Our Commitment to You and the Protection of Your Data
We’re committed to partnering with Slack customers and users to help them understand and prepare for the General Data Protection Regulation (GDPR). The GDPR is the most comprehensive EU data privacy law in decades, and will come into effect on May 25, 2018. Besides strengthening and standardizing user data privacy across the EU nations, it will impose new or additional obligations on all organizations that handle EU citizens’ personal data, regardless of where the organizations themselves are located. On this page, we’ll explain our methods and plans to achieve GDPR compliance, both for ourselves and for our customers.
- Preparing for the GDPR
- Security Infrastructure Standards and Certifications
- International Data Transfers
- Data Portability Solutions and Management Tools
- Stay Updated
Preparing for the GDPR
The GDPR’s updated requirements are significant and our global team is working diligently to bring Slack’s product offerings and contractual commitments in line so customers can prepare themselves before May 25, 2018. Measures to achieve this include:
- Continuing to invest in our security infrastructure
- Making sure we have the appropriate contractual terms in place
- Ensuring we can support international data transfers by maintaining our Privacy Shield self-certifications, and by executing Standard Contractual Clauses through our updated Data Processing Addendum
- Changing our policies and product offerings to include new tools for data portability and data management
We’ll also continue to monitor the guidance around GDPR compliance from privacy-related regulatory bodies, and will adjust our plans accordingly if it changes. We’ll provide you with regular updates along the way so that you’re always current. You’ll find out about our upcoming product offerings as they become available in our Help Center.
Our Security Infrastructure and Certifications
Protecting our customers’ information and their users’ privacy is extremely important to us. As a cloud-based company entrusted with some of our customers’ most valuable data, we’ve set high standards for security. We’ve received several security certifications from the American Institute of Certified Public Accountants such as SOC 2 and SOC 3. The International Federation of Accountants also issued our ISAE 3000, a standard for assurance over non-financial information. We are in the process of expanding our ISO 27000 standards on information security management systems, the industry standards for how organizations handle data and implement security.
Slack has invested heavily in building a robust security team, one that can handle a variety of issues — everything from threat detection to building new tools. In accordance with GDPR requirements around security incident notifications, Slack will continue to meet its obligations and offer contractual assurances.
If you’d like to learn more about Slack’s security policies and procedures, please see our security page. It provides detailed information on how we approach security, and includes a white paper on how Slack ensures user data security in particular.
International Data Transfers: Privacy Shield and Contractual Terms
To comply with E.U. data protection laws around international data transfer mechanisms, we self-certified under the E.U.-U.S. Privacy Shield and the Swiss-U.S. Privacy Shield. These frameworks were developed to establish a way for companies to comply with data protection requirements when transferring personal data from the European Union and Switzerland to the United States.
In addition, we offer European Union Model Clauses, also known as Standard Contractual Clauses, to meet adequacy and security requirements for our customers who operate in the E.U.
Data Portability Solutions and Data Management Tools
Customers have requested tools to help them comply with the GDPR. And we’re happy to say that over the next few months, we’ll be building those tools. Information about the features and functionalities of these tools will be shared with you as it becomes available.
Compliance-related controls will include the following:
- Customer Data portability tool: Will expand customers’ ability to export their Customer Data.
- Personal Data Tools for Admins and Users: Will provide admins the ability to modify profiles within their teams. Users may also have the ability to search and modify their personal data and content submitted to Slack in certain situations.
Additionally, we do have existing tools for data exports. Read more about them in our Guide to Slack Data Exports.
Fulfilling our privacy and data security commitments is important to us. So we’re glad to help you prepare for all the changes the GDPR brings. This page will be revised to reflect GDPR-related information as it becomes available. If you have any questions about how Slack can help you with compliance, we hope you’ll reach out to us.