Question 1

Does Cookie Jar actually grant access in GitHub, Jira, Figma — or does someone still need to do it manually?

Accepted Answer

Cookie Jar runs the workflow: request, route, approve, audit. The owner who clicks "Approve" goes to GitHub (or wherever) and adds the user themselves. It's a 30-second step they're already in the headspace for, since they just made the decision. This is deliberate. We never integrate with Jira, Figma, Bitbucket, or your other SaaS apps. Cookie Jar tracks who should have access — humans do the granting. No AI touching your accounts, no stored credentials, no third-party tool integrations. Cookie Jar is the source of truth for who's been approved; the human action is honest and visible in the Slack flow.

Question 2

Who can install Cookie Jar in our Slack workspace?

Accepted Answer

Only Slack workspace admins or owners. Cookie Jar checks at OAuth time — if the installer isn't a Slack admin, the install is rejected with a clear "ask your workspace admin to install this for you" message. Whoever installs becomes the first Cookie Jar admin. They can promote other employees to admin from the dashboard (head of engineering, head of design, etc.). The installer doesn't have to manage everything alone.

Question 3

How long does setup take?

Accepted Answer

About five minutes from "Add to Slack" to first access request flowing through Cookie Jar. The flow: install → Cookie Jar pre-loads 24 common tools (GitHub, Jira, Figma, Notion, AWS, and more) → assign owners to the tools that have specific managers → done. Auto-approve rules, team channel mapping, and everything else can come later, configured from Slack with no dashboard required. There's no HRIS to connect, no IdP to wire up, no agent to install on anyone's machine.

Question 4

What if a tool we use isn't in your catalog?

Accepted Answer

Type /cookie shelf add notion (or whatever the tool is) and it's on the shelf. Cookie Jar doesn't care what the tool actually is — the catalog is just a list of names you decide on. Internal tools, niche SaaS, custom apps, all welcome. The owner-routing and approval flow work identically regardless of whether the tool is "popular" or one you invented internally.

Question 5

Do you integrate with our HRIS or IdP?

Accepted Answer

No, and that's deliberate. Cookie Jar is built for 10–100-person companies that don't have a Workday, BambooHR, Okta, or AzureAD setup yet — exactly the segment that's too small for AccessOwl ($250/mo minimum) or Cakewalk (requires HRIS). Slack is the source of truth for "who works here." Cookie Jar runs on top of that. Once your team grows past the point where this makes sense, you'll graduate to a heavier tool — that's the right outcome.

Question 6

What happens when someone leaves? How do we make sure their access is actually gone?

Accepted Answer

Today, an admin types /cookie revoke @sarah all. Cookie Jar lists every tool Sarah has access to, then with one click clears all of them from her jar. The leaver gets a DM. The audit log records the revoke with actor, target, tool, and timestamp. The leave flow (Pro, shipping next) takes this further: a per-tool checklist where each tool moves through pending → checked → removed, daily reminders if anything stalls past 24h, and a final "Remove forever" gate that only enables when every seat has been verified removed in the actual SaaS app. Closes the "did the human actually remove the seat?" gap that one-button bulk revoke leaves open.

Question 7

What happens to our data if we uninstall Cookie Jar?

Accepted Answer

Uninstalling immediately removes our access credentials to your Slack workspace — we can't post or read anything in your Slack as soon as you click "Remove." Your historical access records, audit log, and member profiles stay in Cookie Jar's database until you request deletion. To delete everything, email us. Full details in our Privacy Policy.

Question 8

Are you SOC 2 certified?

Accepted Answer

Not yet. We follow the controls that lead to SOC 2 — encryption, signed webhooks, workspace isolation, RBAC, audit logging — and will pursue formal certification when a customer's procurement requires it. We won't claim a certification we don't hold.

Question 9

Where is data stored?

Accepted Answer

United States, on Google Cloud infrastructure. If you're in the EEA or UK, we rely on standard contractual clauses for cross-border transfer.

Question 10

Can you sign a DPA?

Accepted Answer

Yes. Email us and we'll send our standard DPA. For larger customers, we can negotiate.

Question 11

Why do you need email permission from Slack?

Accepted Answer

The users:read.email scope is used to map Slack users to Google SSO sign-ins on the dashboard. We don't use it for anything else.

Question 12

What happens if Slack tokens leak?

Accepted Answer

Tokens are encrypted at rest with rotation support. If a leak is suspected, admins can rotate by reinstalling the app — that revokes the old token immediately. We notify affected workspaces within 24 hours of confirming an incident involving your data.

Question 13

Can a regular employee install Cookie Jar to give themselves admin?

Accepted Answer

No. Cookie Jar checks at OAuth time — only Slack workspace admins or owners can install. Employee installs are rejected with a "ask your workspace admin" message.

Frequently asked questions

The questions we actually get.

Built on industry-standard practices —
not bolted on later.

Security questions buyers actually ask

Frequently asked questions

The questions we actually get.

Built on industry-standard practices —not bolted on later.

Security questions buyers actually ask

Built on industry-standard practices —
not bolted on later.