Slack
Enterprise-Ready
Strong verifiable security and governance posture.
Readiness Breakdown (deterministic · evidence-only)
- Independent Certification: SOC 2 / ISO certifications confirmed via the vendor's trust portal (ISO 27001, SOC 3). Audit report available under NDA — standard enterprise practice.
- Vendor-Stated Compliance: Vendor states (cited, not independently audited): BAA Available (HIPAA), GDPR, HIPAA, ISO 27001, SOC 2.
- Customer-Data Training: Enterprise terms: does NOT train on customer data (consumer/free tiers may differ — see breakdown).
- Data Processing Agreement: A Data Processing Agreement is published and tracked.
- Breach History: No known breaches in Have I Been Pwned.
- Vulnerability Exposure: No product identity match in vulnerability databases — not assessed.
- Email Spoofing Protection (DMARC): DMARC enforced — domain spoofing mitigated.
- Vulnerability Disclosure Policy: Publishes a security.txt disclosure policy (RFC 9116).
- Web TLS Certificate: Valid TLS certificate in place.
- Legal Transparency: 11 legal/policy documents publicly tracked.
Ask This in Your Security Review (1 open item)
- Vulnerability Exposure: Request the remediation timeline / patch status for known CVEs (and any KEV-listed items).
Compliance Posture (vendor-stated · cited)
| Framework | Status | Source |
|---|---|---|
| BAA Available (HIPAA) | Stated by vendor | https://slack.com/help/articles/360020685594-Slack-and-HIPAA |
| GDPR | Stated by vendor | https://slack.com/trust/compliance/gdpr |
| HIPAA | Stated by vendor | https://slack.com/help/articles/360020685594-Slack-and-HIPAA |
| ISO 27001 | Stated by vendor | https://slack.com/trust/compliance |
| SOC 2 | Stated by vendor | https://slack.com/trust/compliance |
Data & Contract Facts (deterministic · cited)
| Attribute | Value | Source |
|---|---|---|
| Data Residency | Australia, Brazil, Canada, France, Germany, India, Japan, Singapore, South Korea, Switzerland, United Arab Emirates, United Kingdom, United States | https://slack.com/help/articles/360035633934-Data-residency-for-Slack |
| Sub-processors (published list) | Published document | https://slack.com/slack-subprocessors |
| Trains on Customer Data (key clause) | Free / Pro: does not train. Slack does not use Customer Data (messages, files) to train LLMs; generative AI runs on off-the-shelf models hosted in Slack's own VPC with no provider access. Enterprise: does not train. Generative AI models are never trained on customer data unless the customer gives affirmative opt-in consent (traditional ML such as recommendations: opt-out via email). | see per-tier citations |
Security Posture (authoritative · cited)
Certifications Available Under NDA / Trust Center (attested · report gated)
| Certification | Status | Trust Center |
|---|---|---|
| ISO 27001 | Available via Trust Center | https://slack.com/security |
| SOC 3 | Available via Trust Center | https://slack.com/security |
Vendor-Claimed, Not Independently Verified (treat as unconfirmed)
| Certification | Status | Source |
|---|---|---|
| FedRAMP Low | Claimed — not independently verified | https://slack.com/security |
| FedRAMP Moderate | Claimed — not independently verified | https://slack.com/security |
| ISO 27017 | Claimed — not independently verified | https://slack.com/security |
| ISO 27018 | Claimed — not independently verified | https://slack.com/security |
| ISO 27701 | Claimed — not independently verified | https://slack.com/security |
Tracked Legal & Policy Documents
| Document | URL |
|---|---|
| Cookie Policy | https://slack.com/cookie-policy |
| DPA | https://slack.com/terms-of-service/data-processing |
| GDPR Compliance | https://slack.com/gdpr |
| MSA | https://slack.com/main-services-agreement |
| Pricing | https://slack.com/pricing |
| Privacy Policy | https://slack.com/privacy |
| Security | https://slack.com/trust/compliance |
| Sub-processors | https://slack.com/slack-subprocessors |
| ToS | https://slack.com/legal |
| Trust | https://slack.com/trust |
| Vulnerability Management (security.txt) | https://slack.com/.well-known/security.txt |
How to Obtain Non-Public Documents
These documents were not found at a public URL, which is normal: many are provided only on request, only on enterprise plans, or via the vendor's trust portal. The table below lists where each lives and how to obtain it.
| Document | Availability | How to obtain |
|---|---|---|
| Business Associate Agreement (BAA) | On request (HIPAA only) | A BAA is required only when processing PHI under HIPAA and is almost never published publicly. Request one from the vendor's compliance/legal team during enterprise onboarding; it is typically signed under NDA. |
| Service Level Agreement (SLA) | Enterprise tier | A formal uptime/support SLA is generally offered only on enterprise/paid plans and attached to the order form. Ask sales for the SLA exhibit or check the enterprise pricing page; the trust center often summarises uptime commitments. |
Continuous Monitoring (change-tracking active)
7 legal & policy documents under change-monitoring since 2026-05-31. Baseline captured; future revisions will be flagged.