Slack Integration – Technical and Security Documentation

1. Summary

Kioo is a Norwegian platform for team development and assessments. The Slack integration is an optional notification channel that lets Kioo send invitations, reminders, and results to your organization's existing Slack workspace, and lays the groundwork for an upcoming Kioo AI coach that can have conversations with users in Slack.

  • Vendor: Kioo AS, Norway
  • Slack App ID: A0AA71Q8SG7
  • Installation type: Bot app, OAuth 2.0, per Slack workspace
  • Status: Already in production at Norwegian enterprise customers
  • Approval required: both a Kioo organization admin and a Slack workspace admin

2. What the integration does

  • Sends notifications (survey invitations, reminders, results alerts) to one chosen Slack channel per Kioo team. The channel is selected by the team admin inside Kioo.
  • Sends direct messages to Kioo users who are mapped to a Slack user via their email address.
  • Delivers messages with clickable buttons that open personalized survey links in the browser.
  • Lays the groundwork for upcoming features, including a Kioo AI coach that can have conversations with users in DMs and respond to @Kioo mentions in channels.

The integration does not:

  • Read messages between humans in channels or direct messages
  • Store Slack channel messages, files, or conversation history between users
  • Send data to third parties outside Kioo
  • Act on behalf of an end user

Content a user deliberately submits to Kioo through Slack — for example, a response to an open-ended survey question, or a conversation with the Kioo AI coach — is stored in Kioo in the same way it would be if submitted through the web app or email. This content is owned by the customer and subject to the same access rules and retention policies as any other survey or response data in Kioo.

3. OAuth scopes — full list

At installation, Kioo requests the following bot scopes through Slack's standard OAuth 2.0 flow. Slack displays the same list to the Slack workspace admin during approval.

Scope                Purpose
chat:write           Post messages to channels the Kioo bot is a member of
chat:write.public    Post to public channels without having to be invited first
im:write             Open DMs and send direct messages to Kioo users
im:read              Receive events when a user sends a DM to the Kioo bot
im:history           Read message history in DM threads where the Kioo bot is itself a participant — used by the upcoming AI coach for conversational context
channels:read        List public channels (for the channel picker inside Kioo)
groups:read          List private channels the Kioo bot is a member of
users:read           List workspace users
users:read.email     Fetch email addresses to match Kioo users to Slack users
app_mentions:read    Receive events when @Kioo is mentioned in a channel — used by the upcoming AI coach
reactions:read       See emoji reactions on messages sent by Kioo
links:write          Render URL previews for survey links
links.embed:write    Embed video players in messages (e.g., coaching content)

Important clarification about im:history: This scope only grants access to message threads where the Kioo bot itself is a participant (i.e., direct messages between a user and the Kioo bot). Kioo never has access to DMs between two humans.

4. What Kioo does NOT request access to

The following scopes are deliberately not requested and will never be part of Kioo's access:

  • channels:history — Kioo cannot read messages in public channels
  • groups:history — Kioo cannot read messages in private channels
  • User tokens (user scopes) — Kioo cannot act on behalf of an end user. All operations are performed by the bot.
  • files:read / files:write — Kioo has no access to files
  • search:read — Kioo cannot search the workspace
  • admin.* scopes — Kioo has no administrative privileges

5. Data flow

Data sent to Slack

Kioo sends structured messages (Slack Block Kit format) that contain team name, survey type (Team Health, Individual Strengths, 360 Feedback), deadlines, response counts (e.g., "3 of 10 have responded"), clickable buttons with personalized survey URLs, and team signal alerts.

Data Kioo reads from Slack

Kioo calls only these Slack API endpoints for reading:

  • users.list and users.lookupByEmail — fetch the user list and emails to map Kioo users to Slack users
  • conversations.list — fetch the channel list for the channel picker in Kioo's UI

Kioo never reads message content, files, or conversation history between humans.

6. Data storage

The following is stored in Kioo's PostgreSQL database, hosted on Microsoft Azure in the North Europe region (EU/EEA):

  • Bot OAuth access token (bot scope only, not a user scope)
  • Slack workspace ID, workspace name, and bot user ID
  • Channel IDs and names for channels selected by team admins
  • Mapping between Kioo user ID and Slack user ID, including the email address used for matching

Outbound notifications sent by Kioo are generated at send time and are not retained in Kioo's systems after delivery. Kioo does not store Slack channel messages, files, or conversation history between users. Content a user deliberately submits to Kioo through Slack (e.g., a response to an open-ended survey question or a message to the Kioo AI coach) is stored as part of the user's response data in Kioo, under the same access rules as any other response data.

7. Security

  • OAuth 2.0 using Slack's standard authorization flow
  • CSRF protection via time-limited state cookies (10-minute lifetime)
  • HMAC-SHA256 signature verification on all incoming requests from Slack (events, button clicks)
  • Replay protection via a 5-minute timestamp window on incoming requests
  • Timing-safe signature comparison to prevent timing attacks
  • Tokens stored in an encrypted database (encryption at rest via Azure-managed database)
  • Bot tokens only, never user tokens — Kioo can never act as an end user
  • Audit trail for installation, disconnection, and channel selection
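The three request-handling controls listed above (HMAC-SHA256 verification, the 5-minute replay window, and timing-safe comparison) correspond to Slack's standard v0 request-signing scheme. The following Python verifier is an added example for this page, not Kioo's own code; the signing secret, header names as used by Slack, and the sample body are constructed for illustration.

```python
import hashlib
import hmac
import time
from typing import Optional, Tuple

# Constructed secret for the example; a real deployment reads it from a secrets store.
SIGNING_SECRET = "example-signing-secret-not-real"
REPLAY_WINDOW_SECONDS = 5 * 60  # the 5-minute window from section 7


def compute_signature(secret: str, timestamp: str, body: bytes) -> str:
    """Slack v0 signature: 'v0=' + hex(HMAC-SHA256(secret, 'v0:{ts}:{raw body}'))."""
    base = b"v0:" + timestamp.encode() + b":" + body
    return "v0=" + hmac.new(secret.encode(), base, hashlib.sha256).hexdigest()


def verify_slack_request(headers: dict, body: bytes, secret: str = SIGNING_SECRET,
                         now: Optional[float] = None) -> Tuple[bool, str]:
    """Return (accepted, reason). Verify the raw body before it is parsed or acted on."""
    timestamp = headers.get("X-Slack-Request-Timestamp", "")
    signature = headers.get("X-Slack-Signature", "")
    if not timestamp.isdigit() or not signature.startswith("v0="):
        return False, "missing or malformed headers"
    # Replay protection: reject timestamps outside the window in either direction,
    # so a captured request cannot be resent later and clock skew is bounded.
    current = time.time() if now is None else now
    if abs(current - int(timestamp)) > REPLAY_WINDOW_SECONDS:
        return False, "timestamp outside replay window"
    expected = compute_signature(secret, timestamp, body)
    # Constant-time comparison: response time must not reveal how many leading
    # characters of a candidate signature matched.
    if not hmac.compare_digest(expected, signature):
        return False, "signature mismatch"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample: an event callback as Slack would deliver it to the bot.
    sample_body = b'{"type":"event_callback","event":{"type":"app_mention"}}'
    ts = str(int(time.time()))
    hdrs = {"X-Slack-Request-Timestamp": ts,
            "X-Slack-Signature": compute_signature(SIGNING_SECRET, ts, sample_body)}
    print(verify_slack_request(hdrs, sample_body))
```

Any request failing a check should be rejected with a 401 before the body is parsed, and the rejection logged alongside the installation audit trail.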

8. Governance and control

Who can install

Installation requires both a Kioo organization admin to initiate the flow, and a Slack workspace admin to explicitly approve it in Slack's OAuth dialog. Both roles are required for the integration to become active.

Who can disconnect

Either a Kioo organization admin (from within Kioo settings) or a Slack workspace admin (via Slack's app management) can disconnect at any time.

Effect of disconnection

When disconnected from the Kioo side, the OAuth token is soft-deleted immediately, all user mappings are removed, all channel associations on Kioo teams are cleared, and all future delivery stops.

9. Legal

  • Kioo AS is the data controller for data held in Kioo's systems
  • A Data Processing Agreement is available on request
  • See the Privacy Policy for full details on data processing
  • Slack Technologies LLC is the customer's own sub-processor — your existing agreement with Slack governs processing of data sent to your workspace
  • All processing performed by Kioo takes place in the EU/EEA