// Trust & Security Report

    Slack Technologies, LLC (a Salesforce company) logo

    Slack Technologies, LLC (a Salesforce company)

    Slack / Slack AI / GovSlack

    Certifications held

    20

    Maturity

    Enterprise

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    ISO/IEC 27001
    HELD

    ISO/IEC 27001 — Information Security Management System (ISMS). Download certificate.

    Verify on slack.com
    ISO/IEC 27017
    HELD

    ISO/IEC 27017 — Security Controls for the Provision and Use of Cloud Services. Download certificate.

    Verify on slack.com
    ISO/IEC 27018
    HELD

    ISO/IEC 27018 — Protection of Personally Identifiable Information (PII). Download certificate.

    Verify on slack.com
    ISO/IEC 27701
    HELD

    ISO/IEC 27701 — Privacy Information Management System (PIMS). Download certificate.

    Verify on slack.com
    ISO/IEC 42001
    HELD

    ISO/IEC 42001 — Information technology — Artificial intelligence — Management system. Download certificate.

    Verify on slack.com
    SOC 2 Type II
    HELD

    SOC 2 (Type II) — Trust Services Principles.

    Verify on slack.com
    SOC 3
    HELD

    SOC 3 — Service Organization Controls. Download report.

    Verify on slack.com
    FedRAMP Moderate
    HELD

    Slack is FedRAMP Moderate authorized to meet the compliance needs of organizations in the public sector.

    Verify on slack.com
    FedRAMP JAB High (GovSlack)
    HELD

    GovSlack is FedRAMP JAB High authorized and is also pursuing DoD CC SRG IL4 compliance.

    Verify on slack.com
    HIPAA (configurable)
    HELD

    Slack can be configured for HIPAA compliance, including electronically protected health information (e-PHI).

    Verify on slack.com
    FINRA 17a-4 (configurable)
    HELD

    Slack is FINRA 17a-4 configurable so your team can collaborate and still meet your compliance requirements.

    Verify on slack.com
    TISAX
    HELD

    Trusted Information Security Assessment Exchange — Scope-ID SHYV0T, Assessment-ID AMHN37.

    Verify on slack.com
    IRAP (Australia)
    HELD

    Slack has been assessed by an independent IRAP assessor against the requirements of the Australian Information Security Manual (ISM).

    Verify on slack.com
    ISMAP (Japan)
    HELD

    Slack was assessed for the Information System Security Management and Assessment Program (ISMAP), a Japanese Government program evaluating the security posture of cloud service providers.

    Verify on slack.com
    C5 (Germany BSI)
    HELD

    Slack completed its attestation for the Cloud Computing Compliance Criteria Catalog (C5), a standard created by the Federal Office for Information Security (BSI) in Germany.

    Verify on slack.com
    ENS High (Spain)
    HELD

    Slack has achieved ENS High, which is the highest achievable level of accreditation possible.

    Verify on slack.com
    Global CBPR Certification
    HELD

    Global CBPR Certification — Global Cross Border Privacy Rules Minimum Requirements. Download certificate.

    Verify on slack.com
    Global PRP Certification
    HELD

    Global PRP Certification — Global Privacy Recognition for Processors Minimum Requirements. Download certificate.

    Verify on slack.com
    CSA STAR
    HELD

    CSA — Cloud Security Alliance. View STAR Registry Listing.

    Verify on slack.com
    South Korea CSP Safety Assessment
    HELD

    Slack completed its evaluation for the Cloud Service Providers (CSP) Safety Assessment, a program performed by the Korean Financial Security Institute (K-FSI).

    Verify on slack.com

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    US and EU data residency options available; enterprise customers can choose the country or region for encrypted data at rest. Other international transfers documented (Australia, Canada, Japan, India, South Korea, US).

    Slack does not train LLMs on customer data. Direct quote from AI Principles page: 'Your Customer Data in Slack (like messages and files) are not used to train LLMs.' For generative AI, 'Slack will not use Customer Data to train generative AI models unless Customer provides affirmative opt-in consent.' For traditional (non-generative) ML models such as emoji and channel recommendations, customer data may be used in aggregate/de-identified form but customers can opt out by emailing feedback@slack.com. LLMs are hosted inside Slack's own AWS environment via an escrow VPC: 'The LLMs we use are deployed inside Slack's cloud environment, so model providers do not have access to your data.' Retrieval Augmented Generation (RAG) is used, meaning data is sent only at inference time and not retained.

    // Security controls

    Encryption at rest and in transit

    Yes, by default for all plans. 'In Slack, customer data is encrypted at rest and in transit by default.'

    slack.com

    Enterprise Key Management (EKM)

    Available on Enterprise Grid plans. Customers can bring their own encryption keys via Slack EKM.

    slack.com

    Bug bounty program

    HackerOne (active since 2014). URL: https://hackerone.com/slack. Paid program with more than $210,000 in historical payouts.

    slack.com

    Native Data Loss Prevention (DLP)

    Native DLP included; also supports third-party DLP providers.

    slack.com

    Single Sign-On (SSO)

    Supported with domain claiming and enterprise mobility management (EMM) integration.

    slack.com

    Audit logs

    Available for Enterprise Grid customers.

    slack.com

    Legal hold and eDiscovery

    Global retention policies, legal holds, and eDiscovery support available.

    slack.com

    AI content safety

    Slack AI Guardrails: 'a set of built-in foundational protections including content thresholds, safety instructions, context engineering, URL filtering, and output validation.' Real-time Content Safety Filters analyze queries before reaching LLMs.

    slack.com

    LLM data isolation

    'Customer data never leaves Slack's trust boundary.' LLMs deployed inside Slack's cloud environment via AWS escrow VPC. Model providers cannot access or retain customer data.

    slack.com

    AI admin controls

    'Admins can enable or disable AI features, giving customers full control over how and whether AI is used in their workspaces.'

    slack.com

    Penetration testing

    Not explicitly disclosed on public pages. Bug bounty program via HackerOne supplements external security testing. Enterprise white paper references 'network security and server hardening, administrative access control, system monitoring, logging and alerting.'

    slack.com

    // Products & data scope

    Slack FreeTeam messaging platform

    data: Limited message history; basic workspace data. AI features limited to basic conversation summaries.

    Free tier. No DLP, no audit logs. Same encryption baseline applies. DPA still available.

    Slack ProTeam messaging platform

    data: Full message history. Basic AI: conversation and thread summaries, huddle notes.

    Paid per-user. First paid tier. No enterprise compliance controls.

    Slack Business+Team messaging / AI collaboration platform

    data: Full message and file history. Advanced AI features: channel recaps, search, translations, Slackbot, enterprise search, Salesforce integration.

    As of June 2025 pricing update, advanced AI is now bundled (previously a separate add-on). Business+ includes SSO, DLP, and audit logs. Suitable for regulated industries with correct configuration.

    Slack Enterprise+ (Enterprise Grid)Enterprise messaging / AI / agent platform

    data: Full enterprise data including Salesforce CRM data. Enterprise Key Management, full audit logs, legal holds, eDiscovery, data residency, HIPAA/FINRA/FedRAMP configuration.

    Highest tier. Includes all compliance certifications. HIPAA, FedRAMP Moderate, FINRA configurations available. Agentforce and Salesforce-native AI integrations.

    GovSlackGovernment-grade enterprise messaging

    data: Same as Enterprise Grid but with FedRAMP JAB High authorization. US government and public sector use.

    Separate product for government customers. FedRAMP JAB High authorized, pursuing DoD CC SRG IL4. Separate SOC 2 Type II and SOC 3 reports available.

    Slack AI (feature set)Embedded AI capabilities

    data: Accesses only workspace data the user already has permission to view. Uses RAG; no data retained by LLM after each request.

    Slack AI is not a standalone product but a feature layer across paid plans. Includes: channel recaps, thread summaries, AI-powered search, Slackbot agent, huddle notes, web search via Slackbot, chart generation. Available on Business+ and Enterprise+ (and some features on Pro).

    // What to watch

    • Penetration testing schedule not publicly disclosed; consider requesting via enterprise sales process.
    • Traditional ML models (non-generative, e.g., emoji/channel recommendations) do use workspace data in aggregate by default; opt-out requires emailing feedback@slack.com — admins should be aware.
    • Data residency (choosing storage region) is restricted to Enterprise Grid plans only. Free and Pro customers have no regional control.
    • Slack AI is part of a Salesforce-owned platform; Salesforce integration means CRM data may be accessible to AI features on Enterprise+ plans — review Salesforce data governance in conjunction.
    • ISO 42001 (AI management system) is confirmed on the security page; this is a notable differentiator for AI-specific compliance requirements.
    • GovSlack is a distinct SKU from commercial Slack; organizations with FedRAMP High requirements must purchase GovSlack separately.

    // At a glance

    Pricing model

    Freemium with paid tiers (Pro, Business+, Enterprise+). Enterprise Grid requires custom contract. AI features bundled in Business+ and Enterprise+ as of June 2025 (no longer a separate add-on).

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Slack Technologies, LLC (a Salesforce company)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    slack.com

    > Browse all vendor trust reports