Log redaction enforcement
All message content is automatically redacted in application logs.
AES-256 message encryption
Inter-service messages are encrypted end-to-end with AES-256, using a randomly generated IV per message. The messaging infrastructure runs in private subnets, with no public-internet exposure.
Webhook signature verification
All inbound Slack and Microsoft Teams events are verified with HMAC signatures, with replay-attack protection via timestamp validation, before any processing occurs.
Infrastructure security
AWS · Terraform
Encryption at rest
All data stores are encrypted using customer-managed keys with automatic rotation.
Secrets management
No credentials in code or environment files. All secrets (DB credentials, API keys, Slack tokens...) live in AWS Secrets Manager, KMS-encrypted.
IAM least privilege
Every service uses scoped IAM roles via OIDC - no long-lived credentials.
Database hardening
SSL/TLS enforced on all connections, deployed in private subnets only (no public access), deletion protection enabled.
Container security
ECR image scanning on every push. Container images are accessible only to authorized runtime environments.
Deployment & observability
GitOps · ArgoCD · OpenTelemetry
GitOps-enforced deployments with ArgoCD
All infrastructure and application changes go through Git. ArgoCD keeps production in sync with the Git source of truth.
Hardened pod security
All containers run as non-root users.
Full observability
All services emit traces and metrics with OpenTelemetry.
Questions about security?
We're happy to walk you through our setup or answer specific compliance questions.