{
"security_strand": {
"workshop_meta": {
"framework_version": "security-strand-v1.0",
"source_templates": [
"Security Philosophy",
"Data Protection Architecture",
"Identity & Access",
"Application Security",
"Infrastructure Security",
"Compliance & Certifications",
"Incident Response",
"Governance & Monitoring",
"AI-Specific Security Layer",
"Zero Trust Policies",
"Admin Controls",
"Mobile & Device Security"
],
"facilitation_notes": [
"Run with Security Engineering, Product Security, IT, DevOps, Data Governance, and Compliance.",
"Must reflect BOTH Slack core system security AND Salesforce enterprise security stack.",
"Treat this JSON as the canonical Security OS — used across engineering, product, and AI."
]
},
"security_philosophy": {
"question": "What is Slack’s fundamental approach to security?",
"answer": "Security is designed as an end-to-end system combining encryption, compliance, identity, monitoring, and operational rigor. Slack follows a zero-trust model, enforces least privilege, and embeds security into the product lifecycle. Customer data is protected through encryption, access controls, secure infrastructure, and continuous monitoring.",
"core_principles": [
"Security-by-design in every product decision.",
"Least privilege access everywhere.",
"Zero Trust networking and identity gating.",
"Customer control over data visibility and administration.",
"Transparency: clear logging and auditing of activity.",
"Defense-in-depth across every system layer."
]
},
"data_protection": {
"encryption": {
"in_transit": "TLS 1.2+ for all traffic between clients, Slack servers, and integrations.",
"at_rest": "AWS KMS–backed AES-256 encryption for all stored data.",
"enterprise_key_management": {
"ekm": "Enterprise Key Management allows customers to use their own encryption keys.",
"capabilities": [
"Key revocation to immediately make messages/files unreadable.",
"Granular per-channel key control.",
"Audit visibility via EKM logs."
]
}
},
"data_residency": {
"regions": [
"US",
"EU",
"UK",
"Japan",
"Australia",
"Canada"
],
"controls": "Admins can pin default residency for all workspace data."
},
"data_lifecycle": [
"Configurable retention policies per channel.",
"Message/file deletion rules.",
"Customer-configurable legal hold.",
"Controlled backups with encrypted snapshots."
]
},
"identity_and_access": {
"authentication": [
"SAML 2.0 SSO",
"SCIM provisioning",
"OAuth 2.0 for apps",
"Two-factor authentication",
"Enterprise Mobility Management (EMM)"
],
"authorization": [
"Granular roles (Admin, Owner, Member, Guest)",
"Channel-level access control",
"App permission scopes with least privilege"
],
"zero_trust": {
"principles": [
"Device posture checks for enterprise clients",
"Continuous authentication",
"Session invalidation on suspicious activity"
],
"integrations": [
"Okta",
"Azure AD",
"OneLogin"
]
}
},
"application_security": {
"secure_sd_lc": [
"Threat modeling for new features",
"Security reviews for code changes",
"Static and dynamic code scanning",
"Red team testing"
],
"api_security": [
"Rate limiting",
"OAuth authorization layers",
"Signed requests for slash commands",
"Scoped bot tokens"
],
"app_review_process": [
"Marketplace apps go through strict review",
"Security testing of OAuth scopes",
"Verification of data handling practices"
]
},
"infrastructure_security": {
"hosting": "Slack is hosted on AWS with multi-layered network segmentation.",
"controls": [
"Multi-tenant isolation",
"DDoS protection",
"Secrets management via HashiCorp Vault",
"Automated container patching",
"Continuous vulnerability scanning"
],
"monitoring": [
"Real-time anomaly detection",
"SIEM alerts",
"Intrusion detection systems",
"Log analysis for suspicious patterns"
]
},
"compliance_and_certifications": {
"certifications": [
"SOC 2 Type II",
"SOC 3",
"ISO 27001",
"ISO 27017",
"ISO 27018",
"FedRAMP Moderate",
"HIPAA compliance support (HIPAA defines no formal certification)",
"FINRA Compliance Support"
],
"data_processing_agreements": [
"GDPR compliant terms",
"CCPA data protections",
"Regional data privacy adherence"
],
"enterprise_controls": [
"Admin audit logs",
"DLP (Data Loss Prevention) integrations",
"eDiscovery integrations",
"Legal hold enforcement"
]
},
"incident_response": {
"question": "How does Slack respond to security incidents?",
"answer": "Slack maintains a 24/7 incident response team, runs tabletop exercises, utilizes automated detection systems, and publishes post-incident security reports to impacted customers.",
"process": [
"Detection",
"Triage",
"Containment",
"Eradication",
"Recovery",
"Post-incident analysis"
],
"customer_notifications": [
"Immediate outreach when high-risk incidents occur",
"Impact reports for enterprise accounts",
"Dedicated Slack Connect channels with enterprise security teams"
]
},
"governance_monitoring_and_controls": {
"admin_controls": [
"Granular permissions for owners/admins",
"Session management and forced logouts",
"IP allowlists",
"Device restrictions",
"Disable file uploads or external sharing"
],
"logging_and_auditing": [
"User activity logs",
"Message access logs",
"App installation logs",
"Workflow execution logs",
"AI feature usage logs"
],
"risk_management": [
"Continuous compliance automation",
"Vendor risk reviews",
"Penetration testing",
"Security awareness training for employees"
]
},
"ai_security_layer": {
"model_safety": [
"AI models only process data users can already access.",
"AI cannot override enterprise EKM encryption.",
"AI decisions logged for auditability."
],
"privacy_controls": [
"Admin toggle to enable/disable AI features",
"Workspace-level restrictions for channel summaries",
"No training on customer data without explicit opt-in"
],
"safe_outputs": [
"Hallucination detection heuristics",
"Tone and factuality rules",
"AI suggestions labeled for transparency"
]
},
"mobile_and_device_security": {
"controls": [
"Passcode enforcement",
"Device-level encryption",
"EMM mobile policy enforcement",
"Remote wipe via MDM",
"Biometric unlock support"
]
},
"security_maturity_indicators": {
"metrics": [
"Time to detect",
"Time to contain",
"Patch deployment velocity",
"Pen-test score improvements",
"False positive rate on anomaly alerts"
],
"north_star": "Be the most trusted enterprise collaboration platform in the world, with defensible, transparent, auditable security at every layer."
},
"security_archetype": {
"primary_archetype": "Guardian",
"secondary_archetype": "Architect",
"rationale": "Slack security is protective, transparent, systematic, and anticipatory — balancing user freedom with enterprise-grade control."
}
}
}