Security Policy
Last updated May 3, 2026
Pookie is a Slack-native AI teammate built by Million Software, Inc. Slack workspaces trust Pookie with conversations, files, and credentials for connected tools, so we treat security as a product requirement, not an afterthought. This page describes what we do today, what data we handle, and how to report a problem.
1. What Slack data Pookie sees
Pookie is read-on-demand, not an indexer. We do not crawl your workspace, we do not build a long-running search index of your messages, and we do not pull message history into background jobs.
- Channels: Pookie can only read channels it has been explicitly invited to. Inviting Pookie is a per-channel decision made by a workspace member.
- Direct messages and threads: Pookie reads a conversation only when a user opens a DM with it, mentions it with @pookie, or invokes one of its slash commands.
- Search: Slack search scopes (search:read.public, search:read.users, and related) are used to fulfill a user's explicit request. Searches run live against Slack's API; results are not persisted beyond the lifetime of the request that asked for them.
- Files: File scopes are used only when a user shares a file with Pookie or asks it to operate on one. Files are streamed, processed, and discarded.
- User profiles: Pookie reads user profile data (display name, profile email when needed) so it can refer to people by name in responses.
The full list of OAuth scopes Pookie requests is published in our Slack app manifest in the source repository, so you can audit it before installation.
2. Encryption
- In transit: All traffic between Slack, Pookie, model providers, and connected services is over HTTPS using TLS 1.2 or higher. We do not accept plaintext connections.
- At rest: State, OAuth tokens, MCP server credentials, memory entries, and configuration are stored in a managed Redis instance (Upstash) with disk encryption enabled by the provider. Self-hosted deployments inherit the encryption guarantees of whatever Redis they configure.
- Secrets: Slack signing secrets, OAuth client credentials, model-provider keys, and similar values live only in the deployment's environment variables, never in the repository or in logs.
3. Authentication and request integrity
- Slack OAuth: Pookie installs to a workspace via Slack's standard OAuth 2.0 flow. We never ask for, accept, or store user passwords.
- OAuth state verification: The OAuth flow is CSRF-protected via a signed state cookie tied to the installing browser session.
- Webhook signing: Every inbound request from Slack (events, slash commands, interactivity) is verified against SLACK_SIGNING_SECRET before any handler runs. Requests with a missing, malformed, or stale signature are rejected with a 401.
- No long-lived bot tokens by default: The managed deployment relies on per-workspace OAuth tokens issued by Slack at install time. Self-hosted deployments may optionally configure a single static bot token for single-workspace use.
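For readers auditing the webhook-signing check described above, here is an added example (not code from the Pookie repository) of Slack's documented v0 request-signing scheme, covering the missing, malformed, and stale cases. The function names `verifySlackRequest`, `reject`, and `demo`, and all sample values, are assumptions made for this illustration.

```javascript
const crypto = require("node:crypto");

const MAX_SKEW_SECONDS = 5 * 60; // replay window from Slack's signing documentation

function reject(reason) {
  return { ok: false, status: 401, reason };
}

// headers: lower-cased header map. rawBody: the exact body string Slack sent,
// captured before any JSON or form parsing (a re-serialized body will not match).
// nowSeconds: current Unix time, e.g. Math.floor(Date.now() / 1000).
function verifySlackRequest(signingSecret, headers, rawBody, nowSeconds) {
  const timestamp = headers["x-slack-request-timestamp"];
  const signature = headers["x-slack-signature"];
  if (!timestamp || !signature) return reject("missing");
  if (!/^\d{1,12}$/.test(timestamp) || !/^v0=[0-9a-f]{64}$/.test(signature)) {
    return reject("malformed");
  }
  if (Math.abs(nowSeconds - Number(timestamp)) > MAX_SKEW_SECONDS) return reject("stale");

  const expected = "v0=" + crypto
    .createHmac("sha256", signingSecret)
    .update(`v0:${timestamp}:${rawBody}`)
    .digest("hex");
  // Constant-time comparison; the regex above guarantees equal lengths.
  const ok = crypto.timingSafeEqual(Buffer.from(signature), Buffer.from(expected));
  return ok ? { ok: true, status: 200, reason: "valid" } : reject("mismatch");
}

// Constructed sample data: the secret, body, and clock are made up for this example.
function demo() {
  const secret = "constructed-signing-secret";
  const now = 1700000000;
  const body = "command=%2Fpookie-config&text=show";
  const sign = (ts, b) =>
    "v0=" + crypto.createHmac("sha256", secret).update(`v0:${ts}:${b}`).digest("hex");
  const hdr = (ts, sig) => ({ "x-slack-request-timestamp": String(ts), "x-slack-signature": sig });
  return {
    valid: verifySlackRequest(secret, hdr(now, sign(now, body)), body, now),
    tampered: verifySlackRequest(secret, hdr(now, sign(now, body)), body + "&text=reset", now),
    stale: verifySlackRequest(secret, hdr(now - 600, sign(now - 600, body)), body, now),
    malformed: verifySlackRequest(secret, hdr(now, "v0=nothex"), body, now),
    missing: verifySlackRequest(secret, {}, body, now),
  };
}

console.log(demo());
```

When reviewing a real handler, check that the raw body is read before any body-parsing middleware runs and that the comparison is constant-time.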
4. AI models and your content
Pookie sends your message and the relevant context to OpenAI so a large language model can produce a reply. Self-hosted deployments may configure additional or alternative providers.
- No training on Inputs or Suggestions: We do not use your messages or Pookie's replies to train any AI model. OpenAI does not train on data submitted through its API by default, and Pookie sends API traffic with that posture. See our Privacy Policy for the narrow exceptions (security review, explicit user feedback, explicit consent).
- Provider data handling: OpenAI acts as a subprocessor and is bound by its own DPA and data-usage policies. Inference requests carry only the data needed to answer the current turn. Pookie does not bundle unrelated workspace history into the prompt.
- Image generation and code execution: When you ask Pookie to generate an image or run code, those requests are sent to the corresponding OpenAI tool with the same no-training posture and are scoped to the current turn.
5. Subprocessors
Pookie's managed deployment relies on the following subprocessors. Each is contractually bound to handle Customer Data only as needed to provide its service.
- Slack: Source of all conversations, files, and OAuth-scoped access to your workspace.
- Vercel: Application hosting.
- Upstash: Managed Redis for OAuth tokens, state, memory, and per-workspace configuration.
- OpenAI: LLM inference, image generation, and code execution. Bound by OpenAI's API data usage policy, which excludes API traffic from model training by default.
- Connected MCP servers (optional, customer-controlled): Any third-party tool a workspace administrator or user connects via /mcp. Credentials and scopes are supplied by the installing user; Pookie acts as a client.
6. Memory, retention, and deletion
- Memory is explicit: Pookie's long-term memory is only written when it (or a user, via the assistant) decides a fact is worth remembering. Each entry is scoped to a person, a channel, or the workspace, and the scope determines who can recall it.
- User control: Workspace members can ask Pookie to recall, list, or forget memories at any time. Workspace admins can also tune behavior with /pookie-config.
- Conversation history: Pookie keeps the minimum rolling context needed to maintain a coherent conversation; older turns are aged out as new ones arrive.
- Uninstall = deletion: When you remove Pookie from a Slack workspace, we delete the OAuth tokens, memories, MCP credentials, and configuration tied to that workspace. You can also request deletion at any time by emailing founders@million.dev from a verified workspace-admin email.
7. MCP and connected services
Pookie can connect to Model Context Protocol (MCP) servers (for example, GitHub, Linear, PostHog, or any custom MCP) to read and write data on your behalf. These connections are opt-in and customer-driven.
- You bring the credentials: The installing user provides OAuth tokens or API keys for each MCP server. Pookie does not embed shared credentials for third-party services.
- Scoping: Each MCP connection can be scoped to a single channel or to the whole workspace via /mcp-add. Removing a connection (/mcp-remove) deletes the stored credential.
- Action transparency: Tool calls, including MCP tool invocations, are surfaced inline in Pookie's replies so you can see what was read or written and where.
8. Open source and self-hosting
Pookie's source is published at github.com/millionco/pookie. You can audit every Slack scope, every webhook handler, every system prompt, and every tool definition before you install it. Workspaces that need full data residency or air-gapped operation can self-host on their own infrastructure (Vercel, Railway, Fly, Cloud Run, AWS, or Docker on any VPS). See the self-hosting guide for details.
9. Vulnerability disclosure
If you discover a security vulnerability in Pookie, please report it privately so we can fix it before disclosure. Email founders@million.dev with the subject prefix [security]. Include a description, reproduction steps, the affected version or deployment, and any proof-of-concept code.
We will acknowledge the report within two business days and aim to provide a remediation timeline within five business days. We will keep you updated as we work on a fix and credit you in the release notes if you would like.
Safe harbor. We will not pursue or support legal action against researchers who, in good faith, follow this policy. Please do not access, modify, or exfiltrate data that does not belong to you, do not run automated scans against the production deployment, and do not degrade service for other users.
In scope:
- The Pookie web application and its public APIs
- The Slack app at the addresses Pookie ships with
- Source code published in the Pookie repository
Out of scope:
- Findings against third-party services (Slack, Vercel, Upstash, model providers, customer-connected MCP servers). Please report those to the respective vendor.
- Volumetric denial-of-service tests, social engineering of Million Software employees, and physical attacks
- Self-hosted deployments operated by third parties. Please report to the operator of that deployment.
10. Incident response
If we learn of an incident affecting the confidentiality, integrity, or availability of customer data, we will: (1) contain the incident, (2) investigate the scope and root cause, (3) notify affected workspace administrators by email without undue delay and within the timelines required by applicable law, and (4) publish a post-incident summary where appropriate.
11. Compliance posture
Pookie is a young product and we are upfront about it. We are not currently SOC 2, ISO 27001, or HIPAA certified. We follow the practices described on this page, our infrastructure providers (Vercel, Upstash, Slack, OpenAI) maintain their own SOC 2 and equivalent certifications, and self-hosting is available for workspaces with stricter compliance requirements. If your organization needs a security questionnaire, DPA, or sub-processor list under your name, email founders@million.dev.
12. Contact
For all security questions, reports, or data-deletion requests, email founders@million.dev. Thank you for helping us keep Pookie safe.