Important: there are two different Slack AI things
"Slack AI" can refer to two distinct products with different defaults and different privacy postures, and the May 2024 controversy conflated them in ways that still confuse SMB owners.
Slack's general-purpose ML models (channel recommendations, emoji suggestions, search ranking). These have used de-identified aggregate customer data for training by default since at least September 2023. Opt-out exists but requires a workspace owner to email feedback@slack.com with a specific subject line — not a self-serve toggle.
Slack AI add-on product (the paid generative AI features: conversation summaries, channel recaps, AI-powered search). This product uses third-party LLMs (primarily Anthropic's Claude via AWS Bedrock) and does NOT train its underlying LLMs on customer data per Slack's documentation.
The May 2024 backlash was about the first product. Slack's clarification was substantially about the second product. The two are different. Most SMB owners conflate them.
Plain-English risk rating: 3 of 5
Mid-range risk for the Slack workspace as a whole. The May 2024 "email to opt out" controversy was a transparency and UX failure rather than a fundamental data-handling failure — the general-purpose ML models do use de-identified aggregate data, not raw message content. But the opt-out posture (workspace-owner-email-required) remained in place even after the policy clarification, which is a deliberate choice that signals where Slack/Salesforce stands on consent defaults.
The inherited Salesforce Einstein Trust Layer for tenant-isolated AI workloads brings the paid Slack AI tier closer to a 2 of 5. But the bundled product where most SMBs encounter Slack AI is the workspace itself, where the default ML training applies.
Recommended for
- Sole proprietor: If you use Slack at all, the default applies. The marginal harm is low for individual users (de-identified aggregate metadata, not message content), but the consent default is worth flagging.
- Small team (2-10 people): If you handle client data in Slack DMs or private channels, have your workspace owner email feedback@slack.com with the opt-out request. Pay for Slack AI separately only if the productivity uplift justifies the cost.
- Regulated industry: Slack Enterprise Grid with Enterprise Key Management (EKM) for tenant-controlled encryption, plus the workspace-owner opt-out from general-purpose ML training, plus restriction of Slack AI add-on to non-regulated channels only.
- The honest answer for most 1-10 employee businesses: Slack is the workplace messaging substrate for most SMBs and switching is impractical. The right posture is: opt out via the workspace owner email, treat Slack DMs as not-end-to-end-encrypted business communication (because they aren't), and decide whether the Slack AI add-on is worth the additional money based on actual usage patterns rather than feature lists.
Data retention default
- General-purpose ML models: De-identified, aggregate customer data used for training (channel recommendations, emoji suggestions, search ranking) unless workspace owner opts out via email request
- Slack AI add-on (paid product): Third-party LLMs (Anthropic Claude via AWS Bedrock) process content per request; not used for LLM training
- Standard message retention: Per workspace plan and admin configuration (workspace owners control retention policy)
- Free tier: 90-day message visibility limit (older messages hidden but retained per Slack's retention policy)
Training opt-out
General-purpose ML — TRAINING IS ON BY DEFAULT using de-identified aggregate data. Opt-out is workspace-owner-only and requires emailing feedback@slack.com with the subject line "Slack global model opt-out request" and the workspace/org URL.
Individual users cannot opt out for themselves. The opt-out is workspace-wide and must be initiated by an admin.
Slack AI add-on — NO TRAINING ON CUSTOMER DATA BY DEFAULT. Third-party LLM agreements prohibit training on Slack customer content.
Zero Data Retention availability
- Slack AI add-on uses zero-retention API arrangements with Anthropic via AWS Bedrock for the generative features
- Enterprise Grid with EKM provides tenant-controlled encryption keys for additional data sovereignty
Plan tiers and pricing (as of early 2026)
| Tier | Price (USD) | General ML opt-out? | Slack AI included? | Suitable for |
|---|---|---|---|---|
| Free | $0 | Workspace owner must email | No | Personal/small use; 90-day message visibility |
| Pro | $8.75/user/month | Workspace owner must email | Add-on extra | Small teams |
| Business+ | $15/user/month | Workspace owner must email | Add-on extra | Growing teams with admin needs |
| Enterprise Grid | Custom | Admin controls | Add-on extra | Larger orgs needing EKM, SSO, compliance |
| Slack AI (add-on) | ~$10/user/month additional | No training on customer data | N/A (this IS the add-on) | Productivity uplift for teams that will use summaries |
Jurisdiction
- Primary processor: Slack Technologies LLC, a subsidiary of Salesforce, San Francisco, California, USA
- Cloud infrastructure: AWS primarily; Anthropic Claude via AWS Bedrock for Slack AI features
- EU Data Residency available for qualifying customers
- Subject to Salesforce-level governance per its SEC filings (Cybersecurity & Privacy Committee oversight formalised December 2025)
Breach history (public incidents)
May 2024 — "Email to opt out" controversy and policy clarification
A Slack user posted on Hacker News in May 2024 highlighting that Slack's published privacy principles stated workspace data could be used to train Slack AI models, and that opting out required emailing feedback@slack.com. The post went viral. Industry analysts (Irwin Lazar at Metrigy among others) criticised the consent default. Slack updated its privacy principles to clarify that (a) only de-identified aggregate data is used for general-purpose ML, not raw message content, and (b) the Slack AI add-on product does not train LLMs on customer data. The clarification did not change the opt-out mechanism — it remains workspace-owner-email-required.
The incident is important not as a security breach but as a consent-default case study: a policy in place since at least September 2023 only became visible to users when one developer flagged it publicly.
Sources: TechCrunch (May 17, 2024); Polymer analysis; Salesforce Ben coverage; Computerworld policy update reporting (April 2025)
Note on the broader Slack platform: Slack itself has had a substantial history of security incidents that affect Slack AI indirectly (since Slack AI inherits the platform's security posture). The October 2023 EA Sports / Activision Slack breach (social engineering via Slack credentials) and ongoing concerns about session token theft via infostealer malware are baseline platform risks. Slack AI does not introduce new infrastructure-level breach exposure, but it does increase the value of compromising a Slack account (because the AI summarises everything the user has access to).
Note on inherited Salesforce risk: Salesforce-wide breaches (ShinyHunters campaigns against Salesforce Experience Cloud sites during 2025-2026) affect Slack indirectly through the shared infrastructure and identity stack.
What this means in plain English for SMB owners
Three honest takeaways:
- Your workspace owner needs to send the opt-out email. Individual users cannot do this. The email goes to feedback@slack.com with subject "Slack global model opt-out request" and includes your workspace/org URL. If your workspace owner has not done this, your aggregate metadata is in Slack's general ML training pool.
- The Slack AI paid add-on is a different product with different defaults. It does not train LLMs on your data. Whether it's worth the additional ~$10/user/month depends on whether your team will actually use channel summaries and AI-powered search. Most teams do not get full value from it.
- Slack is workplace messaging infrastructure for most SMBs. The realistic posture is configure-and-stay rather than migrate-away. Opt out via the workspace owner email, treat DMs as business records (not private), and decide on the Slack AI add-on based on usage rather than marketing.
Sources
- Slack privacy principles: https://slack.com/trust/data-management/privacy-principles (verified 2026-05-24)
- TechCrunch: Slack under attack over sneaky AI training policy (May 17, 2024)
- Polymer: Inside Slack's AI training controversy (May 2024)
- Salesforce Ben: What's Brewing at Slack controversy coverage (May 2024)
- Computerworld: Slack updates AI privacy principles after user backlash (April 2025)
- Network Right: How to Opt Out of Slack's AI Training Program guide
- Redact.dev: How To Opt Out of Slack AI Training (April 2026)
- AgainstData: How To Opt Out of Slack AI guide (December 2025)
- Salesforce 2026 Proxy Statement (SEC DEF 14A): Cybersecurity & Privacy Committee charter
Related on AI Leakage
- Compare all 29 AI tools in the risk directory — see how Slack AI (Salesforce) stacks up against the rest, tier by tier.
- Take the 5-minute “Am I Leaking?” check — a personalised view of your business’s AI exposure.
- Check a prompt before you paste it — our free Data-Safe Prompt Rewriter.
- Shadow AI vs AI leakage — why even approved tools like Slack AI (Salesforce) can leak data.
- Get plain-English AI Leakage Alerts — we email you when an AI tool you use changes its data policy or has an incident.
- Get the free AI Acceptable Use Policy template — a plain-English policy with the tool-by-tool risk guide built in.