The Salesforce acquisition changed Slack's compliance profile
Slack Technologies was acquired by Salesforce in July 2021 for $27.7 billion. Before the acquisition, Slack was already US-incorporated and CLOUD Act exposed. What the acquisition changed was the scale and complexity of the data relationship.
Slack is now part of the Salesforce platform ecosystem. Salesforce integrations, Slack Connect channels between organizations, and AI-powered features all create data flows that extend beyond the Slack workspace itself. For compliance purposes, assessing Slack now means assessing its position within the broader Salesforce data architecture.
Why Slack rates "Exposed" rather than "Review Required"
Upper Harbour rates tools on a three-tier scale: exposed (US-jurisdictional with no Canadian data residency), review required (US-jurisdictional but Canadian residency available), and Canadian/non-exposed. Slack is rated exposed because it combines two risk factors: US parent jurisdiction with CLOUD Act exposure, and no option to store data in Canada.
Unlike Microsoft 365 or Google Workspace, Slack does not offer a Canadian data centre or data residency selection. Slack Enterprise Grid customers can choose between US and EU data residency regions, but Canada is not among them. All Canadian Slack data resides on US infrastructure by default.
What data Slack holds
The compliance significance of Slack exposure depends on what flows through it. In most organizations, Slack channels contain internal strategy discussions, client and customer names, project details, shared files and documents, personal information of employees and contacts, and, increasingly, sensitive business data that would previously have been communicated by email or in meetings.
Many organizations treat Slack as informal communication and underestimate what accumulates. Slack retains message history, file uploads, reactions, and metadata. For compliance purposes, this is a rich repository of personal and business information — all stored on US servers under US jurisdiction.
Slack Connect amplifies the exposure
Slack Connect allows channels shared between different organizations. When a Canadian organization shares a Slack Connect channel with a client or vendor, data from both organizations flows through Slack's US infrastructure. This creates a cross-border transfer not just for your own data, but potentially for your clients' personal information as well.
For organizations subject to Law 25, each Slack Connect channel involving personal information of Quebec residents constitutes a cross-border transfer requiring assessment.
AI features and Slack's data use
Salesforce has integrated AI capabilities into Slack, including search summarization and channel digests. These features process message content through AI models — raising the question of where that processing occurs, whether message content is used for model training, and how this interacts with data protection obligations.
Organizations should review Slack's current data processing terms to understand how AI features handle workspace content, and whether opting out of AI processing is possible for their plan tier.
What this means for Law 25 and PIPEDA compliance
Quebec organizations must produce a Transfer Impact Assessment for Slack. The assessment will document that Slack is US-incorporated, CLOUD Act exposed, stores data in the US with no Canadian alternative, and processes personal information of Quebec residents. Available safeguards include Slack's Enterprise Key Management (customer-controlled encryption keys, Enterprise Grid only), Slack's DPA and standard contractual clauses, and organizational policies limiting what personal information flows through Slack.
For organizations processing sensitive personal information through Slack — health data, financial records, legal matter details — the exposure level may warrant stronger remediation measures, including restricting certain categories of data from Slack channels entirely.
Practical options for Canadian organizations
For most organizations: Continue using Slack, complete the TIA/PIA documentation, implement Slack's Enterprise Key Management if available on your plan, and establish internal policies about what categories of information should not be shared in Slack.
For high-sensitivity environments: Consider whether Slack is the appropriate tool for communications involving regulated personal information. Canadian alternatives exist for team messaging, though none match Slack's ecosystem integration. A hybrid approach — Slack for general communication, a Canadian-hosted tool for sensitive matters — may be defensible.
For government and public sector: Slack's lack of Canadian data residency makes it difficult to satisfy sovereignty requirements in government procurement contexts. Organizations responding to RFPs with data sovereignty requirements should document this limitation clearly.
Slack is owned by Salesforce Inc. (US-incorporated) and is subject to the CLOUD Act. BC public bodies using Slack with sensitive personal information must complete a FIPPA privacy impact assessment. Slack's data is primarily stored in the US, with no dedicated Canadian data region, making the jurisdictional risk assessment particularly relevant.