You can use Slack Enterprise Key Management (EKM) to control and get visibility into how your organisation’s data is accessed in Slack. It is available as a security add-on for the Enterprise Grid subscription, and is included on the GovSlack plan.

What to expect

• Use your own encryption keys (stored in Amazon's Key Management Service) to encrypt messages and files.
• To minimise disruption for members of your organisation, you can revoke granular access to encryption keys. 
• Org members can use Slack as normal, even if some data has restricted access.
• With data residency for Slack, new EKM customers can choose to create and store encryption keys in a specific data region.

How Slack EKM works

Data encrypted with customer-controlled keys

The following categories of customer data will be encrypted at rest with keys stored in the customer’s AWS account:

• Messages, canvases and snippets
• Files (e.g. images, docs, clips, etc.) uploaded to the Slack Service
• Search index of customer data
• Messages and files generated by apps or bots (except Slackbot)
• Sidebar custom sections
• Any data collected by an app deployed to Slack's managed infrastructure, as well as the app's datastores, developer secrets and logs

Data encrypted with Slack-controlled keys

The following categories of data may be encrypted at rest with keys generated and stored by Slack:

• Slack member profiles, including custom statuses
• Channel names, topics, descriptions and bookmarks
• File names
• Workspace and channel membership information
• Slackbot messages
• Data used to measure seat count, usage and revenue
• Data used for analytics and to measure quality of service, e.g. sanitised logs
• IDs generated by Slack on behalf of the customer
• Deal celebration data

Note: When you enrol in EKM, any existing data will be encrypted with customer-controlled keys.

Slack Connect

If external organisations are working together in Slack Connect, the shared contents are covered by EKM in the following ways:

• Each organisation’s messages will be encrypted with their EKM keys, if applicable.
• The search index for Slack Connect channels with be duplicated and encrypted with each customer’s EKM keys.
• If an organisation is removed from a Slack Connect channel, they'll retain an archived copy if they have permission to post, invite and more.

Ready to learn more? Contact our Sales team to get started.