Slack and FERPA Compliance
About Slack
Slack is a layer of the business technology stack that brings together people, data and applications—a single place where people can effectively work together, find important information, and access hundreds of thousands of critical applications and services to do their best work. From global Fortune 100 companies to corner markets, businesses and teams of all kinds use Slack to bring the right people together with all the right information.
Slack is committed to keeping your data private and secure.
At Slack, our mission is to make your working life simpler, more pleasant and more productive. At the center of this mission is protecting the privacy and security of our customers’ data. We understand that customers in the education sector are subject to specific compliance obligations, including those under the Federal Education Rights and Privacy Act (FERPA). So, we have created this guide to help inform our education customers about what Slack is doing to support them with their unique compliance responsibilities. Slack’s privacy practices, technical controls, and security measures are designed to protect the data its customers submit to Slack, such as messages or files, which we call “Customer Data”.
What is FERPA?
FERPA is a United States federal law that protects the privacy of students in their educational records from unauthorized disclosure. Rights under FERPA transfer from the parents of a student to the student when the student turns 18 years of age or enrolls in school beyond the high school level at any age. FERPA applies to all academic institutions that receive funds from a Department of Education program.
What are educational records?
FERPA classifies educational records as records that directly relate to a student and are maintained by an educational agency, academic institution, or by a party acting for the agency or institution.
Is there a FERPA certification?
There are not currently any certification programs approved by the federal government that assess third-party compliance with FERPA. Academic institutions must perform their own assessments to determine whether a third-party product or service affects their compliance.
Here’s how Slack supports education-sector customers with their FERPA compliance.
- Data Security. We support the latest recommended secure cipher suites and protocols to encrypt Customer Data in transit and at rest. We also perform regular vulnerability scans and application-level penetration tests by independent entities. For more information on Slack’s security, visit slack.com/security.
- Data retention and disposal. Customer Data is removed from production servers nightly following deletion by the end user or upon expiration of message retention based on customer administrator configuration, and is then permanently deleted from backup within 14 days in line with the practices described in Slack’s Security Practices Page.
- Customer Data Privacy. We do not monitor the content of Customer Data you submit to Slack.
- Transparent security and privacy practices. Slack’s policies and practices are customer-conscious and transparent. Our security practices and privacy policy are publicly available. Customers can review our third-party audit reports, including our annual SOC 2 report, upon request (and they are available to potential customers after signing an NDA).
- Subprocessor Transparency. We are also transparent about our subprocessors: third-party data processors that help support the delivery of Slack and with whom we share Customer Data. A list of our current subprocessors is available here.
- Physical Safeguards. Amazon Web Services (AWS) is our third-party hosting provider. AWS has world-class physical and environmental security, including strictly controlled perimeters, ingress points with video surveillance, on-site security, and two-factor authentication. More on AWS’s physical and environmental security is available here.
- Enterprise Grid features and functionality help keep customers’ data secure. Customers on the Enterprise Grid plan have access to features that enhance the ability of security-conscious, regulated customers to share their sensitive conversations, data, and files on Slack. As of the date of release of this guide, such features include, but are not limited to, the ability to establish a customer-defined terms of service message for end users, to enable Discovery API to facilitate use of approved third-party apps for eDiscovery or Data Loss Prevention (DLP), to set global message and file retention policies, to block file downloads on untrusted devices, and to utilize Enterprise Key Management (EKM) — an add-on feature available for purchase that lets the customer utilize its own encryption keys for use in Slack so that it has complete visibility and control over its data.
Slack is here for you.
Every company and team using our service expects their sensitive information and customer data to be secure and confidential. Safeguarding this data is a critical responsibility that we have to our customers, and we work hard to maintain that trust. If you are an education sector customer and would like to learn more about Slack’s plans and features, or discuss how Slack can assist with your FERPA compliance obligations, please contact a Slack Account Executive today.