# Integration Permissions


Kosmos uses read-only API connections to analyze your data. We never install code in your environment or modify your systems.

### Our Security Approach

**Zero-Install Architecture:** Kosmos operates entirely outside your infrastructure. We connect via standard OAuth APIs—the same secure method used by thousands of enterprise integrations.

**Read-Only Access:** We request only the minimum permissions needed to analyze your data. Kosmos cannot create, update, or delete records in your systems.

**No Code Deployment:** Nothing is installed in your Salesforce org, Jira instance, or GitHub repos. This means:

* No security reviews of deployed packages
* No impact on your system performance
* No maintenance burden on your team

***

### Permissions by Integration

#### Salesforce Service Cloud

**Setup Required:** Salesforce requires installing our managed package before connecting. See [Connecting Salesforce](https://docs.kosmoslabs.ai/connecting-salesforce) for step-by-step instructions.

| Permission         | Why We Need It                                       |
| ------------------ | ---------------------------------------------------- |
| Read Cases         | Analyze incident and support ticket patterns         |
| Read Case Comments | Understand resolution context                        |
| Read Case History  | Reconstruct incident timelines                       |
| Read Incidents     | ITSM correlation (if Service Cloud Incident enabled) |
| Read Users         | Attribute incidents to teams                         |

**What we DON'T access:** Opportunities, financial data, custom objects (unless mapped), attachments, or files.

***

#### Jira

| Permission              | Why We Need It                            |
| ----------------------- | ----------------------------------------- |
| Read Issues             | Analyze bugs, incidents, and tasks        |
| Read Projects           | Understand team structure                 |
| Read Comments           | Context for root cause analysis           |
| Write Issues (optional) | Create follow-up tickets from RCA Reports |

**What we DON'T access:** Confluence pages, admin settings, user passwords, or billing information.

**Note:** Write access is only used when you explicitly click "Create Jira Ticket" from an RCA. Kosmos never creates tickets automatically.

***

#### GitHub

| Permission                   | Why We Need It                       |
| ---------------------------- | ------------------------------------ |
| Read Commits                 | Correlate deployments with incidents |
| Read Pull Requests           | Identify changes linked to issues    |
| Read Repositories (metadata) | Understand codebase structure        |

**What we DON'T access:** Source code contents, secrets, Actions logs, or admin settings.

***

#### ServiceNow

| Permission           | Why We Need It                   |
| -------------------- | -------------------------------- |
| Read Incidents       | Analyze ITSM incident patterns   |
| Read Change Requests | Correlate changes with incidents |

**What we DON'T access:** CMDB data, knowledge articles, admin settings, or user credentials.

**Field Mapping:** After connecting, you can map your custom ServiceNow fields to Kosmos. This ensures RCAs include context from your organization's specific incident data.

**Sandbox Support:** You can connect a sandbox instance (dev/test/uat) for evaluation before granting production access.

***

#### Zendesk

| Permission         | Why We Need It                              |
| ------------------ | ------------------------------------------- |
| Read Tickets       | Analyze support ticket patterns             |
| Read Custom Fields | Include your organization's ticket metadata |

**What we DON'T access:** User passwords, billing information, admin settings, or Guide/Help Center content.

***

#### Slack / Microsoft Teams (Notifications)

| Permission    | Why We Need It                                            |
| ------------- | --------------------------------------------------------- |
| Post Messages | Send Risk Event and RCA alerts to your configured channel |

**What we DON'T access:** Message history, user data, private channels, or any channel other than the one you configure.

**Note:** Notification integrations are optional. You can use Kosmos without connecting Slack or Teams.

***

### Data Handling

* **Encryption:** All data encrypted in transit (TLS 1.3) and at rest (AES-256)
* **Retention:** Data retained only while your account is active
* **Location:** Hosted on Google Cloud Platform (US regions)
* **Compliance:** SOC 2 Type II in progress; DPA available upon request

### Revoking Access

You can disconnect any integration at any time from Settings → Integrations. Revoking access immediately stops data sync. To request data deletion, contact <support@kosmoslabs.ai>.

### Questions?

If your security team needs additional documentation, we're happy to provide:

* Security questionnaire responses
* Data Processing Agreement (DPA)
* Architecture diagrams

Contact your Kosmos team or email <security@kosmoslabs.ai>.

***

**Questions?** Contact [support@kosmoslabs.ai](mailto:support@kosmoslabs.ai) | [app.kosmoslabs.ai](https://app.kosmoslabs.ai/)

© 2026 Kosmos AI Labs, Inc.
