Trust & Compliance - Data Management
Slack's Data Management policy outlines how customer data is stored, processed, retained, and protected. It emphasizes customer ownership of data, options for data residency (e.g., US, EU), data portability and deletion capabilities, use of subprocessors with listed transparency, robust security measures including encryption and certifications (SOC 2, ISO 27001), and compliance with GDPR, CCPA, and other regulations. The policy provides transparency on data handling practices tailored for enterprise use.
Slack uses third-party subprocessors for services such as cloud hosting (AWS), analytics, and support; they are published in a public list, which may be updated over time.
Default US storage; EU/UK/Switzerland options available but require Enterprise plans.
Data retained as long as workspace exists unless deleted; no fixed automatic deletion periods.
Slack affirms customers own and control their content, with no claim to ownership.
Supports full export and permanent deletion of data upon request.
SOC 2 Type II, ISO 27001, HIPAA BAA available, regular audits.
Spotify collects the following categories of personal data. High Risk categories are used for advertising profiling or involve sensitive personal information.
User profiles, workspace info, billing details.
Messages, files, channels, direct messages.
Logs, metadata for functionality and security.
Optional, IP-based inference only.
Your data serves the following purposes. Mandatory purposes cannot be disabled without canceling the service. Opt-out available purposes allow some user control.
Data used to provide messaging, file sharing, and collaboration features.
Aggregated anonymized data used for product improvement and analytics.
Data accessed only for legal obligations or with customer consent.
Spotify shares data with several categories of third parties. Sharing with advertising partners is extensive and represents the primary commercial use of your behavioral data.
AWS, Google Cloud, Zendesk for hosting/support.
Amplitude, Intercom for usage insights.
Salesforce (parent) may access for support/legal.
Customer-initiated app integrations share data.
The following rights may be available to you depending on your region. EU/EEA users have the broadest protections under GDPR. Non-EU users have more limited guarantees.
Users can export workspace data via tools.
Full data export available in standard formats.
Permanent deletion upon workspace deactivation or request.
Supports data subject requests through privacy controls.
Data is retained for different periods depending on category, and security disclosures vary in depth. The policy highlights the following retention and transparency points.
Retention Periods
Deleted messages/files removed within 24 hours; workspace data upon deactivation.
Retained for 7 years for legal/compliance.
Retained indefinitely in aggregated form.
Security & Transparency
TLS in transit, AES-256 at rest; customer-managed keys available.
DLP features available in Enterprise plans.
SOC 2, ISO 27001, PCI DSS; annual audits.
Notifies customers within 72 hours per GDPR.
Source Text: Slack does not claim ownership; customer grants limited license.
Interpretation: Strong protection of user IP and content rights.

Source Text: Public list of 50+ subprocessors; customers can request changes.
Interpretation: Transparency good, but broad usage increases supply chain risk.

Source Text: Details encryption, access controls, audits.
Interpretation: Enterprise-grade security practices.

Source Text: Retained per customer instructions; deleted on termination.
Interpretation: Flexible but customer must actively manage deletion.

Source Text: SCCs for non-EU transfers; data residency options.
Interpretation: Compliant with GDPR adequacy.
You (the customer) own your content. Slack only stores it for service provision.