Slack is committed to trust and transparency
In the following documents and FAQ, you can find our policies and guidelines for requests for data from government and law enforcement entities, as well as civil third-party data requests. You can also find our annual reports on the number of requests that we receive and our responses.
Data request policy
As part of our commitment to trust and transparency, our Data request policy outlines Slack’s policies and procedures for responding to requests for customer data. This policy guides our practices with respect to requests for third-party data, requests by legal authorities, customer notice and international requests for data.
Salesforce publishes information annually on the law enforcement and government requests that Salesforce companies, including Slack, received in the prior calendar year. These transparency reports outline Salesforce’s guiding principles for maintaining customer confidentiality, the number of requests that it receives annually and data regarding responses. Past years’ Transparency Reports can be found in Slack’s Legal archive.
Frequently asked questions
How does Slack handle requests from government and law enforcement?
Where should I send legal process?
All requests by law enforcement and government entities (including international government and law enforcement entities) may be sent to our legal process email alias: firstname.lastname@example.org
What information does Slack need to process my request?
In addition to all requisite and applicable legal requirements, all legal process requests should include the following information: (a) the government entity or law enforcement agency, (b) the relevant criminal or civil matter and (c) identifying information about the Slack workspace, including the relevant customer and user names, date range, the Slack workspace URL (slackname.slack.com) and the type of data sought. The request must also come from a government-issued email account and include full contact information for the requesting officer.
What happens when Slack receives a law enforcement request?
We carefully review all requests for legal sufficiency, keeping user privacy in mind. Slack may reject or challenge any requests that are unclear, overly broad or inappropriate.
How often do you provide data to government and law enforcement entities?
Our Transparency report details the number of requests that we receive each year. The current report covers 1st January to 31st December 2019 inclusive, and specifies the number of subpoenas, warrants and other requests for data that were received during that year. The report also includes the type of information that we provided, including content and non-content data.
Do you assist law enforcement and government authorities in conducting surveillance of communications?
Slack does not conduct real-time surveillance of customers, nor do we voluntarily provide governments with access to any data about users for surveillance purposes. Please read our Transparency report for more information.
Is Slack eligible to receive ‘upstream’ or bulk surveillance orders under Section 702 of the American Foreign Intelligence Surveillance Act (FISA)?
No. As with all other communication platforms in the United States, Slack qualifies as an electronic communications service (‘ECS’) or remote computing service (‘RCS’) (as defined in Sections 2510 and 2711 of Title 18 of the United States Code, respectively) when it provides services to customers. It is thus possible that the United States government could serve a targeted directive to Slack under FISA Section 702.
However, Slack is not eligible to receive a 702 order for ‘upstream’ surveillance. In the sense in which FISA Section 702 has been applied by the US government, upstream orders are used only to target traffic flowing through Internet backbone providers that carry traffic for third parties. See the Privacy and Civil Liberties Oversight Board, Report on the Surveillance Program Operated Pursuant to Section 702 of the Foreign Intelligence Surveillance Act (2nd July 2014) pp. 35-40, available at https://fas.org/irp/offdocs/pclob-702.pdf. Slack does not provide such backbone services, as it only carries traffic involving its own customers. As a result, it is not eligible to receive the type of order principally addressed in, and deemed problematic by, the Schrems II decision.
Does Slack assist US authorities in their bulk collection of information under Executive Order 12333?
Slack does not provide any assistance to US authorities conducting surveillance under Executive Order 12333. Furthermore, EO 12333 does not grant the US government the ability to compel companies to provide assistance with those activities, and Slack will not do so voluntarily. As a result, Slack does not, and cannot be ordered to, take any action to facilitate the type of bulk surveillance under EO 12333.
How does Slack protect data in motion and data at rest?
Slack employs a range of technical and organisational measures to defeat efforts to intercept, surveil or otherwise access without authorisation data in transit. For instance, Slack encrypts all transfers of data to prevent the acquisition of such data by third parties, such as governmental authorities, who may gain physical access to the transmission mechanisms while the data is in transmission. Slack only utilises secure data transport via TLS 1.2 over HTTPS. This feature is always enabled to limit any third-party efforts to tamper with or tap into the data transfers between the two end-points (Slack and our customers).
Our Enterprise Key Management workspace offers additional safeguards by creating an immutable audit log so that the customer is notified every time its data is accessed. The act of preserving or producing EKM content would trigger an observable entry in the access log available to the customer. Customers may also revoke encryption keys to prevent access to unencrypted content.
Does the passing of the US CLOUD Act affect the way that Slack responds to US government legal requests?
No. The CLOUD Act, enacted in 2018, clarified the geographic scope for US law enforcement requests and created a statutory basis for companies like Slack to challenge requests that conflict with foreign law in certain circumstances. The CLOUD Act did not change any of the pre-existing legal and privacy protections afforded to user data and Slack applies the same rigorous review to all legal process served on it, including those issued pursuant to the CLOUD Act.
What kind of data might be disclosed in response to legal process from law enforcement or government entities?
Content data includes user generated data, for example public and private messages, posts, files and direct messages. Slack requires a search warrant to produce such data to law enforcement.
Non-content data is basic account information (such as name and email address, profile information, registration information, login history and billing information) and other non-content metadata (such as the date, time and sender/recipient of messages or files). Depending on the type of data requested, Slack may require a compulsory subpoena or a court order to produce this data.
What is the difference between a search warrant, a court order and a law enforcement subpoena?
A search warrant is an order issued by a judge or magistrate upon finding of probable cause. A search warrant is required to obtain the content of communications.
A court order is issued when a court finds that the government has demonstrated that there are reasonable grounds to believe that the information sought is relevant and material to an ongoing criminal investigation. The government can obtain basic non-content data and metadata about a workspace with a court order, but not content.
A law enforcement subpoena is a compulsory demand issued by a governmental entity for the production of a limited set of information, such as a customer’s name, address, length of service or means and source of payment, in support of an authorised criminal investigation.
Can the government and/or law enforcement obtain deleted data from Slack?
Generally, no. Unless deleted data is retained by a customer pursuant to their retention settings, it is removed from Slack’s systems immediately upon deletion. Once deleted, data may reside in our security backups for a limited period of time (up to 14 days, but often fewer). Once the backup period is over, Slack hard deletes all information from our production systems. Once fully deleted, Slack cannot retrieve the data for any purpose, including for purposes of responding to government and law enforcement requests.
How does Slack handle emergency requests?
If you have an emergency involving danger of death or serious physical injury and you believe Slack has data that may be necessary to mitigate that harm, authorised law enforcement personnel should contact us at email@example.com and we will assess the request.
Do you give customers notice before producing data to a governmental or law enforcement entity?
Unless Slack is prohibited from doing so or there is a clear indication of illegal conduct or risk of harm, Slack will notify the customer, typically by emailing the primary owner, before disclosing data so that the customer may promptly seek legal remedies.
What about third-party or civil requests for data?
Third parties seeking data should contact the Slack workspace owner directly. Wherever possible, we encourage parties to manage their requests without our involvement. Workspace owners should be able to run their own export in order to comply with an appropriate legal request. If you need assistance with those exports, the primary owner can contact us to see if they qualify for an export due to legal necessity.
Please note that the Stored Communications Act, section 2701 et seq. of Title 18 USC, strictly prohibits a provider such as Slack from disclosing the contents of communications to third parties. A civil subpoena or civil court order is not sufficient under the SCA to obtain content from a Slack workspace.