Slack Ediscovery: How to Collect Slack Data for Holds & Discovery
Slack, a messaging and collaboration platform, is increasingly ubiquitous in the world of business. This has made Slack a primary data source for electronically stored information (ESI) in internal investigations and discovery – and a potential headache for legal teams.
To help you with the Slack data ingest process, I, with the extensive help of the DISCO product team, created this guide.
Slack Ediscovery 101
Slack brings together workspaces, channels and direct messages where you can send messages, attach files, and collaborate on your work.
Understanding collaboration data
In the context of ediscovery, "collaboration data" refers to the digital content generated and shared through collaborative tools and platforms, such as Slack, that facilitate communication and cooperation among team members. On platforms like Slack, collaboration data encompasses a broad spectrum of digital interactions, including text communications, shared files, linked documents, media (such as images and videos), and data generated during virtual meetings.
Slack’s functionality as a hub for workplace communication significantly broadens the scope of what constitutes collaboration data. For instance, direct messages and conversations within public and private channels can reveal the flow of information and decision-making processes within an organization. File sharing and media sharing capabilities within Slack not only facilitate project management and team collaboration but also create records of exchanges and transactions that may be pertinent in a legal examination. The integration of various applications — ranging from project management tools to financial tracking apps — further extends the range of collaboration data, embedding external data sources directly into the communication stream.
Understanding the multifaceted nature of collaboration data in Slack is crucial for effective ediscovery. Legal teams must consider not only the content of communications but also the context provided by metadata, which includes timestamps, user information, and channel settings. This metadata can prove invaluable for authenticating data and establishing timelines in legal cases. Moreover, Slack’s comprehensive logging of user interactions and integrations allows for a detailed reconstruction of events, which is often necessary when disputes arise over actions taken or decisions made.
Understanding key Slack terminology
Terms you might regularly encounter include:
Discovery API (Application Programming Interface)
Slack’s Discovery API allows ediscovery and data loss prevention (DLP) providers to connect to Slack and use approved apps to export or act on messages and files from Slack.
Direct messages (DM)
Private conversations between two (or more) Slack users.
Channels
Chat rooms, which are private or public:
- Private channels require an invite to join. If you are not a member of a private channel, you cannot view or interact with it.
- Public channels are open, and all members of the workspace can join.
Workspaces
Slack Workspaces are the foundational digital spaces where teams within an organization collaborate. Each workspace serves as a self-contained area with its own channels, direct messages, apps, and settings, tailored to specific groups or projects. Workspaces can be department-specific, project-specific, or even temporary spaces for events and specific tasks.
This organizational structure allows companies to manage communication and file sharing effectively, maintaining clear separations between different projects or teams. For larger organizations, multiple workspaces can be linked through an enterprise grid, enabling better control and integration across the company.
Workspace Admin
Workspace Admins are the people who can oversee members, channels, and other administrative functions in your workspace.
Workspace Owner
Workspace Owners do everything admins do, but also control the highest-level security and administrative settings (e.g., payments, authentication methods, security policies, etc.).
Workspace Primary Owner
They can do everything Workspace Owners can do – plus delete the workspace.
Choose a Slack plan for ediscovery
Selecting the right Slack plan is crucial for aligning with an organization’s ediscovery needs and compliance requirements. Slack offers several plans, including free, standard, plus, and enterprise grid options, each with different features suited to varying business needs:
- Free Plan: This plan is ideal for small teams or those new to Slack. It offers access to 10,000 of the most recent messages, one-to-one voice and video calls, and 5 GB total file storage for the team. However, its limited message history and lack of audit logs and data exports restrict its usefulness in ediscovery contexts.
- Standard Plan: The standard plan is well-suited for small to medium-sized businesses that need more comprehensive features. It provides unlimited message history and cloud storage (starting at 10 GB per user), as well as user group provisioning and management. For ediscovery, the ability to perform full workspace exports of all data, including messages and files across private channels and direct messages, is particularly valuable.
- Plus Plan: Designed for larger businesses or those needing advanced functionality and security, the plus plan includes everything in the standard plan with additional benefits such as 20 GB of storage per user, SAML-based single sign-on (SSO), and real-time Active Directory sync. It also offers a more robust policy regarding data exports and access logs, which can be crucial for complex ediscovery needs.
- Enterprise Grid: For large organizations or those in heavily regulated industries, the enterprise grid plan provides a solution that supports multiple interconnected workspaces with centralized control. It includes advanced security features, such as enterprise mobility management and data loss prevention tools, as well as compliance exports of all messages across all workspaces, which are essential for comprehensive ediscovery processes.
Choosing the appropriate plan depends on factors like the size of the organization, the volume of ESI handled, and specific compliance and security requirements. For ediscovery purposes, higher-tier plans are generally preferable as they offer better control over data, more comprehensive export capabilities, and enhanced security features that ensure data integrity and accessibility during legal reviews.
Why would you need to collect Slack data?
Here are some key reasons for a business to collect Slack data:
- Litigation or investigation: Slack’s widespread adoption in the corporate world has made it a major data source for ESI in investigations and disputes.
- Compliance: Certain industries (think finance) have regulations requiring companies to retain all communication data for a certain period.
- Backup and archiving: Regularly saving your data is a best practice to proactively prepare for accidental deletion or a malicious attack.
- Data analysis: Companies can analyze Slack data for insights into employee productivity and communication patterns, or to identify areas for improvement.
Read: Failure to properly preserve Slack data has serious consequences. 📚
How is Slack data different from other ESI?
Electronically stored information, or ESI, is information that is created or stored electronically. As technology continues to evolve, so does the ESI legal teams handle – from digital documents and data on hard drives in the 2000s to cloud data and mobile metadata (and beyond) today.
Slack’s mode of operation poses challenges for corporate legal teams as they consider the data sources where material potentially relevant to litigation is stored and may need to be collected or preserved for litigation or investigation.
With this in mind, legal departments and firms should educate themselves on the proper preservation of Slack data and create a reliable process for handling it. (Pro tip: One of the best ways to do so is with a partner like DISCO for ediscovery and hold needs.)
Learn more about Slack: Building the Case for Slack 📚
Slack export for discovery: How to extract Slack data
To take data from Slack, a workspace owner or admin (read: get friendly with your IT team) can export data from public channels.
At the time of this writing (December 2024), the steps are as follows:
- First, click the workspace name (located in the sidebar) to open the menu.
- Mouse over Tools & Settings, then click Workspace Settings. This will open a new tab.
- Click the Import/Export Data button on the upper right.
- Select the Export tab. (It’s below the paragraph of text.)
- Click the drop-down menu below Export date range and select your desired time period.
- Click Start Export. Slack will email you once your export file is ready.
- Open the email and choose Visit your workspace's export page.
- Click Ready for Download to access the zip file.
Best practices: Collecting data from Slack for ediscovery
Here are our top tips to ensure your Slack data collection is compliant and efficient.
Understand Slack’s data types
Slack is a rich repository of various data types that pose unique challenges and opportunities for ediscovery. The core data type used by Slack for storing and transmitting information is JSON (JavaScript Object Notation), which structures data in an easily readable format for both humans and machines. This includes content from messages, threads, and channels, encompassing text, hyperlinks, and metadata such as timestamps and user IDs.
In addition to text, Slack supports a wide range of media data types, including audio notes, videos, and files attached to messages. Each of these data types can be critical in litigation or investigations as they may contain pivotal information. Protecting this data involves understanding how Slack handles encryption and access controls, ensuring that sensitive information remains secure while being accessible for legal review when necessary.
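As an added illustration (not DISCO's or Slack's code), the sketch below records a SHA-256 of an export ZIP before any processing, then turns the message JSON into a UTC timeline and lists the file references found in messages. It assumes the standard export layout (users.json plus <channel>/<date>.json arrays with ts, user, text and files fields); the sample data and the function names are constructed for the example.

```python
import hashlib
import io
import json
import zipfile
from datetime import datetime, timezone


def build_sample_export() -> bytes:
    """Constructed sample ZIP using the assumed standard export layout."""
    users = [{"id": "U01", "name": "alice"}, {"id": "U02", "name": "bob"}]
    day = [
        {"type": "message", "user": "U02", "text": "see attached",
         "ts": "1700000100.000200",
         "files": [{"id": "F01", "name": "q3.xlsx"}]},
        {"type": "message", "user": "U01", "text": "draft ready?",
         "ts": "1700000000.000100"},
    ]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("users.json", json.dumps(users))
        zf.writestr("general/2023-11-14.json", json.dumps(day))
    return buf.getvalue()


def inventory(zip_bytes: bytes) -> dict:
    """Hash the export as received, then build a timeline and file list."""
    digest = hashlib.sha256(zip_bytes).hexdigest()  # record before processing
    timeline, files = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = {u["id"]: u["name"] for u in json.loads(zf.read("users.json"))}
        for entry in zf.namelist():
            channel, _, leaf = entry.partition("/")
            if not leaf.endswith(".json"):
                continue  # skip top-level metadata files and directories
            for msg in json.loads(zf.read(entry)):
                # "ts" is a string of epoch seconds with a microsecond suffix;
                # keep the raw value as the sort key and message identifier.
                when = datetime.fromtimestamp(float(msg["ts"]), tz=timezone.utc)
                uid = msg.get("user", "")
                timeline.append((msg["ts"], when.isoformat(), channel,
                                 names.get(uid, uid), msg.get("text", "")))
                for f in msg.get("files", []):
                    files.append((channel, msg["ts"], f["id"], f.get("name")))
    timeline.sort(key=lambda row: float(row[0]))
    return {"sha256": digest, "timeline": timeline, "files": files}


if __name__ == "__main__":
    print(json.dumps(inventory(build_sample_export()), indent=2))
```

The file list can be reconciled against the attachments actually collected, and the recorded hash lets a reviewer confirm later that the ZIP handed to the review platform is the one that was exported.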
Establish and regularly review your data retention policy
Make sure to set your data retention policy for Slack as soon as possible to ensure it meets your overall data retention policy needs and goals. And establish internal guidelines for use – before a hapless employee shares confidential information there.
Slack offers comprehensive options for data retention that can be tailored to meet the specific compliance and operational needs of an organization. Administrators can set custom retention policies for different types of content, such as messages and files, choosing to retain data indefinitely or automatically delete it after a certain period. These settings can be applied globally across all channels and direct messages or customized for particular channels or workspaces.
For legal and compliance purposes, it’s crucial to align Slack’s retention settings with broader data governance policies to ensure that essential data is preserved without retaining unnecessary information that could increase liability.
Set and follow organizational requirements
Establishing clear organizational requirements for using Slack is essential for effective information governance and compliance. This includes defining acceptable use policies, setting up appropriate data retention protocols, and ensuring that all users are aware of the legal implications of their communications on the platform.
Organizations should train employees on the appropriate use of channels and direct messages, emphasizing the distinction between public and private communications. Additionally, implementing guidelines for the use of file sharing and third-party app integrations can help mitigate the risk of data breaches or inadvertent data leaks.
Look into Slack litigation discovery tools
Ediscovery tools are designed to facilitate the efficient collection, preservation, and analysis of electronically stored information (ESI) within legal proceedings. These tools integrate with platforms like Slack to automate the extraction and processing of data, ensuring comprehensive capture of all relevant information, including deleted or edited messages, provided the data is preserved in accordance with legal requirements.
DISCO Hold, for example, extends these capabilities by enabling seamless identification and preservation of data directly from Slack. This integration allows legal teams to place holds, collect, and review Slack data without leaving the DISCO platform, streamlining the process and reducing the risk of data spoliation or loss. By automating data collection and applying sophisticated data analytics, DISCO Hold helps legal professionals manage complex ediscovery tasks more efficiently and with greater accuracy.
How to collect Slack data with DISCO Hold
In 2022, we released an integration to simplify the process of identifying and collecting Slack data for DISCO Hold. We then expanded DISCO Hold capabilities to seamlessly identify, collect, and preserve not only Slack data, but also Box and Google Vault data directly from the source.
To begin collecting Slack data with DISCO Hold, you must first integrate your Slack workspace.
How to set up DISCO Hold’s Slack integration
Complete the following steps in the DISCO Hold interface. (Note: You must be your company’s Slack “Primary Org Owner.”)
- On the Matters page, click the Admin Panel in the upper right corner.
- Next, click Integrate on the Slack integration file.
- On the next page, click Connect to Slack.
- Enter your workspace URL, then click Continue.
- Click Sign in here where it is for Primary Org Owners.
- Enter the credentials of the Primary Org Owner and then sign in.
- Click Allow.
- You will be redirected to the DISCO Hold Admin Panel, showing a confirmed “Integrated” message.
Once the integration is established, you can begin preserving Slack data in place and notifying relevant custodians they are on hold.
Read: Legal Hold Guide: How to Manage Custodians 📚
Once the data is preserved, you can preview, filter, and export the relevant dataset from DISCO Hold.
You can also directly collect and ingest Slack data into a DISCO Ediscovery database through self-service tools like the native high-speed uploader – or send via high-speed uploader or SFTP to DISCO Professional Services.
How to ingest Slack data into DISCO Ediscovery
Here are the steps for a Workspace Owner/Admin, Org Owner/Admin, or a member with Export Admin to export independently.
- Within Slack Settings and Permissions, utilize the Export feature to select an export date range or schedule an export frequency.
- Download the Slack export.
- In DISCO Ediscovery, navigate to Ingest > New ingest > Slack > Exported ZIP file to open the ingest wizard.
- Complete the relevant fields to name your ingest, then browse to the file location of your Slack ZIP file (not an unzipped loose file folder) and select it.
- Because Slack does not automatically include file attachments in its export, you will be given the option to also download files that are attached in Slack messages, or to simply ingest the Slack messages alone.
Note: Downloading attachments will increase the billing size of the ingest. 💵
DISCO’s Slack data capabilities make the entire process – preserving Slack data in place, collecting data on hold, and ingesting the collected data into a review platform – simpler, faster, and more effective.
DISCO Hold automatically downloads attachments to messages, de-duplicates already-ingested messages, sends exceptions to our Professional Services team for remediation, and more. (You can also opt out of any or all of these features.)
Benefits of DISCO's Hold integration:
With Slack’s DISCO Hold integration, DISCO exports those files for you, and makes it easy to manage your hold compliance workload:
- Streamlined legal hold compliance
- Instant in-place preservation (IPP) of data
- Preview and cloud collection capabilities
- Audit trails and automated reporting
- Simplified custodian termination
💡Learn more: Manual Hold vs. In-Place Preservation
Simplify Slack data processing with DISCO:
I hope that this guide makes the process of collecting and processing Slack data less intimidating for you.
Getting your Slack data into compliance for legal hold, or making it simple for your ediscovery team to examine and produce that data, doesn’t have to be complicated or time-consuming. If this article has piqued your interest in using DISCO, schedule a one-on-one demo. I think you’ll love it!