01 Trust Score

Slack

Week 2026-W20 · 26 Apr 2026 Vendor-Neutral
60 /100 Mixed Signals
→ Unchanged
3.3/5 (3784)
WHY THIS SCORE

Slack's overall trust score of 60 reflects a mixed risk profile. The security posture is exceptionally strong, scoring 100 due to comprehensive certifications like SOC2 Type II, ISO 27001, HIPAA, and FedRAMP, with no unpatched CVEs. However, the legal risk score is critically low at 0, driven by undisclosed policies on AI training data, IP ownership, indemnification, and data retention, which are major areas warranting further due diligence for enterprise procurement. Financial health is assessed at 45, reflecting the lack of detailed market data in the breakdown. Community sentiment, at 60, is moderate, balancing positive feedback on features with concerns about app performance and free tier limitations. The most impactful action to improve this score is for Slack to publicly disclose and clarify all outstanding legal and IP policies.

AUDITOR SUMMARY
Strength: Slack demonstrates an exemplary security and compliance framework, holding SOC2 Type II, ISO 27001, HIPAA, and FedRAMP certifications, alongside robust encryption and audit logging capabilities.
Trust Score 60/100 CONDITIONAL
Est. Annual Cost $18,000/year for 100 users
Top Risk CRITICAL Data Privacy Overall: Medium
Priority Action DPA Subprocessor List URL Inaccessible — Legal Review Required

Enterprise Verdict

! Conditional Approval
Risk: Medium 50 sources
The adoption recommendation is 'conditional proceed' primarily due to critical legal and IP transparency gaps, including undisclosed policies on AI training data and user IP ownership. For a more favorable 'proceed' verdict, Slack must provide explicit contractual terms addressing these legal ambiguities and ensure public accessibility of its subprocessor list and comprehensive DPA details.
Priority Action

DPA Subprocessor List URL Inaccessible — Legal Review Required

This report updates every week. Weekly AI vendor intelligence — trust scores, contract red flags, competitive shifts.
02 Top Risks

Risk Assessment

Seven-category enterprise risk analysis derived from community and vendor signals. Each card shows the evidence tier and the underlying finding.

Critical Data Privacy Verified

AI training data policy is undisclosed by the vendor, posing a high risk for sensitive enterprise data. This must be explicitly addressed in a DPA.

High Compliance Posture Community Data

The public URL for the DPA's subprocessor list is inaccessible, preventing verification of third-party data handlers and creating a critical compliance gap.

Critical Legal Exposure Verified

IP ownership over user-generated content and AI outputs is unclear, and IP indemnification is not publicly disclosed, exposing the enterprise to legal risks.

High Reliability Community Data

SLA terms are not publicly disclosed, meaning uptime commitments and recourse for downtime are not guaranteed without a custom MSA.

Medium Cost Predictability Community Data

Enterprise+ pricing is 'Contact Sales', and potential overage charges for AI features are noted, introducing uncertainty in total cost of ownership.

High Vendor Lock-in Community Data

Opaque data export and deletion timelines, combined with deep integration capabilities, increase the risk of vendor lock-in.

Medium Support Quality Community Data

Average community support/satisfaction rating: 3.3/5.0 based on 162 user reviews.

Medium AI Transparency Verified

No training on user data detected. Code ownership terms unclear. Legal/ToS risk score: 65/100.

Verified — Confirmed by vendor documentation
Community — Derived from community reports

Due Diligence Alerts

Priority reviews, recommended inquiries, and verified strengths — based on 101+ community data points

Recommended Inquiry Critical DPA Subprocessor List URL Inaccessible — Legal Review Required
Recommended Inquiry High AI Training Data Policy Not Explicitly Disclosed in ToS
Recommended Inquiry High IP Indemnification Not Publicly Disclosed
Recommended Inquiry High Opaque Data Lifecycle and Export Terms
Recommended Inquiry High SLA Terms Not Publicly Disclosed — Request MSA Before Procurement
03 Security & Compliance

Security & Compliance

SOC 2 ✓ Certified
ISO 27001 ✓ Certified
GDPR ✓ DPA
HIPAA ✓ BAA

Data Security

Data Residency: EU
Encryption (At Rest): AES-256
Encryption (In Transit): TLS 1.3

Security Features

SSO SAML, OAuth
Audit Logs 90 days
Vulnerability Disclosure

Enterprise Contract Intelligence

DPA availability, data residency, and contract risk signals for procurement teams

📄 Data Processing Agreement Available

A Data Processing Addendum (DPA) is publicly available. However, the provided DPA excerpt indicates a glitch, and the scraper reports no subprocessor list or SCCs, requiring direct verification from the vendor before signing.

🌐 Data Residency Customer-Controlled
Default: United States (AWS US)
United States, EU/EEA, United Kingdom, Canada, Australia

Slack offers data residency options in multiple regions, including the EU/EEA, allowing customers to choose where certain data at rest is stored. However, the DPA's lack of explicit SCCs in the scraper data requires direct verification for GDPR compliance and cross-border transfer mechanisms.

⚠️ Contract Risk Medium Lock-in (65/100)
Data export on exit: No ⚠
⚠ 5 contract risk flags:
⚠ Undisclosed IP ownership over user-generated content and AI outputs.
⚠ Undisclosed data training policies for AI models.
⚠ Opaque data retention and deletion timelines.
⚠ Lack of public indemnification and liability caps.
⚠ Absence of a publicly available Service Level Agreement (SLA).

The contract risk is elevated due to significant transparency gaps in key legal areas. The undisclosed IP ownership, data training policies, and data lifecycle management, combined with a lack of public indemnification and liability caps, create substantial unquantified risks. The absence of a public SLA further complicates risk assessment. These factors contribute to a medium lock-in score, as exiting the platform could be complex without explicit contractual terms.

04 Community Signals

Community Evidence

Sentiment analysis and recurring issues from developer & enterprise community signals this week.

Recurring Issues

ci: daily LoC report to Slack (daily) and Telegram (weekly) 🟠 Community 5 mentions medium → Stable

Enterprise Impact: Reported by community on GitHub with 5 comments.

Sources: GitHub
Revert "fix(slack): route mentions/DMs by user team for Slack Connect" 🟠 Community 4 mentions medium → Stable

Enterprise Impact: Reported by community on GitHub with 4 comments.

Sources: GitHub
chore(slack): log raw event payload for Slack Connect diagnosis 🟠 Community 4 mentions medium → Stable

Enterprise Impact: Reported by community on GitHub with 4 comments.

Sources: GitHub
fix(middlewares): cache preset HTTP client; share TransportFactory in slack fallback 🟠 Community 4 mentions medium → Stable

Enterprise Impact: Reported by community on GitHub with 4 comments.

Sources: GitHub
Traceway: MIT-licensed observability stack you can self-host in ~90s 🟠 Community low → Stable

Enterprise Impact: Discussed on Hacker News.

Sources: HN
The Emacsification of Software 🟠 Community low → Stable

Enterprise Impact: Discussed on Hacker News.

Sources: HN

Source Highlights This Week

Specific signals from GitHub, Hacker News, and Reddit — what the community is actually saying

Intelligence Synthesis

Slack, a Salesforce product, exhibits robust security and compliance with multiple certifications including SOC2 Type II, ISO 27001, HIPAA, and FedRAMP. However, critical legal and IP risks persist due to undisclosed policies on data training, IP ownership, indemnification, and data lifecycle. Community feedback highlights app performance issues, notification bugs, and limitations in the free tier, alongside positive sentiment for integrations and enterprise features like Enterprise Grid support.

05 Financial Impact

Financial Impact Panel

Cost intelligence and pricing signals for enterprise procurement decisions

Pricing data from public sources — enterprise rates differ. Verify with vendor.

TCO Calculator

Pricing Not Available

Enterprise pricing information could not be obtained for this vendor. This may be due to custom/private pricing models or limited publicly available data.

Independent analysis — signals aggregated from GitHub, Reddit, HN, Stack Overflow, Twitter/X, G2 & Capterra. Not affiliated with any vendor.
