Salesforce Locked Slack for Privacy, Then Opened It for a Partner
In May 2025 Slack banned outside models from your data and called it privacy. In June 2026 it opened the same data to Anthropic and called it multiplayer.
Thirteen months ago, Slack made it a violation of its own terms to feed your company’s messages into a third-party AI model, and the reason it gave was privacy. In June it placed an AI model inside your Slack channels and called the feature multiplayer. Nothing about the data changed in between. What changed is who is allowed to read it, and what Slack decided to call the reading.
Here is the paperwork. On May 29, 2025, Salesforce wrote a new section into Slack’s API terms, under a heading called Data usage. As the provider of an application, you may not use API Data to train a large language model. Bulk export of message and file data was barred in the same stroke, and data collected from one organization could no longer benefit another. Law firms reading the full text added the rest of the cage: no persistent copies, no archives, no indexes. The stated reason was privacy and security.
What the ladder protected
The 2025 change had casualties with names. Glean, an enterprise search tool that indexes a company’s apps so staff can query across them, could no longer add Slack messages to its permanent index. Access narrowed to a query-by-query basis, and Glean emailed customers that the change would hamper their ability to use their own data with the AI platform they chose. Internal copilots built on Slack archives had to be redesigned or retired. The stated principle was privacy: your Slack conversations are yours, and outside models do not get to ingest them. That principle had a hole from the start. Slack’s own AI, shipped in 2024, already read the same message history to write summaries and answer searches, hosted on Slack’s own cloud. The 2025 rule pointed outward, stopping rival models while Slack’s own kept reading.
Not everyone bought the privacy framing at the time. Wyatt Mayham, who runs an AI consultancy, told Computerworld the move felt like Salesforce “pulling up the ladder.” He named the other reading in the same breath: a step toward Slack data becoming a monetizable asset, dressed as protection. Multiple law firms advising clients on the change reached the same conclusion, that restricting outside access let Salesforce keep valuable conversational data for its own AI position. In May 2025 that was a prediction. It is no longer.
Thirteen months later
On June 23, 2026, Anthropic and Slack launched Claude Tag. It puts a shared @Claude inside a Slack channel as a persistent member that reads history, builds memory, and works on tasks for hours. Rob Seaman, EVP and general manager of Slack, told Reuters the point is that Claude shows up in the open instead of a private back-and-forth. He called it multiplayer.
What moved between the two years was the identity of the model doing the reading. When it belonged to an outsider, Slack called the access a privacy risk and barred it. When it belongs to a partner Salesforce chose, the access becomes a feature. The exposure is identical. The only thing swapped was the reader, from a barred outsider to an invited partner.
Salesforce said the strategy out loud in 2025. Rob Seaman told Salesforce Ben that Slack was not blocking outside AI altogether, and that the aim was for Slack to become the hub for AI, whether Salesforce’s own or a partner’s. The 2026 launch is that plan arriving. Anthropic is the named partner.
What you are turning on
Tagged in a channel, Claude Tag works from the channel’s history, not only the message that summoned it, and it keeps that context over time. With an administrator’s permission it learns from other channels and connected systems on its own, and it can act without being tagged, on a schedule it sets. Cat Wu, who runs product for Claude Code at Anthropic, told Reuters she gave her own Claude Tag access to her Gmail so it reads her mail and flags the senders who matter.
So a coworker-shaped AI reads what a coworker reads: the thread where two leads stopped speaking, and the message about a manager someone wrote at the end of a bad day and assumed would scroll out of memory. That is where the real org lives, the version that never reaches a system of record. It is why the feature is useful and what it now holds.
What you are signing
When you flip it on, you become the data controller under GDPR, and Anthropic and Salesforce become your processors. The lawful basis, the notice to staff, and in most cases a Data Protection Impact Assessment under Article 35 are your obligation, not the vendor’s. For a feature launched weeks ago, I would be surprised if many teams ran it first. In March 2026 the European Data Protection Board opened a coordinated action across twenty-five authorities on a related front, whether companies tell people their data is being processed at all. There is no opt-out for the individual employee. An administrator invites Claude into the channel; the person who wrote the message has no switch.
Under commercial terms the content is not used to train, and it is held thirty days by default, with zero retention available to enterprises who ask. Read those as what they are: settings the vendor controls, not laws of physics. Not used to train does not mean not copied. What happens to a vendor’s copy when a court comes asking is its own problem, and the short version is that court orders have compelled data vendors considered deleted.
You are not signing today’s terms either. You are signing Salesforce’s right to rewrite them, which it has already used once in thirteen months. When it changes them again, two things happen. Some admins will not read the update and will click through. Others read it, understand it, and click through anyway, because by then the tool is load-bearing and ripping it out costs more than accepting the new terms. That is how lock-in works, and it is working.
The contradiction
Salesforce raised the wall in 2025 and told you it was for your protection. It lowered it in 2026 and told you it was for your productivity. It is the same company and the same data, under the opposite verdict. The model now reading your Slack is one Salesforce shook hands with, where an outsider would have been barred. I do not know the terms of that deal, and neither does anyone outside the room. Whether it was planned in 2025 or improvised when a good partner arrived, I cannot say. The contradiction I can say, because it sits in Salesforce’s own terms, written down twice, thirteen months apart.
From archive to analyst
You might say Salesforce already held all of this, and it did. The messages, the files, the shared drives sat on its servers for years, and nothing burned down. Holding data and making sense of it are two different capabilities. An archive waits for someone who knows what to look for. That person is expensive. Claude Tag removes the cost. It reads across channels, keeps what it finds in memory, and acts on it without being asked. The material is the same as it was. What changed is that pulling meaning out of it stopped being expensive. In “Cost of Reading” that cost fell to zero for the state. This is the enterprise paying to make it fall on itself.
The contract you did not sign
The exposure does not stop at your own Slack. I lead engineering at an agency, and we send other companies contracts, specifications, and source code, under agreements that bind two parties and no one else. The day a counterpart points one of these agents at the channel or drive where that file sits, a model that signed nothing starts reading it. The NDA still binds the company. It says nothing about the reader an administrator can invite into the room, and the sender is never asked.
The same shape ships at every major vendor. Microsoft calls its Teams equivalent the Channel Agent, OpenAI calls it Workspace Agents, and each operates as an admin-added member that works across channel context and acts on its own schedule. Switching vendors does not close the gap. It renames it.
So the question a partner has to answer has changed. For years it was whether their people could be trusted with what you hand them. Now it is who their administrator let into the channel, on a console you cannot see. Salesforce picks the partner, an admin picks the toggle, and the employee picks nothing, the same asymmetry of choice that falls on whoever sits furthest from the switch. You sign something with the company. You sign nothing with the model it hired to read you.
If you have turned one of these agents on, you did not only volunteer your own Slack. Depending on the channels and drives an admin connected, you may have volunteered documents that other people sent you in confidence. Your partners were not asked, and most were not told.
The document that gives orders
When a model takes in a document, it can read the words as content and also read them as instructions, the first entry on OWASP’s list of risks for LLM applications. I walked through that list from the trenches in Only Your Engineers. The indirect form is a file carrying a line written for the model, invisible to the person, that the model then executes. Claude Tag holds memory, acts through connected tools, and runs on a schedule it sets, so a planted instruction does not have to fire the moment it lands. It can wait in the agent’s context and act days later, in a session that looks clean. I traced this attack surface at length in The Security Nightmare.
So a document sent to a partner arrives as two things at once: something their model reads, and something their model can run. The sender never signed with that model. The productivity pitch does not mention that the file is now also an input.


