2026 Independent Security Review
Slack is a useful collaboration tool with solid compliance credentials on its Enterprise Grid tier: SOC 2, ISO 27001, and HIPAA BAA availability. But messages in Slack are not end-to-end encrypted, meaning Slack (and by extension Salesforce, its parent company) holds the encryption keys and can technically access message content. For most small businesses, the bigger risk is not encryption architecture but the tendency to share sensitive information in Slack channels without considering who has access or how long messages are retained.
78 out of 100
- Encryption: AES-256 at rest, TLS 1.2 in transit; no end-to-end encryption for messages; Slack holds encryption keys
- Access Controls: Admin-enforced MFA, SSO via SAML, channel-level permissions, guest access controls
- Compliance Certifications: SOC 2 Type II, SOC 3, ISO 27001, HIPAA (Enterprise Grid only), FedRAMP Moderate (GovSlack)
- Transparency: Trust Center, security whitepaper, transparency reports; subprocessor list available
- Breach History: 2022: Slack disclosed unauthorized access to its GitHub repositories via stolen employee tokens; no customer message data was exposed
- SMB Fit: Widely adopted; HIPAA BAA limited to Enterprise Grid, which is priced for larger organizations
| Category | Max Points |
|---|---|
| Encryption | 20 |
| Access Controls | 20 |
| Compliance Certifications | 20 |
| Transparency | 15 |
| Breach History | 15 |
| SMB Fit | 10 |
Slack's HIPAA BAA is available only on Enterprise Grid, which is priced for organizations with hundreds or thousands of users. For a small medical practice or law firm with 5 to 20 employees, Enterprise Grid is likely cost-prohibitive. This means that most small businesses using Slack are on Pro or Business+ plans, where no BAA is available and where messages containing PHI or client-privileged information create compliance exposure. If your team discusses patients, clients, or sensitive business matters in Slack, understand that those messages are stored on Slack's servers, encrypted with keys Slack controls, and retained according to your workspace retention policy.
Slack is a strong communication tool with reasonable security for general business use. The admin controls on Business+ and Enterprise Grid are solid. The limitation for small businesses is that the HIPAA BAA and the most advanced security features are gated behind Enterprise Grid pricing. If your business handles regulated data, either budget for Enterprise Grid or establish clear policies about what can and cannot be discussed in Slack, and enforce those policies through training.
Law firms should be cautious about discussing client matters in Slack. Messages are stored on Slack servers and are not end-to-end encrypted. If a discovery request or subpoena targets your Slack workspace, those messages are producible. Set clear firm policies about what can be discussed in Slack versus what must stay in secure email or your document management system. On Enterprise Grid, firms can configure retention policies and DLP rules to reduce risk.
Do not discuss patient information in Slack unless you are on Enterprise Grid with a signed BAA. On Pro or Business+ plans, any message mentioning a patient by name alongside a health condition, diagnosis, or treatment constitutes PHI in an unsecured environment. If your practice uses Slack for team communication, restrict its use to scheduling, administrative logistics, and general announcements.
GovSlack holds FedRAMP Moderate authorization and operates in a separate environment from commercial Slack. Standard commercial Slack should not be used for discussions involving CUI. For non-CUI internal communication, commercial Slack with SSO and enforced MFA is adequate, but establish channel naming conventions and access controls that prevent CUI from entering the workspace.
1. Enforce MFA for all workspace members through the admin console. This is available on Pro plans and above.
2. Configure message retention policies. By default, Slack retains all messages indefinitely. Set retention limits appropriate for your industry.
3. Establish written policies about what can and cannot be discussed in Slack. Client names, patient information, and sensitive financial data should stay out of Slack unless you are on Enterprise Grid with a BAA.
4. Review guest access quarterly. External collaborators with guest access to your channels may retain access long after the project that justified their invitation.
5. If your business requires HIPAA compliance for messaging, evaluate whether Enterprise Grid pricing is feasible. If not, use a HIPAA-compliant messaging alternative for clinical or privileged discussions.
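One way to turn the MFA and quarterly guest-access checks above into a repeatable audit, as an added example that is not part of the original review: a Python pass over the JSON that Slack's `users.list` Web API method returns, reading the user-object fields `is_restricted`, `is_ultra_restricted`, `has_2fa`, `deleted`, `is_bot` and `is_admin`. The payload below is constructed; a live run would page through `users.list` with a token holding the `users:read` scope and feed each page to the same function.

```python
import json

# Constructed sample in the shape of a Slack users.list response, trimmed to the
# fields this audit reads. IDs and names are made up.
SAMPLE_USERS_LIST = json.dumps({"ok": True, "members": [
    {"id": "U001", "name": "alice", "deleted": False, "is_bot": False, "is_admin": True,
     "is_restricted": False, "is_ultra_restricted": False, "has_2fa": True},
    {"id": "U002", "name": "bob", "deleted": False, "is_bot": False, "is_admin": False,
     "is_restricted": False, "is_ultra_restricted": False, "has_2fa": False},
    {"id": "U003", "name": "ext-contractor", "deleted": False, "is_bot": False,
     "is_admin": False, "is_restricted": True, "is_ultra_restricted": False, "has_2fa": True},
    {"id": "U004", "name": "ext-auditor", "deleted": False, "is_bot": False,
     "is_admin": False, "is_restricted": True, "is_ultra_restricted": True, "has_2fa": False},
    {"id": "U005", "name": "former-guest", "deleted": True, "is_bot": False,
     "is_admin": False, "is_restricted": True, "is_ultra_restricted": False, "has_2fa": False},
    {"id": "USLACKBOT", "name": "slackbot", "deleted": False, "is_bot": True,
     "is_admin": False, "is_restricted": False, "is_ultra_restricted": False, "has_2fa": False},
]})


def audit_members(payload_json):
    """Return (guests, no_2fa) from one users.list payload.

    guests: active guest accounts as (id, name, guest_type) tuples.
    no_2fa: active human members without 2FA as (id, name, is_admin), admins first.
    """
    data = json.loads(payload_json)
    if not data.get("ok"):
        raise ValueError(f"users.list reported failure: {data.get('error')}")
    guests, no_2fa = [], []
    for m in data["members"]:
        # Deactivated accounts and bots cannot log in interactively; skip them.
        if m.get("deleted") or m.get("is_bot"):
            continue
        # is_ultra_restricted marks single-channel guests; is_restricted marks
        # guests generally, so a guest without the ultra flag is multi-channel.
        if m.get("is_ultra_restricted"):
            guests.append((m["id"], m["name"], "single-channel"))
        elif m.get("is_restricted"):
            guests.append((m["id"], m["name"], "multi-channel"))
        # has_2fa is documented as visible only when the calling user is an admin.
        if not m.get("has_2fa"):
            no_2fa.append((m["id"], m["name"], bool(m.get("is_admin"))))
    no_2fa.sort(key=lambda u: (not u[2], u[0]))
    return guests, no_2fa
```

Once admin-enforced MFA is switched on, the `no_2fa` list should be empty on the next run; any guest still listed after its project ended is a candidate for removal.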
Only on Enterprise Grid. Slack will sign a BAA for Enterprise Grid customers. Pro and Business+ plans do not include BAA availability and should not be used to transmit PHI.
Slack encrypts messages at rest using AES-256 and in transit using TLS. However, Slack does not offer end-to-end encryption. Slack holds the encryption keys, which means the company can technically access message content.
In 2022, Slack disclosed that an unauthorized party accessed its externally hosted GitHub repositories using stolen employee tokens. The company stated that no customer data, including messages and files, was affected.