Private & Secure

Our commitment to the ethical use of technology and protecting our users’ privacy lies at the core of what we do. We're happy to answer important questions about Spoke’s approach to Data Privacy and Security – if you have any questions, please do not hesitate to contact us. To request and sign our Data Processing Agreement, please reach out to us:

Request our DPA via email ->
white lock Icon on green and purple gradient

What is your approach to data privacy?

A strong commitment to the ethical use of technology and protecting our users’ privacy lies at the core of what we do. We are especially focused on data minimisation, i.e. we constantly challenge what the minimum necessary amount and retention period of any data is to create a great user experience and whether each data point in our databases creates user value.

Which data do you process?

To provide AI-generated summaries to our users, we process Slack messages, from message threads in public and private Slack channels (only after Spoke has proactively been added to a channel). We process data only based on proactive summarization requests by an authenticated user and all data is fully pseudonymized and/or anonymized before processing.

We generally minimise the collection of any Personally Identifiable Information (PII) and therefore do not collect or save any explicit user information. Any indirect PII data included in the Slack messages pulled into Spoke for summarization (e.g. name or email address mentioned in a message) is fully anonymized or pseudonymized via Named Entity Recognition before being processed by any of our internal APIs or LLMs (large language models).

We are headquartered in Germany and fully comply with GDPR. You can find a high level overview of GPDR requirements here.

You can read more in our Privacy Policy here or reach out to us directly at any time at or if you have questions or concerns.

Which technologies do you work with and what about 3rd parties?

We work with a combination of different technologies, leveraging pre-trained models such as OpenAI’s GPT-3.5 or Aleph Alpha's Luminous, as well as developing and fine-tuning our own models (e.g. to identify and pseudonymize PII or to avoid any gender bias / other harmful content).

We use Slack solely as a data input and user interface. When working with third parties (such as large pre-trained language models), we always have Data Processing Agreements (DPAs) in place and we ensure to only push pseudonymized or anonymized PII data to such 3rd parties, who generally have no read/write access to any of our data. We’re constantly working on improving our models to ensure full data anonymization.

You can find additional information in our Privacy Policy.

How do you deal with gender bias and/or other harmful content?

One of our core values at Spoke focuses on building AI-products in a human-centred and responsible manner. For example, we remove all gendered pronouns from all content we generate and we’re constantly reviewing our models to diminish the possibility of any harmful content. Users always have the possibility to give direct feedback and report harmful or inappropriate content.

What are your policies around data retention and data deletion?

We follow the GDPR guidelines proactively, as we will only process your data for as long as is necessary for the respective purposes or as long as there are legal retention obligations. After the respective processing purpose ceases to apply and the retention obligations end, your data will be routinely deleted.

Specifically, this means that following the churning of a workspace (all users have stopped using the Spoke app for Slack for a period > 6 months) or the deletion of a workspace and proactive flag by the company, we will delete all data related to a company's usage of Spoke from our databases.

Data Deletion requests or requests to be forgotten can be sent to and will be answered unduly, but the latest within 2 weeks. After a data deletion request is submitted, we will remove all data relating to this company or anonymize all PII data stored in our databases (if other users in the workspace are still active). We log the request for data deletion for 2 years, keeping only the data subject’s email address to verify to authorities that we complied with the deletion request.

What about data storage and application security?

We only store anonymised input data from Slack (e.g. messages from a thread or channel) and summarised data that we create for our users based on anonymised inputs. We also store anonymous user feedback (e.g. summary ratings) to improve our summarisation capabilities over time.

Our technical infrastructure is hosted using AWS Managed Services, which allows us to adopt & maintain best-in-class security and compliance practices. Data at rest is fully encrypted using the 256-bit Advanced Encryption Standard (AES-256) and stored on AWS Servers in Germany (Region eu-central-1 → Frankfurt, Germany). Detailed information about AWS security is available at here and here, AWS SOC Reports are available here.

Additionally, all Spoke applications and website are SSL encrypted. We work with virtual private clouds (VPCs) with IP whitelisting and conduct regular internal audits.

What about certifications?

We are currently working on our SOC2 (type 2) and ISO 27001 certifications. Although these processes take some time, we are proud to apply highest information security standards from day one.

What is your approach to operational security within Spoke?

All team members at receive the appropriate tools & training to ensure best in class security protocols. We have strict controls for access management via AWS Identity and Access Management (IAM) as well as device management.

In order to protect the confidentiality of all data, team members are required to take reasonable measures to safeguard and prevent unauthorized access or disclosure of confidential information. This includes, but is not limited to, ensuring that all confidential information is kept in a secure location and that only authorized personnel have access to it.

All team members must follow certain requirements, like encrypting storage media and using two-factor authentication (2FA). Usage of strong passwords is enforced and centrally managed. All communication is done through securely encrypted channels.

We have a thorough access removal process that helps to ensure that all company property is returned and that access to company systems is properly removed.