Archive & Data Protection

    Data Retention Policies for Slack

    Data Retention Policies in Slack: Risks and Compliance

    by Emily Schwenke

    Key Points

    • This blog was originally posted on the Aware website, but with the acquisition of Aware by Mimecast, we are ensuring it is also available to visitors to the Mimecast website.
    • Retention policies help meet regulatory requirements for electronic communications.
    • Slack data may contain sensitive information, posing risks if not properly retained.

    Data backup is a crucial aspect of organizational governance in the modern digital workplace. The rise of collaborative platforms like Slack has revolutionized communication within businesses. However, managing data within these platforms is a nuanced task, requiring a deep understanding of data retention policies, compliance, and associated risks.

    Why do data retention policies matter?

    The digital transformation brought with it an unprecedented influx of data, and not all of it holds equal value to the enterprise. Data retention policies enable organizations to assign value to their information, allowing for informed decisions on what to preserve and what to purge.

    Robust data retention policies can also help businesses to meet regulatory obligations to retain or purge sensitive information. For example, in the United States, the Securities and Exchange Commission requires financial institutions to retain certain types of data for a period of seven years. Understanding the data you hold is fundamental to this process, especially for businesses in highly regulated industries or those who routinely handle sensitive or restricted information.

    Retention policies are a critical first step in any compliance or data loss prevention workflow, and supports additional functions for teams across the organization, including eDiscovery and other legal processes.

    Do data retention requirements apply to Slack?

    Regulatory bodies such as the SEC and FINRA have made it clear through fines and penalties that retention periods for highly regulated businesses apply equally to all forms of corporate communications, including collaboration tools like Slack. New rules such as SEC 17a-4 further clarify this position and affirm that covered entities must have a proactive solution in place to capture a complete record of all electronic communications, wherever they occur.

    What risks live in Slack data?

    Every business handles some forms of sensitive data, and that information is inevitably shared within collaboration tools like Slack. Some of the most common types of sensitive data shared in Slack include personally identifiable information (PII), protected health information (PHI), and payment card information (PCI). Aware research shows that 1 in 17 Slack messages contains sensitive data like PII. Without a plan to identify and secure this data, it could be compromised by hackers or other malicious actors.

    Further, Aware analysis shows that users often share company-sensitive data on Slack. One organization used Aware to identify over 20,000 instances of customer credit card numbers being shared in collaboration tools. This put the business at risk of action from the PCI Standards Council (PCI SSC), with fines for violations reaching up to $100,000 per month.

    It isn’t just regulated data that can create risk for enterprises, however. Corporate secrets, IP, and even interpersonal conflict all exist within messaging tools like Slack and can leave the business open to financial losses and legal action. Managing data retention in Slack requires understanding and mitigating these liabilities as well.

    Does Slack retain data by default?

    Slack retains data from free plans for up to a year, after which it is deleted and may not be recoverable. For paid plans, Slack will retain all user data for the lifetime of the account according to its default settings unless otherwise instructed. However, that does not mean all available data is immediately accessible to Slack administrators. Workspace admins of lower-tier accounts will often have to petition Slack to gain access of user data from private and restricted Slack channels, or that is more than 90 days old. Before granting this request, Slack requires a compelling legal reason and may notify users if their data is passed to administrators.


    Slack data retention options by account type

     Free PlansProBusiness+ & Enterprise Grid
    Retain all messages (no revisions)X*XX
    Retain all messages (with revisions) XX
    Delete after 90 daysX  
    Delete after custom time XX
    Member-level policies XX
    Admin-level policies  X

    *Free plan data is retained by Slack for up to one year.

    Slack offers a number of customizable data retention options, depending on the plan. On the Free and Pro Slack plans, admins can choose to keep all messages and files indefinitely or to delete them after a set period of time. On the Plus and Enterprise Grid plans, admins can also choose to keep or delete messages and files based on channel type and other criteria. Slack users in paid plans also have the option to configure their own message retention settings for private channels and DMs, a feature known as Member Overrides. On Business+ and Enterprise Grid plans, workspace owners can also set customized message retention policies for individual channels (Admin Overrides).

    To properly enforce retention policies throughout a Slack workspace and retain complete control of all the data it contains requires a Business+ or Enterprise Grid Slack plan, as these tiers support granular workspace settings for retention. To gain even more control over Slack data retention, administrators should consider deploying a third-party Slack retention tool such as Aware.

    Are deleted Slack messages recoverable?

    No, deleted Slack messages are not recoverable by default. This is critical to note, because users (also known as custodians) can edit or delete their Slack messages at any time. Unless a data retention policy is in place that specifically captures revisions and deletions, these messages might be lost forever.

    Should admins retain all Slack data?

    Most Slack data is low quality and does not pose much risk to the enterprise by itself. However, preserving all this data can lead to increased risk exposure simply because of the volume in which it is created—last year, employees sent over 18 trillion messages in collaboration tools. This can make it harder for legal and compliance teams to find the “needle in the haystack” during internal reviews, investigations, and eDiscovery.

    For businesses in highly regulated industries, regulations imposed by FINRA, the SEC and similar organizations often outline minimum retention policies required of all electronically stored information, including Slack data. Failure to comply with these requirements can lead to hefty fines and penalties. And even for businesses outside these industries, there are often data protection requirements to safeguard and secure sensitive information such as PII/PHI/PCI that must be addressed.

    These competing demands on the organization—to both limit exposure in large datasets, and to fulfill regulatory obligations to preserve data—present new challenges to collaboration workspace owners. Aware’s AI data platform makes it faster and easier for admins to accurately assess their risk exposure in this dataset, enforce legal holds and retention settings that meet regulatory need, and make their data actionable.

    Common Slack data retention challenges

    • Lack of visibility: Slack admins may not be able to see all messages that are shared in their workspace, especially if they are on the Free or Standard Slack plan.
    • Lack of control: Users can delete their own messages at any time, complicating data control.
    • Data sprawl: Slack data can be spread across public channels, private channels, direct messages, and files. This can make it difficult to manage and retain data effectively.
    • Regulatory compliance: Businesses must comply with a variety of message and file retention regulations, which can be complex and difficult to manage.
    • Integration issues: Understanding how third-party apps connected to Slack access and store data is fundamental to retaining control of sensitive information.

    How Mimecast supports data retention for Slack

    Aware simplifies data retention in complex collaboration datasets like Slack, supporting admins in properly evaluating the risk and value of the data they hold. Aware connects effortlessly to Slack via native APIs and webhooks to ingest a real-time record of all messages, including revisions, deletions, and secures them in a defensible, immutable archive. By enriching each message with AI-infused metadata, Aware enables admins and compliance and legal teams to quickly search, sort, and surface Slack messages to accelerate internal investigations and support regulatory compliance.

    Aware’s smart workflow automations can detect instances of unauthorized sensitive and confidential information sharing within Slack using industry-leading natural language processing and sentiment analysis models that outperform all leading competitors. Using Aware, workspace administrators can take charge of their entire collaboration ecosystem from a single, centralized platform that puts granular data retention controls at their fingertips.

    First Published Nov. 2023. Updated Jun. 2024.

    Subscribe to Cyber Resilience Insights for more articles like these

    Get all the latest news and cybersecurity industry analysis delivered right to your inbox

    Sign up successful

    Thank you for signing up to receive updates from our blog

    We will be in touch!

    Back to Top