The beginner’s guide to Slack eDiscovery

Welcome to Onna’s beginner’s guide to Slack eDiscovery — where we dive into eDiscovery for Slack, the leading channel-based messaging platform taking the modern workplace by storm. With more than 12 million daily active users, and over 600,000 businesses subscribed to the platform, Slack is quick, collaborative, and scaling at a rapid pace.
As more companies pivot to Slack as their primary means of communication, more “work happens” there, creating a hub of critical information. Slack has enabled teams to be more productive than ever before, but from an eDiscovery standpoint, many legal professionals are left wondering how to tackle the challenges of data collection, processing, and production when the time inevitably comes.
Up until now, we’ve never encountered the type of data that platforms like Slack are producing. From file sharing, to gifs, to threads of messages, Slack is loaded with dozens of intricate, multi-faceted functionalities. Gone are the days of solely sorting through discrete emails, documents, and images. The rise of dynamic tools like Slack has completely changed the way we exchange information, and consequently — how we discover it. Traditional eDiscovery methods can’t keep up, and legal teams are on the hunt for solutions that can.
Our beginner’s guide will walk you through:
- The ins and outs of the Slack platform
- The dynamic nature of its data
- Data retention in Slack
- Your options for eDiscovery
- An adaptive game plan to help you get started on your Slack eDiscovery journey
Let’s take a look at each of those in a bit more detail.
What is Slack?
The first step in understanding your Slack eDiscovery options is to understand all the bells and whistles of the platform. At its most basic level, you can think of Slack as a company-wide chatroom. It’s a collaborative workspace designed to streamline communications between teams in real-time, rather than a long chain of emails. Questions get answered faster, projects live in one centralized location, and as a result, teams are more productive. In order to understand how Slack works on a deeper level, let’s break down its components:

Fun fact: Slack is actually an acronym that stands for Searchable Log of All Communication and Knowledge.
Workspaces
A company’s Slack environment is called a “Workspace”. Small to medium-sized companies typically only have one workspace, however, larger companies might have several workspaces connected to Slack Enterprise Grid — we’ll get into what that means later.
Channels
Within a Slack workspace, members can create public or private channels for ongoing group discussions. Public channels are open to all members within the workspace, whereas private channels are invite-only and dedicated to specific working groups. For example, a channel titled “Marketing” might be dedicated to the marketing team, whereas a channel titled “Marketing Ideas” might be open to the entire organization. If you feel there is no longer a need for a channel, you can delete it or archive it.
Direct & Multi-Person Messages
Slack also offers private messaging features for one-off interactions. If you only want to reach out to one person, you can do so through direct messaging. If you want to reach out to a smaller group of people, you can create a multi-person message.

Third-party integrations
Slack’s ability to integrate with third-party applications is one of its most powerful features. With 2,000+ integrations, Slack has one of the most extensive integrations systems. This allows you to use the apps you know and love within Slack so you can collaborate more efficiently. No more switching tabs or double-checking who was shared on what, by integrating with apps available on Slack’s directory, you can create a central hub of collaboration. However, for Slack eDiscovery purposes, it’s important to keep tabs on what integrations your organization is using to get a full picture of your environment.
Roles & Permissions
Each workspace has the following roles and permissions. These are important to refer back to when it comes to collecting from Slack for eDiscovery.
Owners
Owners have the highest level of permissions. There can be multiple owners within a workspace, however, the “primary owner” is the only one that can delete a workspace or transfer it to another owner.
Admins
Admins have the second-highest level of permissions. There can be multiple admins within a workspace, and each can invite or delete members, moderate channels, and maintain general administrative tasks.
Members
Members include every other person in your organization that joins your workspace. They have access to all public channels as well as the ability to create their own, and can use Slack to communicate and collaborate.
Guests
These are users who do not have full access to public channels — only channels relevant to them. For example, if you hired a vendor or a consultant to work on a project, you might want to invite them to one or more channels as a guest temporarily.
Understanding your Slack plan
Understanding your company’s plan is critical for Slack eDiscovery. Slack offers three different types of business plans: Pro, Business+, and Enterprise Grid. Pro and Business+ are designed for smaller to medium-sized companies, while Enterprise Grid is designed for larger organizations with a more complex structure.
If you’re interested in learning more about their technical capabilities, head over to Slack’s pricing page. However, if you’re looking at these plans through a Slack eDiscovery lens, here’s an overview:
Pro
- Custom retention policies for messages and files
Business+
- Custom retention policies for messages and files
- Corporate exports for all messages
Enterprise Grid
- Custom retention policies for messages and files
- Corporate exports for all messages
- Support for integrations with data loss prevention (DLP), e-Discovery and offline backup providers
- Security, compliance, billing, and platform integration management in a single view
- Enterprise Mobility Management (EMM) integration
- Audit logs API
If you’re asking yourself, “Great — but what exactly does this all mean?” and “Which plan makes the most sense for me for eDiscovery purposes?” We have the answers you’re looking for. In the following sections, we break down what Slack eDiscovery really looks like, so you can start developing a plan to meet your eDiscovery and compliance needs.
Understanding Slack data
Before we dive into Slack eDiscovery options, it’s critical to understand the unique nature of Slack data. Like so many of today’s emerging applications, Slack’s technology is state-of-the-art. It integrates with over 2,000 apps and maximizes functionality with neat customizations, shortcuts, and file-sharing options. As if that’s not enough, Slack even allows you to build your own apps on the platform (over 700,000 developers do!)
With the click of a button, you can send a gif, share a link, start a thread, even edit and delete messages. Its ease of use and ephemeral qualities make Slack data proliferate and change like no other. All of these functions are what make Slack such an awesome tool to use, however, they’re also what makes its eDiscovery process more complex than other platforms out there.

The thing is … the more dynamic the data, the harder it is to identify, process, and export in comprehensive formats — and Slack has a lot of dynamic data. This ultimately means that unless you have a proper eDiscovery plan in place, the Slack data you export will come out as a JSON file (see above). This provides no contextual information and will take even the most diligent legal teams extended time and effort to review.
Understanding Slack data retention
Regardless of what plan you have, Slack has customizable retention policies for messages and files. It’s critical to address your retention policy right away to reinforce data loss prevention. The default retention setting will retain all of your messages and files for the full life span of your workspace. However, you can change this setting to fit your personal preferences.
For example, a 30-day message retention policy will automatically delete any message and file older than 30 days. Once deletion happens, it is permanent. However, if a file originated from an outside source like Google Workspace or Dropbox and you choose to delete it in Slack, it will still live in its original source. For more granular message and file retention settings, check out the chart below:
Message retention
- Keep everything
- Keep all messages, but don’t track edits and deletes
- Delete messages and their edits and deletes
- Let workspace members override settings
File retention
- Keep all files
- Keep all files for a certain number of days
Tip: The Slackbot will notify your entire workspace of retention policy changes.
So what are my options for Slack eDiscovery?
There are currently two ways to collect from Slack for eDiscovery:
1) A workspace admin must first request a standard or corporate export of data from Slack. A standard export will give you all public channel content from a workspace, including messages and links to files. A corporate export will give you content from both public and private channels as well as direct messages.
If you’re looking for a bigger picture of your Slack data, a corporate export will give you everything in your workspace. The downside? The export will look like the confusing JSON file you saw in the previous section.
2) The second option (and the one we recommend) is to collect Slack data via the Discovery API. The Discovery API gives you access to all resources in multiple workspaces within your account, including edits and deletions — all while using a single access token.
You can also access resources that have been shared among those workspaces. If you integrate the Slack Discovery API with an eDiscovery solution like Onna, your data will be fully searchable and ready for review.
The bottom line …
Settling for Slack exports will cause major roadblocks for the remainder of your eDiscovery process. When you can’t make sense of your Slack export (JSON file), it’s hard to determine the defensibility of information and what’s relevant to your case. Not only does this lead to unnecessary processing fees, but also a lack of clarity for review.
For this reason, we recommend working with a third-party eDiscovery solution rather than trying to do it ad hoc. If you don’t, your legal team will have to jump through hoops that will cost you time, money, and increase the risk of error.
If you’re ready to work smarter, we’re breaking down our Slack eDiscovery game plan so you can avoid expensive pitfalls, increase efficiency, and set yourself up for long-term success.
Slack eDiscovery game plan
Whether you’re just starting out on your Slack eDiscovery journey, or have already taken some kind of action, we believe each of these steps are crucial to employing a successful Slack eDiscovery plan. However, we understand that no company or legal team is the same, so we made sure that this is an adaptive guide to fit your unique needs.
Step 1: Understand your needs
It seems obvious, but the first step in launching a successful Slack eDiscovery plan is understanding your needs. It’s not uncommon for teams to second-guess the need for a proactive Slack eDiscovery plan, but you should be assessing the reason why. After all, e-mail eDiscovery solutions are a no brainer, so how is this any different? If you or others on your team find yourself in this way of thinking, it’s time to seriously examine how your organization is using Slack. To do this, you should be asking yourself questions like:

By asking yourself these questions, you can start to get a better idea of what plan of action is right for you. For example, if you come from a company of a few thousand people who regularly engage with Slack, chances are you’re dealing with a much larger data set and higher stake litigation. If this is the case, you know that solely relying on a corporate export won’t be enough and it’s time to re-assess the Slack eDiscovery plan you have in place.
Step 2: Re-assess your Slack plan & retention settings
Once you fully understand your needs, you should make sure your current Slack plan and retention settings meet those needs. Let’s build on the same scenario as before for convenience’s sake:

In this scenario, we run into two issues:
- Your legal team needs to be able to collect from multiple Slack channels and messages to detect suspicious behavior, but without the Discovery API, messages cannot be scanned with ease and become nearly impossible for a responsible legal team to understand.
- With the retention setting allowing members to override policies in channels, this group of custodians could’ve created a secret channel and then set it to delete after one day, thus, erasing all evidence of their conversations. Not to mention, one user can live in so many different channels and groups, it can be difficult to gauge the scope of their involvement on the platform in the first place.
This is just one scenario out of many that can happen when legal teams aren’t keeping track of their Slack plans and retention settings. A small oversight can cost you big time, so re-assessing your plan’s capabilities alongside your evolving needs is critical in forming a good Slack eDiscovery strategy.
Step 3: Establish a company Slack policy
There should always be a company policy in place for every new technology implemented — and Slack is no exception. It’s good to outline clear expectations about how the platform should be used and how it’ll be monitored. Maybe you indicate what channels/words should remain confidential, what words or behaviors might be flagged or reported, and what message retention policy is in place. By educating your company on these points, you have a greater chance of avoiding any misuse of the platform.
Tip: If you haven’t established one already, having an internal Slack compliance guide for your legal team is a necessary part of having a strong Slack eDiscovery plan. From outlining the capabilities of your current Slack plan to listing protocol for retention settings, a compliance guide can prevent any important information from being lost and can streamline the eDiscovery process for the future.
Step 4: Implement an eDiscovery solution
To ensure your Slack eDiscovery plan is the strongest it can be, you’ll want to implement a trusted eDiscovery solution. Since litigation happens once in a blue moon for a majority of companies, far too many legal teams feel that they’re overspending on an in-house solution. However, the opposite couldn’t be more true. In fact, companies waste millions of dollars waiting for litigation to strike rather than taking a proactive approach.
If you’re ready to take the plunge and look for a Slack eDiscovery solution, at the very minimum it should be able to:
- Connect directly to Slack’s Discovery API to ensure you’re extracting the most defensible data possible
- Give you the power to choose what Slack data you collect and preserve
- Continuously sync and archive specific workspace data if needed
- Turn those incomprehensible JSON files into contextual information
- Indicate edits and deletions in messages
- Place custodians on legal hold
Beyond these Slack-specific features, your eDiscovery solution should be able to tick off some other crucial boxes as well. The ability to collect as little or as much as you need, flexible software deployment, top-tier security measures, and advanced search capabilities are just a few of the top things to look for in an eDiscovery software. By bringing a Slack eDiscovery solution in-house, you’ll be able to increase efficiency and cut back on spending in the long run.
Step 5: Make a long-term eDiscovery and preservation plan
Ideally, litigation and internal investigations will rarely come up in a company’s life cycle. However, if and when it does arise, you’ll want to think about the big picture when shopping around for an eDiscovery solution. Maybe right now your priority is to find something cheap and easy for Slack, but down the line, you may wish you’d considered the most robust tool for Google Drive, Zendesk, Dropbox, and all the dozens of other enterprise applications your organization may use. For these reasons and more, it’s best to look for a “master tool” for your entire tech stack.
You’ll also want to think about the longevity of your eDiscovery tool. Is it API-based and built on the cloud? Is it able to scale with your company’s growth? Are you able to work it into a viable preservation plan? All of these questions and more should be considered in determining its long-term value for your company.
Moving forward
And there you have it! You now know everything there is to know about Slack eDiscovery. We hope our tips inspire you to move out with the old and in with the new when it comes to your Slack eDiscovery plan. To sum it all up, here’s a side-by-side look at the old way vs. the new way for Slack eDiscovery:


About Onna for Slack
Onna cuts the steps it takes to collect, process, and export Slack data in half. Say goodbye to manual exports and connect your workspace directly to Onna to collect data in its native format. Slack’s Discovery API and our open-ended API integrate to simultaneously collect and process the data you need in real-time — nothing more, nothing less. Our rapid ML indexing paired with our precise search capabilities makes it easier than ever to not only customize your collections and avoid unnecessary processing costs, but also find what you need when you need it. Once your Slack data is in Onna, your team has immediate access to it. Set legal holds, review and collaborate on evidence, and when you’re ready, export data into the review platform of your choice.
Sound like the solution you’re looking for? Read more about our Slack eDiscovery connector here.
