Security at Slite

Last Updated: 
At Slite, the security and privacy of customer data are foundational to our product and operations. We maintain robust technical, organizational, and administrative controls to protect the information entrusted to us and continuously evaluate our practices to meet industry standards and regulatory requirements.

Security Standards

SOC 2 Type II Compliance

Slite maintains a SOC 2 Type II certification, demonstrating that our security controls are designed and operating effectively in accordance with the AICPA Trust Services Criteria. Our audit is performed annually by an independent, accredited third-party auditor.
We leverage Vanta to support continuous monitoring of our security controls and to help ensure ongoing alignment with SOC 2 requirements.

GDPR Compliance

Slite complies with the General Data Protection Regulation (GDPR) and implements the technical and organizational measures required to protect the personal data of individuals in the European Union.
Our GDPR compliance program includes:
  • a comprehensive Data Processing Agreement (DPA)
  • support for all data subject rights (access, rectification, deletion, and export)
  • Standard Contractual Clauses (SCCs) for international data transfers
  • documented data retention and deletion procedures
  • a vetted and transparent list of sub-processors
  • periodic reviews of our privacy and data protection practices
You can access our GDPR-related documentation here:
  • Privacy Policy
  • Data Processing Agreement (DPA)
  • Sub-processor List

HIPAA Compliance (Enterprise Tier)

Slite complies with the Health Insurance Portability and Accountability Act (HIPAA) and supports customers in meeting their regulatory obligations when processing Protected Health Information (PHI). As a HIPAA-compliant service provider, Slite:
  • implements administrative, physical, and technical safeguards required under the HIPAA Security Rule
  • maintains policies and procedures aligned with HIPAA requirements
  • ensures encryption of PHI in transit and at rest
  • enforces strict access controls and audit logging
  • conducts periodic risk assessments and workforce training
  • supports breach notification obligations
Slite provides HIPAA support, including execution of a Business Associate Agreement (BAA), for enterprise-tier customers. To inquire about HIPAA availability or request a BAA, please contact support@slite.com.

Accessing Our Trust Center

Slite maintains a dedicated Trust Center, hosted by Vanta, which provides customers and prospects with up-to-date security and compliance information. Through this portal, authorized viewers can access:
  • our SOC 2 Type II report
  • security policies and documentation
  • control monitoring summaries
  • relevant certifications and attestations
Certain documents require submitting an access request so that we can verify the identity and purpose of the requester. Once approved, materials can be downloaded directly from the Vanta Trust Center.

Security Overview

Security is foundational to how we design, build, and operate Slite. We align our controls with the SOC 2 framework and continuously work to strengthen our technical and organizational safeguards. This page outlines the key principles and practices that guide our security posture, offering transparency for customers and reinforcing a secure environment for all Slite employees.

Cloud Provider & Data Hosting Location

Slite’s infrastructure runs on Google Cloud Platform (GCP), with all production data hosted in the EU (St. Ghislain, Belgium). This setup aligns with European data protection expectations and supports compliance with GDPR requirements.
Within GCP, customer data benefits from advanced physical and environmental security, including perimeter protection, 24/7 on-site security personnel, biometric access controls, CCTV surveillance, and rigorous internal access policies. More information on GCP’s physical security practices is available here.

Network Communication

Slite protects all data in transit using industry-standard encryption. All communication between client applications and our servers is secured with TLS, configured according to current best practices. Our TLS configuration consistently achieves an A+ rating on SSL Labs, ensuring strong protection against common attack vectors.
Within our infrastructure, data is transferred and processed inside a restricted, private network. Access to this environment is strictly limited and controlled, and only authorized Slite employees may access internal systems for maintenance or debugging purposes.

Data Storage & Backup Practices

Slite organizes customer data into three main categories, each stored and protected using dedicated infrastructure and backup processes.

Structural Data

Structural data includes organization metadata, user information (email, protected password, display name), and document hierarchy (channels, sub-docs, and related structure).
This data is stored in a relational database with the following protections:
  • Daily backups replicated across multiple Google Cloud data centers within the EU
  • 7-day backup retention, enabling daily point-in-time recovery
  • Monthly restoration tests to verify backup integrity and reliability

Document Content

Document content (including the text of your documents, real-time collaborative edits, and version history) is stored in a MongoDB database.
Because this is the core of our service, we maintain several layers of snapshot-based backups:
  • Every 6 hours, retained for 7 days
  • Weekly snapshots every Saturday, retained for 4 weeks
  • Monthly snapshots, retained for 12 months
These combined policies ensure resilient, redundant protection of your document content and its historical changes.

Indexed Data for Search

To provide fast and relevant search capabilities, Slite uses Elasticsearch to index textual document content.
  • Only textual and uncontextualized document data is indexed for search purposes.
  • For our Ask feature, we compute semantic vector embeddings internally using GPU resources to enhance retrieval relevance.

Use of Artificial Intelligence

Slite uses AI technologies to enhance search and content retrieval. Customer data used for AI-powered features is processed securely within our infrastructure and is not used to train external models. AI processing follows the same security, access control, and privacy protections that apply to all Slite data.

Media Files

Media assets (images, attachments, and uploaded files) are stored in Google Cloud Storage buckets within the EU.
To protect media files:
  • All media is stored redundantly across multiple Google Cloud data centers in Europe.
  • A daily replicated copy is stored in a secondary bucket, also distributed within the EU.

Encryption & Data Protection

Slite does not currently offer end-to-end encryption. However, all data transmitted between your device and our servers is protected using strong TLS encryption, following industry best practices.
All customer data stored on our infrastructure is encrypted at rest using Google Cloud’s built-in encryption mechanisms. This ensures that even if physical storage media were compromised, the data would remain unreadable without the appropriate decryption keys.
Encryption keys for data at rest are managed within GCP following industry-standard secure key management practices.
Access to data within Slite is further protected through strict authentication and authorization controls, ensuring that only properly authenticated users and authorized systems can access customer information.

Authentication & Authorization

Slite supports multiple secure authentication methods, including traditional email/password login and Single Sign-On (SSO) through Google, Slack, and Apple. For customers on our Knowledge Suite or Enterprise plans, we also offer enforced SSO and support for external identity providers via OAuth 2.0 / OpenID Connect, such as Okta, Azure AD, OneLogin, and Auth0.
Authorization in Slite is flexible and designed to support a wide range of access models. Organizations can:
  • Set documents as accessible to everyone within the workspace
  • Restrict documents to specific users or user groups
  • Publish documents publicly on the internet
  • Control read-only or read/write permissions at the document level
All authentication and authorization logic is enforced by Slite’s backend application, ensuring consistent access control across the platform.

Secure Development Practices

Slite follows secure software development practices designed to prevent, detect, and remediate vulnerabilities throughout the development lifecycle.

Developer Training & Standards

  • All engineers are trained in secure development principles and follow recognized industry guidelines, including the OWASP Top 10.
  • We rely on well-established cryptographic algorithms and trusted open-source frameworks that undergo continuous review by the security community.

Code Review & Testing

  • Every code change undergoes mandatory peer review to ensure quality, correctness, and security.
  • A suite of automated tests (unit, integration, and end-to-end) runs prior to each deployment to prevent regressions and detect unintended behavior.

Independent Security Assessments

  • Slite conducts annual penetration tests and code audits performed by independent security firms.
  • We maintain a vulnerability disclosure program and encourage responsible reporting from external researchers.

Vulnerability Management

  • Identified vulnerabilities, whether from penetration testers or external reporters, are tracked and addressed following strict internal SLAs aligned with industry standards (such as Google Project Zero timelines).
  • We use automated tools to detect outdated or vulnerable dependencies, including:
      • Google Cloud Container Scanning
      • GitHub Dependabot alerts
These combined practices help ensure that Slite’s codebase remains secure, well-maintained, and resilient against emerging threats.

Data Retention & Deletion

Slite follows documented data retention and deletion policies designed to meet operational needs, regulatory requirements, and customer expectations.
  • Workspace deletion: When a workspace is deleted, associated customer data is removed from active systems and scheduled for deletion from backups according to our backup retention periods.
  • Customer-initiated deletion: Users can delete documents or content at any time. Deleted data is removed from active databases and subsequently from backups following our standard retention cycle.
  • Backup retention: Backups follow the retention schedule defined in our Data Storage Integrity section and are automatically purged when the retention window expires.
Slite does not retain customer data beyond what is necessary to deliver the service or comply with legal obligations.

Logging & Audit Trails

Slite maintains detailed logs to support security monitoring, incident investigation, and access control enforcement. Logged events include:
  • Authentication and SSO events
  • Administrative and privileged actions
  • Application and infrastructure activity
  • System performance and anomaly alerts
Logs are centrally collected, protected from tampering, and retained according to internal policies. Monitoring and alerting are integrated with Datadog to enable rapid detection and response to unusual behavior.

Internal Access Controls & Operational Security

Slite applies strict internal security measures to ensure that employee access to customer data is limited, monitored, and protected against potential compromise. These controls reduce the risk of insider threats, account takeover, and unauthorized data access.

Access Management

  • Employee authentication is centralized through Google SSO with enforced 2FA across all internal systems.
  • Permissions are reviewed quarterly and follow the principle of least privilege, ensuring employees only have access necessary for their role.
  • Access to customer data (when required for support, debugging, or product improvement) is logged, auditable, and governed by internal policies.

Security Awareness & Training

  • All employees undergo regular security awareness training covering topics such as phishing, social engineering, and best practices for handling sensitive data, as well as training specific to GDPR and HIPAA requirements.

Credential & Device Security

  • Slite uses 1Password for secure credential management and ensures that access to sensitive credentials is limited to authorized employees.
  • All company-issued devices have full-disk encryption, reducing the impact of theft or loss.
These measures help ensure that access to customer data is tightly controlled and that Slite employees maintain a strong security posture in their day-to-day work.

Security of Business Operations

Payment Processing

Slite uses Stripe, a leading PCI-DSS–certified payment processor, to handle all billing and payment information. Slite does not store, process, or have access to your full payment card details at any point; all sensitive financial information is managed securely by Stripe.
Within Slite, only a limited number of authorized employees can access subscription and billing management settings in Stripe (e.g., plan changes, refunds). These permissions do not provide access to payment card data.

Availability & Reliability

Slite is designed to provide reliable access to your documents at all times. We use modern, proven infrastructure and deployment practices to ensure the platform remains stable, scalable, and resilient.

Deployment & Infrastructure

Slite’s application is deployed using ArgoCD and Kubernetes, allowing us to roll out changes safely, consistently, and with automated validation. These systems help ensure that new releases do not impact availability and can be rolled back quickly if necessary.

Monitoring & Scaling

We use Datadog to monitor application performance, databases, and infrastructure health in real time. This includes alerting, anomaly detection, and automated scaling to handle increases in usage and maintain smooth performance.

Uptime

Our operational practices and continuous monitoring help us maintain high service availability across both Slite and Super. The Slite status page is available at status.slite.com, and the Super status page is available at status.super.work.

Additional Security Controls

Incident Response

Slite maintains a documented Incident Response Plan designed to ensure rapid detection, containment, and remediation of security events. Our plan outlines clear roles, escalation paths, communication procedures, and post-incident review requirements.
Our incident response process includes:
  • Detection & Identification: Continuous monitoring and automated alerting help surface unusual activity or potential security issues.
  • Containment & Mitigation: Incidents are triaged and contained using predefined procedures and isolation mechanisms.
  • Eradication & Recovery: We remediate the underlying cause, validate the fix, and restore normal operations using secure deployment processes.
  • Post-Incident Review: Each incident undergoes a retrospective analysis to identify corrective actions and strengthen our controls.

Business Continuity & Disaster Recovery

Slite maintains Business Continuity (BCP) and Disaster Recovery (DR) plans to ensure service resilience in the event of major disruptions.
Our plans include:
  • Redundant infrastructure within Google Cloud to minimize single points of failure
  • Automated backups across EU data centers with validated restoration testing
  • Documented recovery procedures enabling rapid restoration of services
  • Annual plan reviews and updates to ensure the plans remain effective and aligned with evolving risks
These measures help ensure that Slite can continue delivering reliable service even in adverse conditions.