This policy is being updated in support of new Slack features, including International Data Residency and Enterprise Key Management, and continues our commitment to customer privacy, trust, and transparency.
Effective: Oct 7, 2019
Slack receives requests from government agencies, users, and other third parties to disclose data other than in the ordinary operation and provision of the Services. This Data Request Policy outlines Slack’s policies and procedures for responding to such formal requests for Customer Data. Any capitalized terms used in this Data Request Policy that are not defined will have the meaning set forth in the Customer Terms of Service. In the event of any inconsistency between the provisions of this Data Request Policy and the Customer Terms of Service or written agreement with Customer, as the case may be, the Customer Terms of Service or written agreement will control.
Requests for Customer Data by Individuals
Third parties seeking Customer Data should contact the Customer regarding such requests. The Customer controls the Customer Data and generally gets to decide what to do with all Customer Data.
Requests for Customer Data by Legal Authority
Slack is committed to the importance of trust and transparency for the benefit of our Customers. Except as expressly permitted by the Contract or as described in this policy, Slack will only disclose Customer Data in response to valid legal process. Slack requires a search warrant issued by a court of competent jurisdiction or the equivalent legal process in the applicable jurisdiction to disclose the contents of Customer Data. Slack does not voluntarily disclose any data to governmental entities unless (a) there is an emergency involving imminent danger of death or serious physical injury to any person, or (b) to prevent harm to the Services or Customers. Slack also does not voluntarily provide governments with access to any data about users for surveillance purposes.
- All requests by governmental entities or parties involved in litigation seeking content data associated with Customers who are under contract with Slack Technologies, Inc. a U.S. company, should be sent to firstname.lastname@example.org.
- All requests by governmental entities or parties involved in litigation seeking content data associated with Customers who are under contract with Slack Technologies Limited, an Irish Company, should be sent to email@example.com. These requests will be processed by personnel located in Dublin, Ireland.
- All requests should include the following information: (a) the requesting party, (b) the relevant criminal or civil matter, and (c) a description of the specific Customer Data being requested, including the relevant Customer’s name and relevant Authorized User’s name (if applicable), Slack workspace url, and type of data sought.
Requests should be prepared and served in accordance with applicable law. All requests should be focused on the specific Customer Data sought. All requests will be construed narrowly by Slack, so please do not submit unnecessarily broad requests. If legally permitted, Customer will be responsible for any costs arising from Slack’s response to such requests.
Unless Slack is prohibited from doing so or there is a clear indication of illegal conduct or risk of harm, Slack will notify Customer of the request before disclosing any of Customer’s Customer Data so that the Customer may seek legal remedies. If an Enterprise Key Management is the subject of a legal process request seeking content, the production could be encrypted (based on the Customer settings), and would also trigger an observable entry in the access log available to the Customer. If Slack is legally prohibited from notifying the Customer prior to disclosure, Slack will take reasonable steps to notify the Customer of the demand after the nondisclosure requirement expires. In addition, if Slack receives legal process subject to an indefinite non-disclosure requirement (including a National Security Letter), Slack will challenge that non-disclosure requirement in court.
Domestication and International Requests
Slack requires that any individual or entity issuing legal process or legal information requests (e.g., discovery requests, warrants, or subpoenas) ensure that the process or request is properly domesticated. For data stored in the United States, Slack does not accept legal process or requests directly from law enforcement entities outside the U.S. or Canada. Foreign law enforcement agencies seeking data stored within the U.S. should proceed through a Mutual Legal Assistance Treaty or other diplomatic or legal means to obtain data through a court where Slack is located. Requests directed to Slack Technologies Limited, an Irish Company, must be issued out of or domesticated in Ireland, while requests directed to Slack Technologies, Inc., the U.S. entity, must be issued out of or domesticated in the U.S.