Security Practices
Publish Date: June 30, 2022
We take the security of your data very seriously at Slack. As transparency is one of the principles on which our company is built, we aim to be as clear and open as we can about the way we handle security. If you have additional questions regarding security, we are happy to answer them. Please write to feedback@slack.com and we will respond as quickly as we can. This Security Practices Page describes the administrative, technical and physical controls applicable to (a) Slack, and (b) GovSlack. This documentation does not apply to services that may be associated or integrated with GovSlack.
Platform Controls
Architecture and Data Segregation
The Slack services and GovSlack services are operated on a multitenant architecture at both the platform and infrastructure layers. The architecture is designed to segregate and restrict access, based on business needs, to the data you and your users make available via the Slack services or GovSlack services, as more specifically defined in your agreement with Slack (or its corporate affiliate(s)) covering the use of the Slack services or GovSlack services (“Customer Data”). It provides logical data separation for each customer via a unique ID.
Public Cloud Infrastructure
The Slack services and GovSlack services are hosted over the Internet on a “Public Cloud”, i.e. computing services offered by third party providers to anyone who wants to use or purchase them. Like all cloud services, a public cloud service runs on remote servers that the provider manages.
Audits
To verify that our security practices are sound and to monitor the Slack services and GovSlack services for new vulnerabilities discovered by the security research community, the Slack services and GovSlack services undergo security assessments by internal personnel, and the Slack services additionally undergo regular audits by respected external security firms. In addition to periodic and targeted audits of the Slack services and GovSlack services and their features, we also employ continuous hybrid automated scanning of our web platform. Customers may download a copy of available applicable external audit reports here.
Certifications
Certifications are performed on the Slack services, and Customers may download a copy of available applicable certifications here.
Security Controls
Slack will implement and maintain appropriate technical and organizational measures to protect Customer Data, including any personal data processed or transmitted through the Slack services and GovSlack services, against accidental or unlawful destruction, loss, alteration, and unauthorized disclosure or access. The Slack services and GovSlack services have a number of security controls, including but not limited to:
- Access logging. Detailed access logs are available both to users and administrators of paid teams. We log every time an account signs in, noting the type of device used and the IP address of the connection. Team Administrators and owners of paid teams can review consolidated access logs for their whole team.
- Access Management. Administrators can remotely terminate all connections and sign out all devices authenticated to the Slack services or GovSlack services at any time, on demand.
- Data Retention. Owners of paid Slack teams can configure custom message retention policies on a team-wide and per-channel basis. Setting a custom duration for retention means that messages or files older than the duration you set will be deleted from the Slack services’ or GovSlack services’ production servers on a nightly basis.
- Host Management. We perform automated vulnerability scans on our production hosts and remediate any findings that present a risk to our environment. We enforce screen lockouts and the use of full disk encryption for company laptops.
- Network Protection. In addition to sophisticated system monitoring and logging, we have implemented two-factor authentication for all server access across our production environment. Firewalls are configured according to industry best practices, using AWS security groups.
- Product security practices. New features, significant functionality, and design changes go through a security review process facilitated by the security team. In addition, our code is audited with automated static analysis software, tested, and manually peer-reviewed prior to being deployed to production. The security team works closely with development teams to resolve any additional security concerns that may arise during development. Slack also operates a security bug bounty program. Security researchers around the world continuously test the security of the Slack services and GovSlack services, and report issues via the program. More details of this program are available at the bounty site.
- Team-wide two-factor authentication. Team Administrators can require all users to set up two-factor authentication on their accounts. Instructions for doing this are available in our Help Center.
Some of these controls cannot be disabled by the Customer; others allow Customers to customize the security of the Slack services or GovSlack services for their own use. As such, protecting Customer Data is a joint responsibility between the Customer and Slack. At a minimum, Slack will align with prevailing industry standards such as ISO 27001, ISO 27002, and ISO 27018, or any successor or superseding standard.
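To make the Data Retention control above concrete, here is an added example (illustrative code written for this page, not Slack's implementation) of what a nightly retention run has to decide: for each stored message or file, look up the retention duration for its channel, falling back to the team-wide default when the channel has no override, and hard-delete anything older than that duration. The data model, the in-memory store, the use of `None` to mean "no limit", and the sample items are all assumptions constructed for the example.

```python
"""Nightly retention purge with team-wide default and per-channel overrides.
Illustrative example only; not Slack's code."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Item:
    id: str
    channel: str
    kind: str           # "message" or "file" (assumed model)
    sent_at: datetime   # must be timezone-aware; naive timestamps are rejected


@dataclass
class RetentionPolicy:
    team_days: Optional[int]                                 # None = keep forever (assumption)
    channel_days: Dict[str, Optional[int]] = field(default_factory=dict)

    def days_for(self, channel: str) -> Optional[int]:
        # A per-channel setting, when present, overrides the team-wide default.
        return self.channel_days.get(channel, self.team_days)


def expired_ids(items: List[Item], policy: RetentionPolicy, now: datetime) -> List[str]:
    """Ids of items strictly older than their channel's retention duration."""
    if now.tzinfo is None:
        raise ValueError("now must be timezone-aware")
    out: List[str] = []
    for it in items:
        if it.sent_at.tzinfo is None:
            # Comparing naive and aware datetimes would raise or silently skew
            # the cutoff; refuse rather than guess a timezone.
            raise ValueError(f"{it.id}: sent_at must be timezone-aware")
        days = policy.days_for(it.channel)
        if days is None:
            continue  # no retention limit for this channel
        cutoff = now - timedelta(days=days)
        if it.sent_at < cutoff:  # exactly `days` old is not yet "older than"
            out.append(it.id)
    return out


class Store:
    """Minimal stand-in for the production message/file store (assumption)."""

    def __init__(self, items: List[Item]):
        self._items = {i.id: i for i in items}

    def all(self) -> List[Item]:
        return list(self._items.values())

    def hard_delete(self, ids: List[str]) -> None:
        for i in ids:
            self._items.pop(i, None)

    def count(self) -> int:
        return len(self._items)


def nightly_purge(store: Store, policy: RetentionPolicy, now: datetime) -> List[str]:
    """One nightly run: compute expired ids, hard-delete them, return what was deleted."""
    ids = expired_ids(store.all(), policy, now)
    store.hard_delete(ids)
    return ids


# Constructed sample data: a team default of 90 days, a longer override for
# "legal", a short one for "random", and an "audit" channel with no limit.
NOW = datetime(2022, 6, 30, 2, 0, tzinfo=timezone.utc)
POLICY = RetentionPolicy(team_days=90, channel_days={"legal": 365, "random": 7, "audit": None})
SAMPLE = [
    Item("m1", "general", "message", NOW - timedelta(days=10)),    # kept: 10 < 90
    Item("m2", "general", "file",    NOW - timedelta(days=91)),    # deleted: 91 > 90
    Item("m3", "legal",   "message", NOW - timedelta(days=200)),   # kept: 200 < 365
    Item("m4", "legal",   "message", NOW - timedelta(days=400)),   # deleted: 400 > 365
    Item("m5", "random",  "message", NOW - timedelta(days=8)),     # deleted: 8 > 7
    Item("m6", "audit",   "message", NOW - timedelta(days=3000)),  # kept: no limit
    Item("m7", "general", "message", NOW - timedelta(days=90)),    # kept: exactly 90, not older
]


def run_sample():
    """Run one purge over the constructed data; returns (deleted ids, items remaining)."""
    store = Store(SAMPLE)
    deleted = nightly_purge(store, POLICY, NOW)
    return deleted, store.count()


if __name__ == "__main__":
    print(run_sample())
```

Two details worth noticing: the boundary is strict (an item exactly as old as the configured duration survives one more night), and the code refuses naive timestamps instead of assuming a timezone, since a wrong assumption there would delete data a day early or late. A real store would also need to delete associated search index entries and any replicas the backups are restored from, which the page addresses separately under Deletion of Customer Data.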
Intrusion Detection
Slack, or an authorized external entity, will monitor the Slack services and GovSlack services for unauthorized intrusions.
Security Logs
Systems used in the provision of the Slack services and GovSlack services log information to their respective system log facilities or a centralized logging service (for network systems) in order to enable security reviews and analysis. Slack maintains an extensive centralised logging environment in the production environment which contains information pertaining to security, monitoring, availability, access and other metrics about the Slack services and GovSlack services. These logs are analysed for security events via automated monitoring software, overseen by the security team. For the GovSlack services, the logs are only accessible from within the GovSlack environment and only by Qualified US Persons. “Qualified US Persons” are individuals who: (a) are United States citizens or lawful permanent residents; (b) are physically located within the United States while performing support for GovSlack; and (c) have completed a background check as a condition of their employment with Slack.
Incident Management
Slack maintains security incident management policies and procedures. Slack notifies impacted customers without undue delay of any unauthorized disclosure of their respective Customer Data by Slack or its agents of which Slack becomes aware to the extent permitted by law. Slack publishes system status information on the Salesforce Trust website and/or the Slack System Status page. Slack typically notifies customers of significant system incidents by email, and for incidents lasting more than one hour, may invite impacted customers to join a conference call about the incident and Slack’s response. Security incident management for GovSlack is performed by Qualified US Persons.
Data Encryption
The Slack services and GovSlack services use industry-accepted encryption products to protect Customer Data (1) during transmission between a customer's network and the Slack services and GovSlack services; and (2) when at rest. The Slack services and GovSlack services support the latest recommended secure cipher suites and protocols to encrypt all traffic in transit. We monitor the changing cryptographic landscape closely and work promptly to upgrade the service to respond to new cryptographic weaknesses as they are discovered and to implement best practices as they evolve. For encryption in transit, we do this while also balancing the need for compatibility with older clients.
Reliability, Backup, and Business Continuity
We understand that you rely on the Slack services and GovSlack services to work. We’re committed to making the Slack services and GovSlack services highly available services that you can rely on. Our infrastructure runs on systems that are fault-tolerant, for failures of individual servers or even entire data centres. Our operations team tests disaster recovery measures regularly and has a 24-hour on-call team to quickly resolve unexpected incidents. Industry standard best practices for reliability and back-up helped shape the design of the Slack services and GovSlack services. Slack performs regular backups, facilitates rollbacks of software and system changes when necessary and replication of data as needed. Where possible, Slack will assist the Customer with data recovery for Major Catastrophic Events, as limited by data residency requirements of the locality and capabilities within the region. “Major Catastrophic Event” means three broad types of occurrences: (1) natural events such as floods, hurricanes, tornadoes, earthquakes, and epidemics; (2) technological events such as failures of systems and structures such as pipeline explosions, transportation accidents, utility disruptions, dam failures, and accidental hazardous material releases; and (3) human-caused events such as active assailant attacks, chemical or biological attacks, cyber attacks against data or infrastructure, and sabotage. Major Catastrophic Event does not include bugs, operational issues, or other common software related errors.
Customer Data is stored redundantly in multiple locations in our hosting provider’s data centres to ensure availability. We have well-tested backup and restoration procedures which allow recovery from a major disaster. Customer Data and our source code are automatically backed up every night. The operations team is alerted in the event of a failure in this system. Backups are fully tested at least every 90 days to confirm that our processes and tools work as expected.
Data at Rest
Slack will store Customer Data at rest within certain major geographic areas except as otherwise provided in your Order Form.
Return of Customer Data
Within 30 days post contract termination, customers may request return of their respective Customer Data submitted to the Slack services and GovSlack services (to the extent such data has not been deleted by Customer). Information about the export capabilities of the Slack services and GovSlack services can be found at the Slack Help Center.
Deletion of Customer Data
The Slack services and GovSlack services provide the option for workspace Primary Owners to delete Customer Data at any time during a subscription term. Within 24 hours of workspace Primary Owner-initiated deletion, Slack hard deletes all information from currently running production systems (excluding team names and search terms embedded in URLs in web server access logs). Slack services and GovSlack services backups are destroyed within 14 days, except that during an on-going investigation of an incident such period may be temporarily extended.
When a customer terminates a paid subscription to Enterprise Grid or GovSlack services and does not otherwise elect to delete its account, Slack will initiate deletion of the customer's account within 90 days following the subscription termination and will, within 14 days after initiating that deletion, delete, and ensure that all of its Affiliates and applicable third party hosting providers delete, all copies of Customer Data (excluding team names, and search terms embedded in URLs in web server access logs). When a customer terminates any paid subscription to the Slack services other than Enterprise Grid or GovSlack services, the customer’s subscription will continue under the free usage tier for the Slack services subject to the then-current online Customer Terms of Service or other main online subscription agreement applicable to such free usage tier (“Free Subscription Terms”), and the Customer Data will not be deleted until (i) the Customer self deletes the workspace, (ii) the Customer otherwise instructs Slack to delete their Customer Data, or (iii) either party terminates the Free Subscription Terms. Upon the occurrence of any such event, Slack shall, within 14 days, delete, and ensure that all of its Affiliates and the permitted third party hosting providers delete, all copies of Customer Data (excluding team names, and search terms embedded in URLs in web server access logs).
Confidentiality
We place strict controls over our employees’ access to Customer Data. The operation of the Slack services and GovSlack services requires that some employees have access to the systems which store and process Customer Data. For example, in order to diagnose a problem you are having with the Slack services and GovSlack services, we may need to access your Customer Data. These employees are prohibited from using these permissions to view Customer Data unless it is necessary to do so. We have technical controls and audit policies in place to ensure that any access to Customer Data is logged.
All of our employees and contract personnel are bound to our policies regarding Customer Data and we treat these issues as matters of the highest importance within our company.
Personnel Practices
Slack conducts background checks on all employees before employment, and employees receive privacy and security training during onboarding as well as on an ongoing basis. All employees are required to read and sign our comprehensive information security policy covering the security, availability, and confidentiality of the Slack services and GovSlack services.
Infrastructure
Slack uses infrastructure provided by Amazon Web Services, Inc. (“AWS”) to host or process Customer Data submitted to the Slack services and GovSlack services. Information about security provided by AWS is available from the AWS Security website. Information about security and privacy-related audits and certifications received by AWS, including information on ISO 27001 certification and SOC reports, is available from the AWS Compliance website.