Data Request Overview
Slack is commited to trust and transparency
In the following documents and FAQ, you can find our policies and guidelines for requests for data from government and law enforcement entities, as well as civil third-party data requests. You can also find our annual reports on the number of requests we receive and our responses.
Data Request Policy
As part of our commitment to trust and transparency, our Data Request Policy outlines Slack’s policies and procedures for responding to requests for Customer Data. This policy guides our practices with respect to requests for third-party data, requests by legal authorities, Customer notice, and international requests for data.
Transparency Report
Salesforce publishes information annually on the law enforcement and government requests that Salesforce companies, including Slack, received in the prior calendar year. These transparency reports outline Salesforce’s guiding principles for maintaining customer confidentiality, the number of requests it receives annually, and data regarding responses. Past years’ Transparency Reports can be found in Slack’s Legal Archive.
Frequently Asked Questions
How does Slack handle requests from government and law enforcement?
Slack is an online workplace productivity platform as described in our Privacy Policy and Terms of Service. If we receive valid legal process from a government or law enforcement entity, we may have an obligation to produce user data in accordance with applicable laws. Our Data Request Policy outlines our requirements with respect to these requests, and our Transparency Report shows the type and volume of requests from government and law enforcement entities that we receive each year.
Where should I send legal process?
All requests by law enforcement and government entities (including international government and law enforcement entities) may be sent to our legal process email alias: legalprocess@slack.com
What information does Slack need to process my request?
In addition to all requisite and applicable legal requirements, all legal process requests should include the following information: (a) the government entity or law enforcement agency, (b) the relevant criminal or civil matter, and (c) identifying information about the Slack workspace, including the relevant Customer and User names, date range, the Slack workspace URL (slackname.slack.com), and the type of data sought. The request must also come from a government issued email account and include full contact information for the requesting officer.
What happens when Slack receives a law enforcement request?
We carefully review all requests for legal sufficiency and with an eye toward user privacy. Slack may reject or challenge any requests that are unclear, overbroad or inappropriate.
How often do you provide data to government and law enforcement entities?
Our Transparency Report details the number of requests we receive each year. The current report covers January 1 through December 31, 2019, and specifies the number of subpoenas, warrants and other requests for data received during that year. The report also includes the type of information we provided, including content and non-content data.
Do you assist law enforcement and government authorities in conducting surveillance of communications?
Slack does not conduct real-time surveillance of customers, nor do we voluntarily provide governments with access to any data about users for surveillance purposes. Please read our Transparency Report for more information.
Is Slack eligible to receive “upstream” or bulk surveillance orders under FISA § 702?
No. Like all other communication platforms in the United States, Slack is an electronic communications service (“ECS”) or remote computing service (“RCS”) (as defined in Sections 2510 and 2711 of Title 18 U.S.C., respectively) when it provides services to customers. It is thus possible the United States government could serve a targeted directive on Slack under FISA § 702.
However, Slack is not eligible to receive a 702 order for “upstream” surveillance. As the U.S. Government has applied FISA § 702, it uses upstream orders only to target traffic flowing through internet backbone providers that carry traffic for third parties. See Privacy and Civil Liberties Oversight Board, Report on the Surveillance Program Operated Pursuant to Section 702 of the Foreign Intelligence Surveillance Act (July 2, 2014) pp. 35-40, available at https://fas.org/irp/offdocs/pclob-702.pdf. Slack does not provide such backbone services, as it only carries traffic involving its own customers. As a result, it is not eligible to receive the type of order principally addressed in, and deemed problematic by, the Schrems II decision.
Does Slack assist U.S. authorities in their bulk collection of information under Executive Order 12333?
Slack does not provide any assistance to U.S. authorities conducting surveillance under Executive Order 12333. Further, E.O. 12333 does not provide the U.S. government the ability to compel companies to provide assistance with those activities, and Slack will not do so voluntarily. As a result, Slack does not, and cannot be ordered to, take any action to facilitate the type of bulk surveillance under E.O. 12333.
How does Slack protect data in motion and data at rest?
Slack employs a range of technical and organizational measures to defeat efforts to intercept, surveil, or otherwise access without authorization data in transit. For instance, Slack encrypts all transfers of data to prevent the acquisition of such data by third parties, such as governmental authorities who may gain physical access to the transmission mechanisms while the data is in transmission. Slack only utilizes secure data transport via TLS 1.2 over HTTPS. This feature is always enabled to limit any third parties from tampering with or tapping into the data transfers between the two end-points (Slack and our customers).
Our Enterprise Key Management workspace offers additional safeguards by creating an immutable audit log so that the customer has notice every time its data is accessed. The act of preserving or producing EKM content would trigger an observable entry in the access log available to the Customer. Customers may also revoke encryption keys to prevent access to unencrypted content.
Does the passage of the U.S. CLOUD Act affect the way that Slack responds to U.S. government legal requests?
No. The CLOUD Act, enacted in 2018, clarified the geographic scope for U.S. law enforcement requests and created a statutory basis for companies like Slack to challenge requests that conflict with foreign law in certain circumstances. The CLOUD Act did not change any of the preexisting legal and privacy protections afforded to user data and Slack applies the same rigorous review to all legal process served on it, including those issued pursuant to the CLOUD Act.
What kind of data might be disclosed in response to legal process from law enforcement or government entities?
Content data includes user generated data, for example public and private messages, posts, files and direct messages. Slack requires a search warrant to produce such data to law enforcement.
Non-content data is basic account information (such as name and email address, profile information, registration information, login history and billing information) and other non-content metadata (such as the date, time, and sender/recipient of messages or files). Depending on the type of data requested, Slack may require a compulsory subpoena or a court order to produce this data.
What is the difference between a search warrant, a court order, and a law enforcement subpoena?
A search warrant is an order issued by a judge or magistrate upon a finding of probable cause. A search warrant is required to obtain the content of communications.
A court order is when a court finds that the government has demonstrated that there are reasonable grounds to believe that the information sought is relevant and material to an ongoing criminal investigation. The government can obtain basic non-content data and metadata about a workspace with a court order, but not content.
A law enforcement subpoena is a compulsory demand issued by a governmental entity for the production of a limited set of information, such as a Customer’s name, address, length of service, or means and source of payment, in support of an authorized criminal investigation.
Can the government and/or law enforcement obtain deleted data from Slack?
Generally, no. Unless deleted data is retained by a Customer pursuant to their retention settings, it is removed from Slack’s systems immediately upon deletion. Once deleted, data may reside in our security backups for a limited period of time (up to 14 days, but often fewer). Once the backup period is over, Slack hard deletes all information from our production systems. Once fully deleted, Slack cannot retrieve the data for any purpose, including for purposes of responding to government and law enforcement requests.
How does Slack handle emergency requests?
If you have an emergency involving danger of death or serious physical injury and you believe Slack has data that may be necessary to mitigate that harm authorized law enforcement personnel should contact us at legalprocess@slack.com and we will assess the request.
Do you give Customers notice before producing data to a governmental or law enforcement entity?
Unless Slack is prohibited from doing so or there is a clear indication of illegal conduct or risk of harm, Slack will notify the Customer, typically by emailing the Primary Owner, before disclosing data so that the Customer may promptly seek legal remedies.
What about third party or civil requests for data?
Third parties seeking data should contact the Slack workspace owner directly. Wherever possible, we encourage parties to manage their requests without our involvement. Workspace owners should be able to run their own export in order to comply with an appropriate legal request. If you need assistance with those exports, the primary owner can contact us to see if they qualify for an export due to legal necessity.
Please note that the Stored Communications Act, 18 U.S.C. § 2701 et seq., strictly prohibits a provider such as Slack from disclosing the contents of communications to third parties. A civil subpoena or civil court order is not sufficient under the SCA to obtain content from a Slack workspace.