Your user data is safe

Last updated July 9, 2024

Thank You

Whether you’re the Engineering leader trying Graph in your day-to-day, or an IT admin who has been asked to help set it up, thank you. Your trust and feedback is critical to building the future! Questions and feedback are most welcome at any time via beta@graphapp.ai.

Who We Are

Graph is a new product from the team behind LaunchNotes.

LaunchNotes helps product teams better connect, communicate, and collaborate with their stakeholders; Graph surfaces actionable insights to engineering leaders to unlock their team’s full potential. Both help organizations manage and harness change to improve and accelerate positive business outcomes and growth.

Over our 5-year journey building LaunchNotes, we encountered various challenges that led us to develop internal solutions to accelerate development and streamline our processes. Graph emerged from these innovations, and we've been using it to elevate the speed and productivity of our engineering team. Now, based on early feedback from many of our customers, we strongly believe it can do the same for engineering teams everywhere.

Graph is built by a team of product builders, backed by seasoned investors like Insight Partners, Cowboy Ventures, and Bull City Venture Partners. Our leadership team has extensive experience building software products at companies like Atlassian, FullStory, Mozilla, Stripe, and more. Learn more about the team: Tyler Davis, Jake Brereton, Evan Michner, Sal Sodano, and Adam Wardlow.

Overview of Graph

Graph is a new product for Engineering Leaders that integrates with the tools where engineering teams are working — Slack, Linear, Jira, and GitHub (with more coming).

Currently, Graph is available as a Slack application, which gives Engineering leaders the ability to query work activity across their people and projects directly from Slack.

Graph in Beta

As of July 2024, Graph is in Beta. This means:

• No billing or pricing. At this stage, we are focused on building the most powerful product for Engineering leaders — we only want your feedback.
• You’ll receive a private invitation with a link to install the Graph Slack app into Slack directly — the Slack app will not be available in the Slack directory until the “GA” release later in 2024. As a result, for the time being you’ll see a yellow message when installing the Slack app, “This app is not approved by Slack.”
• Even though Graph is an early product in Beta, we are SOC2 compliant and our development processes adhere to the highest standards of security and quality (more on this below).

Security and Compliance

We are committed to information security, which extends to our newest product, Graph. Our company adheres to industry-leading best practices, and we conduct a variety of audits to ensure continuous compliance. All SOC 2 reports, pen tests, and security and operations policies are available upon request.

Data Usage and Handling

• Graph uses data about the actions and activity around work. As an example: when a developer creates a new pull request, there’s a new comment on a ticket, or a status is changed.
• While we might expand permissions and scopes in the future, these data will never leave our system.
• Data is always encrypted—in transit and at rest—and stored in AWS within the United States, primarily the us-east-1 region.
• Graph runs entirely within our own infrastructure — we do not share data with any third parties.
• Our current data retention policy is to retain data indefinitely. However, upon request, we will close your account and delete all data. Simply email us at [beta@graphapp.ai](mailto:beta@graphapp.ai) if you wish for your data to be deleted.

Architectural overview

Graph will ask for permission to access data from the following apps:

• Slack
• GitHub
• Jira or Linear

Graph is composed of:

• A Slack app - Slack client application built using @slack/bolt
• A Backend app - Node Express application (backend)
• AWS RDS Postgres
• AWS Neptune

All data is encrypted in transit and at rest. All requests between the Slack and Backend apps are signed and verified using JWT and encrypted using TLS. Connections between the backend service and persistent storage are authenticated with rotating credentials and encrypted using TLS.

Slack

Permissions explained

Graph does not read messages or other sensitive data from your Slack instance.  This may change in the future. However, if that time comes, it will be an opt-in capability that will be clearly communicated to you as an option for enriching the capabilities Graph provides to you and your team. Until then, the scope of data Graph needs to operate is limited to Workspace and User metadata.

Content and info about channels & conversations

• Graph Matt will be able to access contents of canvases created inside Slack.
• View messages and other content in public channels that Graph has been added to

Graph will be able to read message history in channels it has been added to. This allows Graph to provide more context-aware insights and analytics based on team discussions and communication patterns. Graph will only access channels it has explicitly been invited to join.

Content and info about your workspace

• View people in your workspace
• View email addresses of people in your workspace

Perform actions in channels & conversations

• Graph will be able to create, edit and remove canvases
• Send messages as @graph

View messages that directly mention @graph in conversations that the app is in

The app is installed into its own bot channel. If the bot is mentioned outside of that channel, the contents of the mentioning message will be sent to our systems and you will have the option of inviting the bot to that channel. As a member of that channel, Graph can create and update insights in the channel’s canvas.

Perform actions in your workspace

• Add shortcuts and/or slash commands that people can use

Events and actions we consume from your Slack instance:

All requests include an authorization token including the slack user and team IDs.

On install, the installing user’s profile and workspace id and name are sent to our systems.

  
  {
    "userToken": "", // The slack bot token
    "email": "", // The installing user's email address
    "teamName": "", // Your Slack team's name
    "slackUserId": "", // The installing user's ID
    "slackTeamId": "" // Your Slack instance ID
  }
  

When the app is uninstalled, your Slack instance’s id is sent to our systems.

  
  {
    "slackUserId": "", // The installing user's ID
    "slackTeamId": "" // Your Slack instance ID
  }
  

GitHub

Permissions explained

Read access to issues, metadata, and pull requests

Graph reads metadata and comments about repositories, issues and pull requests for repositories you grant access to. These permissions are read-only and do not include access to source code or other sensitive intellectual property.

Data and events we consume from your instance

Repositories

This repository-level metadata helps Graph understand the purpose and structure of your projects. No source code or file contents are accessed.

• Repository name, description, URL, creation date
• Collaborator names and permission levels

Issues

Issue data allows Graph to track bugs, feature requests, and general discussions within your repositories. Only issue metadata and discussion content is consumed.

• Title, description, status (open/closed), labels, assignees
• Comment threads including author and timestamp
• References to related pull requests or other issues

Pull requests

• Title, description, status (open/closed/merged), labels, assignees
• Source and target branches
• Comment threads including author and timestamp
• Commit metadata (SHA, author, timestamp, commit message)

Pull request data helps Graph understand code changes and the code review process. Actual code diffs and file contents are not accessed.

Events and webhooks we consume from GitHub

*All events include repository, organization and user identifiers.*

Triggered when a repository is created, archived, unarchived, publicized, privatized, edited or deleted. Metadata about the repository is sent to Graph.

Triggered when an issue is opened, edited, deleted, transferred, pinned, unpinned, closed, reopened, assigned, unassigned, labeled, unlabeled, locked, unlocked, milestoned, or demilestoned. Issue metadata and comment content is sent to Graph.

Triggered when a pull request is assigned, unassigned, labeled, unlabeled, opened, edited, closed, reopened, synchronize, ready_for_review, locked, unlocked, or when a pull request review is requested or removed. Pull request metadata, comment content, and commit metadata is sent to Graph.

Atlassian ID / Jira

Permissions explained

When a user authenticates with Jira through our OAuth connection, Graph is given access to the same data the user has, scoped to the permissions listed below.

This permission allows Graph to read metadata and comments about projects, issues and sprints. These permissions are read-only and do not allow modifying any data in Jira.

This permission allows Graph to read user profile information, including names, email addresses, and Atlassian product access details. Graph uses this to map activity to individuals across systems.

Data and events we consume from your instance

Projects

• Project name, description, key, and category
• Associated components, versions, and issue types

Project metadata helps Graph track the structure and configuration of your Jira projects.

Issues

• Summary, description, status, priority, resolution, and labels
• Assignee, reporter, watchers, and voters
• Comments, worklogs, and history of field changes
• Issue links and subtasks
• Sprint and epic membership

Issue data provides a comprehensive view of work items, their relationships, and updates over time. Graph uses this to summarize key information and track progress.

User profiles

• Name, email, and Atlassian account ID

Linear

Permissions explained

Graph reads metadata and comments about projects, tickets, related comments, and metadata. These permissions are read-only.

Data and events we consume from your instance

Content and info we access from Teams

• Team name, description
• Associated projects and members

Team data helps Graph understand your organization's structure and map relationships between teams and the work they do.

Content and info we access from Projects

• Project name, description
• Associated teams and members

Content and info we access from Issues

• Title, description, status, priority, estimate, and labels
• Assignee
• Comment threads including author and timestamp
• Linked issues, pull requests, commits, and branches
• History of state changes and field edits

Issue data provides a detailed view into work items, their context, and updates over time. This powers Graph's ability to summarize progress and discussions.

Content and info we access from User profiles

• Name and email
• Role and status (active/inactive)

User profile data allows mapping activity to individuals across multiple systems.

Webhook events we consume

All events include identifiers for the associated issue, project, team and acting user

Triggered when a new issue is created. The issue's initial metadata and description is sent to Graph.

Triggered when any issue field is modified, including title, description, status, assignee, labels, and more. The updated issue metadata is sent to Graph.

Triggered when a comment is added to an issue. The new comment's content and author is sent to Graph.

Triggered when an issue changes status in the workflow (e.g. To Do -> In Progress). The old and new statuses are sent to Graph.

How Graph Uses AI

We are committed to leveraging the power of artificial intelligence (AI) while maintaining the highest standards of data security and privacy. We understand the importance of protecting our customers' data and ensuring that it is never misused or compromised.

Our models

We run private instances of Anthropic's Foundational Model on AWS Bedrock in a secure and isolated environment. This means that your data will never leave our infrastructure and is never shared or transmitted to external parties. Furthermore, we have implemented strict access controls and encryption protocols to safeguard the data at every step of the process.

AI Model Deployment

Our AI models are deployed within our private infrastructure, ensuring that your data is never exposed or transmitted outside our secure environment. Furthermore, we have implemented robust monitoring and logging systems to track and audit all interactions with the AI models, providing transparency and accountability.

Model Training

Our AI models are pre-trained by Anthropic, and we will never perform any additional training or fine-tuning using your data. This ensures that your data is never used to improve or modify the AI models, further protecting your privacy and confidentiality.

Questions and feedback are most welcome at any time via beta@graphapp.ai.