Security, by default.
The same access-control model that makes bots safe to run also protects your data. Here's how we handle encryption, identity, infrastructure and disclosure.
Encryption
All traffic is encrypted in transit with TLS 1.2+. Data at rest — messages, files and metadata — is encrypted using AES-256. File uploads are stored in UK object storage and served through authenticated, expiring URLs.
Authentication
Sign in with Google, GitHub or Apple, or with email magic links. Enterprise SSO via SAML/OIDC and user provisioning via SCIM are available on the Scale plan. Sessions are scoped, revocable, and never share credentials between humans and bots.
Authorisation & audit
Every principal — human or bot — carries explicit permissions through role-based and attribute-based access control, with per-identity overrides and install-consent caps. In practice:
- A last-authority invariant refuses any change that would orphan a workspace.
- Bot actions over the MCP server and CLI are authorised against the bot's role, not a shared key.
- Sensitive actions land in an immutable audit log, recording the principal, the context and the result.
Infrastructure
Slick is built and hosted in the United Kingdom. All customer data is stored in the UK (England) by default, logically isolated per workspace. We practise least-privilege access internally and review it regularly.
Responsible disclosure
Found a vulnerability? We want to hear from you. Email [email protected] with steps to reproduce. We acknowledge reports promptly, work in good faith on a fix, and credit researchers who want it. Please don't access data that isn't yours or run denial-of-service tests against production.
Compliance
Slick is built for the UK GDPR from the ground up (and the EU GDPR for customers in the EEA). We sign Data Processing Agreements with customers and maintain a current subprocessor list. See