Slack Data Encryption. Can Admins read your private messages?

Let's take a look at some FAQs:

  1. Does Slack have end-to-end encryption?
  2. Can Slack admins read your DMs and private messages?
  3. Slack data storage limits and backups.

Slack has turned into a virtual water cooler for many companies, especially remote and hybrid ones. It is an invaluable tool that lets you communicate effectively with your team members: for work, for meetings, and for virtual team activities through fun apps and integrations. However, a lot of sensitive information is also exchanged on Slack, so naturally one might wonder, “How secure are my conversations on Slack? Can anyone read my private chats on Slack?”, especially if you’re using Slack for the first time. Let’s dive in and understand how secure our information is on Slack.

In this article, we will cover the following:

  1. Does Slack have end-to-end encryption?
  2. Can Slack admins read DMs and see your messages in private channels?
  3. How and where does Slack store your data?

Are Slack messages encrypted?

Yes! Slack’s messages are encrypted, and your messages are secured. Slack has all the standard security features, such as single sign-on, domain claiming, support for e-discovery, and integrations with data loss prevention providers.

Slack encrypts data in transit for all users, whether they are on a free or paid plan. For enterprise paid users, Slack provides an extra feature: EKM (Enterprise Key Management). Slack EKM gives firms more control over the keys used to encrypt and decrypt their data, which leads to greater visibility into their data in Slack.

However, Slack does not have end-to-end encryption. One might wonder why Slack doesn’t offer it. The answer lies in the fact that organizations want to retain control and be able to monitor data at their end.

This also means that a data breach affecting Slack can be extremely disastrous for its users. Since it has happened before, there is a possibility of it happening again.

Furthermore, EKM is different from traditional end-to-end encryption, where encryption keys are stored on individual users’ devices and only the intended recipients can read the content. The other end of the spectrum is centrally controlled encryption, where Slack itself would store the keys. EKM sits somewhere in between: organizations control and store the keys in an independent AWS key server, which is used to encrypt files and messages, and admins can revoke access on a team level. In case of a security threat, the IT admin team can cut off access to the content at any time if necessary.

What are the risks of using Slack?

1. Compromise of the user device

If a user’s device is compromised, there is little that Slack can do to prevent data being scraped or exported from that device.


2. Phishing and Spamming

Slack, like email, is prone to phishing and spam attacks, so users must vigilantly look out for phishing attempts and spam messages. Some Slack workspaces are invite-only, and users therefore assume that their workspace is secure. But this is not always the case, especially in public workspaces that have an invite link somewhere on the web. The only way to avoid this is for people to be careful about what they see in a workspace, just as they have learned to be over the years with email.

3. Third-party apps

Users should be cautious when adding third-party apps to their workspace, and take extra precautions with apps that request Google Drive data or other confidential internal data. We, at Ricotta, adhere to appropriate authentication protocols and don’t ask for Google Drive data or confidential information.


4. Malicious content

A former employee who left the company on bad terms can pose a risk. If they still have access to the workspace, they might deliberately post malicious content. This is a ubiquitous risk across platforms, and proper HR and IT admin policies (such as promptly revoking access when someone leaves) can mitigate it.

Can Slack admins read DMs and see your messages in private channels?

Yes, admins can access your private messages, and they’re not the only ones. Companies have traditionally been able to do this with email, so not much changes with Slack DMs.

What is the procedure? If your firm uses Slack’s free plan, your employer needs Slack’s go-ahead: Slack reviews the employer’s request and, upon approval, allows them to conduct a one-time export of all DMs in JSON format. This should be done following a valid legal process under applicable laws. On the paid enterprise tiers, employers can retain messages using third-party services like Hanzo.

Ultimately, Slack isn’t responsible for the data, so you should pay heed to what you share in DMs and avoid sharing sensitive data if it might lead to issues. To check whether your employer has generated a compliance report, go to https://{team_name}.slack.com/account/team and look under retention and exports. The other way to check is whether your workspace is connected to third-party export and data retention apps via the app section of the workspace: select "Can access messages" from the "Access type" drop-down menu, then scroll through every app's "App Info" and "Settings" sections. Here you’ll find whether your admins have permission to access content in users’ DMs.


How and where does Slack store your data?

Slack is mostly seen as a collaboration tool, but it has file storage capability and can be a repository of data as well. When users upload a doc or file to a channel, it is stored in Slack. You can store PDFs, images, audio and video files on Slack, but there is a limit on the capacity:

  Free users - 5 GB for the entire workspace
  Standard plan ($2.67 per user, billed annually) - 10 GB per user
  Plus subscription ($5 per user, billed annually) - 20 GB per user
  Enterprise plan - 1 TB per user

If members exceed the data storage limit, older files are automatically archived and teams have to upgrade their plan to view the archived files. All teams on paid plans have the option to export data and store it externally using third-party apps. Usually all data is stored on the AWS servers where Slack is hosted, but paid-tier users can also choose different data residency plans, where teams host data in different countries.


Here are some top apps and integrations to help you with data management and wikis:

  1. Google Drive
  2. Obie
  3. Dropbox
  4. Onedrive

Conclusion

Slack is a very powerful tool when used to its full potential, though we haven’t covered all of its nuances here. These are some of the hygiene factors that we think will help you set up and get going with your Slack workspace. Organizations should prioritize the security of Slack and the steps they can take to ensure that their employees’ sensitive data and financial information sent through Slack stay safe. Everyone should also use two-factor authentication to minimize the risk of account compromise, and sensitive data should not be frivolously shared. Firms should also look at security vendors like Avanan, Edwin, SafeGuard Cyber and Riot to bolster their defence against unknown threats.

Combining Slack with productivity tools like Ricotta will make your workspace focused, transparent and highly engaged.
