AI Vendor Security & Compliance Brief

Slack logo Slack

Independent due-diligence summary · every fact links to the vendor's official source
8 source-cited facts
0 independently verified certs
11 legal documents tracked
Generated 2026-07-03
93/100
AI Governance Readiness

Enterprise-Ready

Strong verifiable security and governance posture.

Readiness Breakdown deterministic · evidence-only

  • Independent Certification SOC 2 / ISO certifications confirmed via the vendor's trust portal (ISO 27001, SOC3). Audit report available under NDA — standard enterprise practice.
  • Vendor-Stated Compliance Vendor states (cited, not independently audited): BAA Available (HIPAA), GDPR, HIPAA, ISO 27001, SOC 2.
  • Customer-Data Training Enterprise terms: does NOT train on customer data (consumer/free tiers may differ — see breakdown).
  • Data Processing Agreement A Data Processing Agreement is published and tracked.
  • Breach History No known breaches in Have I Been Pwned.
  • Vulnerability Exposure No product identity match in vulnerability databases — not assessed.
  • Email Spoofing Protection (DMARC) DMARC enforced — domain spoofing mitigated.
  • Vulnerability Disclosure Policy Publishes a security.txt disclosure policy (RFC 9116).
  • Web TLS Certificate Valid TLS certificate in place.
  • Legal Transparency 11 legal/policy documents publicly tracked.
Score is normalized over assessed components only — “unknown” items are shown but never silently counted against the vendor.

Ask This in Your Security Review 1 open items

  • Vulnerability ExposureRequest the remediation timeline / patch status for known CVEs (and any KEV-listed items).

Compliance Posture vendor-stated · cited

FrameworkStatusSource
BAA Available (HIPAA) Stated by vendor https://slack.com/help/articles/360020685594-Slack-and-HIPAA
GDPR Stated by vendor https://slack.com/trust/compliance/gdpr
HIPAA Stated by vendor https://slack.com/help/articles/360020685594-Slack-and-HIPAA
ISO 27001 Stated by vendor https://slack.com/trust/compliance
SOC 2 Stated by vendor https://slack.com/trust/compliance
As published on the vendor's own trust/compliance pages — not independently audited. Independently verified attestations, when available, appear in the certifications section below. Request the underlying report before relying on these.

Data & Contract Facts deterministic · cited

AttributeValueSource
Data Residency ['Australia', 'Brazil', 'Canada', 'France', 'Germany', 'India', 'Japan', 'Singapore', 'South Korea', 'Switzerland', 'United Arab Emirates', 'United Kingdom', 'United States'] https://slack.com/help/articles/360035633934-Data-residency-for-Slack
Sub-processors (published list) View document → https://slack.com/slack-subprocessors
Trains on Customer Data key clause
Free / Pro: does not train Slack does not use Customer Data (messages, files) to train LLMs; generative AI runs on off-the-shelf models hosted in Slack's own VPC with no provider access. cited →
Enterprise: does not train Generative AI models are never trained on customer data unless the customer gives affirmative opt-in consent. (Traditional ML like recommendations: opt-out via email.) cited →
see per-tier citations

Security Posture authoritative · cited

Known Vulnerabilities (CVE / CISA KEV) Not applicable
No CVE/CPE software identity is mapped to this hosted service; known-vulnerability tracking does not apply to the service identity assessed here.
Vulnerability Disclosure Policy (security.txt) Found 1
Email Spoofing Protection (DMARC) Protected
DMARC enforced and SPF present — spoofing well mitigated.
Web TLS Certificate Valid
Data Breach History None found
Queried the authoritative source; no records.
Supply-Chain Security (OpenSSF Scorecard) Not applicable
Closed-source service — no public source repository; OpenSSF Scorecard (open-source supply-chain) does not apply.
OFAC Sanctions Screening None found
Queried the authoritative source; no records.
SEC Cyber Incident Disclosures (8-K 1.05) None found
Queried the authoritative source; no records.

Certifications Available Under NDA / Trust Center attested · report gated

CertificationStatusTrust Center
ISO 27001 Available via Trust Center https://slack.com/security
SOC3 Available via Trust Center https://slack.com/security
An independent audit report exists but is gated behind an NDA or trust-center registration. Request it directly via the vendor's trust center. These count as partial assurance — stronger than a vendor claim, but not an open third-party attestation.

Vendor-Claimed, Not Independently Verified treat as unconfirmed

FEDRAMP LOW Claimed — not independently verified https://slack.com/security
FEDRAMP MODERATE Claimed — not independently verified https://slack.com/security
ISO 27017 Claimed — not independently verified https://slack.com/security
ISO 27018 Claimed — not independently verified https://slack.com/security
ISO 27701 Claimed — not independently verified https://slack.com/security
These appear on the vendor's site but we could not confirm an independent audit report. Request the underlying attestation before relying on them.

Common compliance questions

Each answer is grounded in the cited evidence above — with an honest "no evidence on file" where nothing is published.

Tracked Legal & Policy Documents

DocumentURL
Cookie https://slack.com/cookie-policy
Dpa https://slack.com/terms-of-service/data-processing
Gdpr Compliance https://slack.com/gdpr
Msa https://slack.com/main-services-agreement
Pricing https://slack.com/pricing
Privacy https://slack.com/privacy
Security https://slack.com/trust/compliance
Subprocessors https://slack.com/slack-subprocessors
Tos https://slack.com/legal
Trust https://slack.com/trust
Vuln Mgmt https://slack.com/.well-known/security.txt

How to Obtain Non-Public Documents

These documents were not found at a public URL — which is normal. Many are provided on request, only on enterprise plans, or via the vendor's trust portal. Here is where each lives and what to do to get it.

DocumentAvailabilityHow to obtain
Business Associate Agreement (BAA) On request (HIPAA only) A BAA is required only when processing PHI under HIPAA and is almost never published publicly. Request one from the vendor's compliance/legal team during enterprise onboarding — it is typically signed under NDA. Trust center →
Service Level Agreement (SLA) Enterprise tier A formal uptime/support SLA is generally offered only on enterprise/paid plans and attached to the order form. Ask sales for the SLA exhibit or check the enterprise pricing page; the trust center often summarises uptime commitments. Trust center →

Continuous Monitoring change-tracking active

7 legal & policy documents under change-monitoring since 2026-05-31. Baseline captured — future revisions will be flagged.

CookieDpaMsaPrivacySlaSubprocessorsTos

View full Slack change history →

Search the Legal Documents verbatim · cited

Search Slack's captured Terms, DPA, Privacy Policy and sub-processor list. Results are the exact clauses from the source documents, each with a link to where it lives. No summary, no interpretation — just the wording on the record. If nothing matches, we say so rather than guess.

Every result is a verbatim clause pulled straight from the linked source document — nothing is paraphrased or generated.

Monitor Slack — get alerted when this changes

This brief is a point-in-time snapshot. Vendors quietly revise their DPA, sub-processors, certifications and security posture — and disclose new CVEs. Get a priority email the moment Slack changes something that affects your risk. Built for procurement & security teams.

Free. One email per material change. Unsubscribe anytime. No sales spam.
Every data point above is extracted from the vendor's own official trust, security, or legal pages and links to its source. This brief contains no scraped sentiment, forum chatter, or AI-inferred opinion — only verifiable, deterministic facts. Verify each source before procurement decisions.