Understand Privacy Constraints in Slack

Before we dive into how best to use Slack, you should understand what steps Slack takes to protect your privacy—both as a company and within the product it makes. You may wind up communicating in public and private ways within a workspace, and you should rightly be concerned about who within your workspace (from a technical standpoint) and within your company or organization can see your messages, as well as whether Slack (the company) or anyone else—such as government entities—can view your interactions.

The answer has a lot of nuance and complexity, because it depends partly on who owns and runs your workspace, and partly on the pricing tier of the workspace, no matter who owns it.

How Slack Stores Your Data

Slack encrypts all data, both in transit and at rest, which means that all connections from Slack apps back to the Slack mothership are protected, and when your messages and files land in central storage, they’re also cryptographically locked.

However, Slack can decrypt 100% of your data. It possesses all the encryption keys, and it relies on its own security controls to keep unwanted parties from gaining access to your data.
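The distinction the two paragraphs above draw (encrypted at rest, yet fully readable by the service that holds the keys) is easy to illustrate. The following is an added example written for this page, not Slack's code; it uses a constructed toy stream cipher built from HMAC-SHA256 purely so it runs with the standard library, and the service, store, and message contents are all assumptions. It shows that the at-rest encryption defeats someone who reads the raw storage without the key, while the key holder can produce plaintext on demand:

```python
"""Toy model of provider-held encryption at rest (constructed example, not Slack's code)."""
import hashlib
import hmac
import secrets


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy stream cipher: HMAC-SHA256 run in counter mode. Illustrative only;
    # a real service would use an authenticated cipher such as AES-GCM.
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        out += block
        counter += 1
    return bytes(out[:length])


def encrypt_at_rest(key: bytes, plaintext: bytes) -> bytes:
    # Fresh nonce per record; output is nonce || ciphertext.
    nonce = secrets.token_bytes(16)
    stream = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(a ^ b for a, b in zip(plaintext, stream))


def decrypt_at_rest(key: bytes, blob: bytes) -> bytes:
    nonce, body = blob[:16], blob[16:]
    stream = _keystream(key, nonce, len(body))
    return bytes(a ^ b for a, b in zip(body, stream))


class MessageStore:
    """The service side of the model: it generates and keeps the key, so it can always decrypt."""

    def __init__(self) -> None:
        self._key = secrets.token_bytes(32)  # held by the service, never by the user
        self._rows: dict[str, bytes] = {}

    def post(self, msg_id: str, text: str) -> None:
        # The message arrives in the clear inside the TLS session (transit
        # protection, not modelled here) and is encrypted only when stored.
        self._rows[msg_id] = encrypt_at_rest(self._key, text.encode())

    def raw_storage(self) -> dict[str, bytes]:
        # What someone with read access to the disk or database, but no key, sees.
        return dict(self._rows)

    def export(self, msg_id: str) -> str:
        # What the service produces when it decides, or is compelled, to export.
        return decrypt_at_rest(self._key, self._rows[msg_id]).decode()


def demo() -> dict:
    """Run the model on one constructed message and report both views of it."""
    store = MessageStore()
    store.post("m1", "private DM: salary numbers for Q3")  # constructed sample text
    stolen_blob = store.raw_storage()["m1"]
    return {
        "storage_leaks_plaintext": b"salary" in stolen_blob,
        "service_can_export": store.export("m1"),
    }


if __name__ == "__main__":
    print(demo())
```

The security boundary in this model is key custody, not the cipher: `raw_storage()` gives an outsider nothing useful, but `export()` succeeds for anyone who controls the service or can oblige it to act, which is exactly the position the text describes Slack, and the legal processes it must answer to, as holding.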

Slack has made the legally binding, somewhat convoluted statement: “Individuals authorized by Customer to access the Services…may submit content or information to the Services, such as messages or files…and Customer may exclusively provide us with instructions on what to do with it.” Although I am not a lawyer—and this doesn’t constitute legal advice—the gist is that the “Customer,” which the terms define as “the organization that you represent in agreeing to the Contract,” owns everything submitted to the workspace. All users of the workspace agree that that organization (or person) owns that content, too.

But the company also must comply with any legal process that requires it to disclose information, whether to law enforcement or in response to a subpoena in a civil lawsuit.

Slack complies with the European Union’s General Data Protection Regulation (GDPR), a set of privacy and disclosure rules in effect since May 2018, and which companies that do business in the EU and with EU citizens and residents have to meet.

Slack stores its data largely in the United States and has some operations in Ireland. This doesn’t put it out of the reach of authorities outside the United States and the EU, but it does set a higher bar for pursuing access to customer data.

However, starting in late 2019, Slack will allow Plus and Enterprise customers to store their own data on servers in certain regions, which will make this issue much more complex.

When Slack Reveals Private Messages

While Slack says that a customer owns everything in a workspace, it’s important to recognize who that customer is. Unless you’re a workspace owner, you are not the customer. Your relationship with Slack is indirect, and your ownership is effectively “none.”

The relationship is with one or more owners, and an owner can delegate some of these permissions to one or more admins. (Below I’ll refer just to owners for simplicity’s sake.)

Can you have any assurance that a message you post on Slack would remain private, either to the workspace with a public channel or between you and other people in a private channel or direct message?

Simply: No.

The owner of any workspace, from the free tier through a massive Enterprise Grid installation, can view or export all messages in public channels. This is called Standard Export.

Where it gets trickier is with private messages. As I explain later in the book, Slack lets you set up private channels, which are invisible to everyone but invited participants; messages and files attached to those channels are excluded from public search. The same is true for direct message conversations with two or more people.

Slack has essentially three scenarios in which private messages and files can be retrieved:

  • For civil, criminal, or regulatory reasons: Any workspace, including those at the free tier, can have private content exported for a fairly broad set of reasons. This can include the need to conduct a workplace investigation, a financial rule for message retention, a court order, or a GDPR request by a former employee. Free and Standard plan owners have to apply each time they want an export. Slack may deny requests.

  • Corporate Export: This option, available to Plus workspaces, still requires a reason for Slack to enable it, typically because of compliance in an industry. Groups in some industries may, by the same token, have to use the Plus tier instead of free or Standard, because they require routine export and storage of private messages. For Corporate Export, Slack has to validate that employment agreements have proper disclosures and that the exports meet its understanding of local law.

  • Enterprise-scale content monitoring: For Enterprise Grid customers, Slack can approve access—with the same conditions as Corporate Export—to an API that lets approved third-party software directly access private and public messages to scan for misuse of sensitive and regulated data, and to meet regulatory and other compliance rules. It’s likely to be seen in highly regulated or secretive industries, like legal, financial, healthcare, and technology manufacture.

Should You Self-Censor on Slack?

How you handle yourself in Slack surely depends first on the type of group of which you’re a part. If it’s a bunch of parents managing logistics for a kids’ soccer team, that workspace’s owner has a very high bar to pass to get Slack to approve exporting private messages. The owner would likely need to present compelling indications of an illegal act—like domestic assault—in which case law enforcement would likely make the request instead of the owner.

For nonprofit organizations and small businesses outside of regulated industries, the odds are also fairly low that your private messages would ever be exported, unless a major scandal, lawsuit, or crime occurred that again passed Slack’s high bar for revealing data.

For these types of groups, I’d suggest thinking about it the same way you might your private email. How likely is it that your Gmail or other mail would be breached by lawsuit or law enforcement? That’s the same bar a Slack workspace meets, and Slack would likely fight as hard as Google and other companies to prevent an owner from gaining information to which they weren’t entitled, and to resist legal authorities or courts that overreach.

If you work for a relatively large company or one that works in sensitive, secure, or regulated industries, I’d use the same care you engage in with other forms of communications, written and electronic, with the assumption that any private message on Slack could easily find its way into a human resources office or be raised in a lawsuit.
