Slack · Slack Sub-Processors (Salesforce) · View original document ↗

Identifying Information Storage Outside Provisioned Region

Medium severity Medium confidence Explicitdocumentlanguage Unique · 0 of 352 platforms
Share 𝕏 Share in Share 🔒 PDF
Monitor governance changes for Slack Create a free account to receive the weekly governance digest and monitor one platform for governance changes.
Create free account No credit card required.
Document Record

What it is

This provision discloses that identifying information about customer instances and users may be stored across Salesforce's global processing locations for operational purposes including login facilitation and customer support, independent of the customer's selected region, with a specific exception for Government Cloud Plus services where such information is one-way hashed before leaving designated data centers.

This analysis describes what Slack's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology

ConductAtlas Analysis

Why it matters (compliance & governance perspective)

This provision establishes that a category of data, specifically identifying information about customer instances and users, may be processed across Salesforce's global infrastructure regardless of the customer's selected regional configuration, representing a processing pathway that falls outside the scope of regional selection controls disclosed elsewhere in the document.

Interpretive note: The document does not define the precise scope of 'identifying information about Customers' instance(s) and identifying information about Users,' leaving ambiguity about whether this category encompasses personal data as defined under GDPR or equivalent frameworks.

Consumer impact (what this means for users)

Under this clause, identifying information about users and customer instances may be stored outside the customer's selected processing region for operational purposes, as stated in the document. The document also states that this storage is conducted across Salesforce's processing locations, which include the global network of Salesforce affiliates and sub-processors listed in the document.

Cross-platform context

See how other platforms handle Identifying Information Storage Outside Provisioned Region and similar clauses.

Compare across platforms →

Monitoring

Slack has changed this document before.

Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.

Get Monitor Or create a free account →
▸ View Original Clause Language DOCUMENT RECORD
"
In addition to the locations identified in the below Infrastructure and Sub-processors tables, Salesforce may store across its processing locations identifying information about Customers' instance(s) and identifying information about Users for the purpose of operating the Services, such as facilitating the login process and the provision of customer support. For the Government Cloud Plus and Government Cloud Plus - Defense Services, this information (except for business address) will be encrypted with a one-way hash algorithm before it leaves the Government Cloud Plus and Government Cloud Plus - Defense-specific data centers, rendering it unreadable to Salesforce and its cloud providers.

— Excerpt from Slack's Slack Sub-Processors (Salesforce)

ConductAtlas Analysis

Institutional analysis (Compliance & governance intelligence)

(1) REGULATORY LANDSCAPE: This provision engages GDPR and equivalent data protection frameworks applicable to the processing of personal data, specifically in the context of operational data flows that occur outside the primary data residency configuration. The disclosure that identifying user information may flow to processing locations globally for login and support functions may require evaluation under applicable transfer mechanisms for jurisdictions where such transfers require specific authorization. (2) GOVERNANCE EXPOSURE: Medium. Organizations with strict data localization requirements should assess whether the 'identifying information about Users' described in this provision constitutes personal data under applicable law and whether its global processing is covered by the organization's transfer impact assessment and DPA. The specific operational scope of 'identifying information' is not precisely defined in the document excerpt provided. (3) JURISDICTION FLAGS: EU and EEA organizations, UK organizations, and organizations in jurisdictions with data localization requirements face heightened exposure. The Government Cloud Plus carve-out with one-way hashing suggests that Salesforce has implemented technical controls for that specific service tier; commercial tier customers do not receive the same technical protection under the disclosed terms. (4) CONTRACT AND VENDOR IMPLICATIONS: Legal teams should assess whether their DPA explicitly addresses the global processing of user identifying information for operational purposes and whether this processing is covered by an appropriate transfer mechanism. The distinction between Government Cloud Plus and commercial service handling of this data category should be evaluated by customers in sensitive sectors who use commercial Salesforce services. (5) COMPLIANCE CONSIDERATIONS: Compliance teams should identify whether 'identifying information about Users' in their Salesforce environment constitutes personal data, document this processing pathway in records of processing activities, and confirm that applicable transfer mechanisms cover this operational data flow.

Full compliance analysis

Regulatory citations, enforcement risk, and due diligence action items.

Track 3 platforms — free Get Monitor

Free: track 3 platforms + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.

Applicable agencies

  • FTC
    The FTC has authority over data handling practices affecting US consumers and businesses, relevant to disclosures about global processing of user identifying information.
    File a complaint →

Provision details

Document information
Document
Slack Sub-Processors (Salesforce)
Entity
Slack
Document last updated
July 6, 2026
Tracking information
First tracked
July 6, 2026
Last verified
July 6, 2026
Record ID
CA-P-013440
Document ID
CA-D-00931
Evidence Provenance
Source URL
Wayback Machine
Content hash (SHA-256)
c9a4265bad5be0ead8d6b94ae1851641116635e9c04e0405cd39f87622f9770f
Analysis generated
July 6, 2026 23:13 UTC
Methodology
Evidence
✓ Snapshot stored   ✓ Hash verified
Citation Record
Entity: Slack
Document: Slack Sub-Processors (Salesforce)
Record ID: CA-P-013440
Captured: 2026-07-06 23:13:04 UTC
SHA-256: c9a4265bad5be0ea…
URL: https://conductatlas.com/platform/slack/slack-sub-processors-salesforce/identifying-information-storage-outside-provisioned-region/
Accessed: July 7, 2026
Permanent archival reference. Stable identifier suitable for legal filings, compliance documentation, and research citation.
Classification
Severity
Medium
Categories

Other risks in this policy

Compliance Governance Intelligence

Need to monitor specific governance provisions?

Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.

Arbitration clauses AI governance Data rights Indemnification Retention policies
Get Compliance

Or start with Monitor →

Built from archived source documents, structured governance mappings, and historical version tracking.

Frequently Asked Questions

What does Slack's Identifying Information Storage Outside Provisioned Region clause do?

This provision establishes that a category of data, specifically identifying information about customer instances and users, may be processed across Salesforce's global infrastructure regardless of the customer's selected regional configuration, representing a processing pathway that falls outside the scope of regional selection controls disclosed elsewhere in the document.

How does this clause affect you?

Under this clause, identifying information about users and customer instances may be stored outside the customer's selected processing region for operational purposes, as stated in the document. The document also states that this storage is conducted across Salesforce's processing locations, which include the global network of Salesforce affiliates and sub-processors listed in the document.

Is ConductAtlas affiliated with Slack?

No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Slack.