Your personal data may be stored and processed in the United States and other countries, potentially with different privacy protections than your home country. Salesforce uses approved legal tools including Standard Contractual Clauses and Data Privacy Framework certification to authorize these transfers.
This analysis describes what Salesforce's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
For EU, UK, and Swiss users, your data crossing borders to the US triggers specific legal protections. Salesforce's use of the DPF and SCCs is meant to provide those protections, but the legal landscape for transatlantic data transfers has been subject to ongoing legal challenges.
Interpretive note: The legal stability of the EU-U.S. DPF adequacy decision is subject to ongoing judicial review before the Court of Justice of the EU, and the adequacy and implementation of SCCs may vary based on data transfer impact assessments required for specific transfer contexts.
Your personal data may be transferred to and stored in the United States, where legal data protection standards differ from those in the EU or UK. Salesforce asserts it relies on approved transfer mechanisms including Data Privacy Framework certification and Standard Contractual Clauses to maintain protection standards, though the legal validity of these mechanisms may be subject to future judicial or regulatory review.
How other platforms handle this
Electronic Arts Inc., and its U.S.-based subsidiaries ("EA Inc. US"), complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. EA Inc. US has certif...
Valve and its subsidiary TR Technical Inc. comply with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. Valve has certified to the U.S. Department of Comm...
If you are located in the European Economic Area, the United Kingdom, or Switzerland, please be aware that we may transfer your personal information to countries outside of these regions, including to the United States, where data protection laws may not provide the same level of protection as those...
Monitoring
Salesforce has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
"Your Personal Data may be transferred to, and stored by us, in the United States and by our affiliates and third parties (as disclosed in the full Privacy Statement) as listed in the Privacy Statement. Therefore, your Personal Data may be processed and stored outside your country or jurisdiction, including in places that may not provide the same level of protection. As described in the "International transfers of Personal Data" section of our full Privacy Statement, we have implemented safeguards to ensure an adequate level of protection where your Personal Data is transferred, including, where required, standard contractual clauses or an alternative mechanism for the transfer of Personal Data as approved by the European Commission. Salesforce also commits to comply with the EU-U.S. Data Privacy Framework, the Swiss-U.S. Data Privacy Framework, and the UK Extension to the EU-U.S. Data Privacy Framework (collectively, the "DPF") and certifies its adherence to the DPF Principles as set forth by the U.S. Department of Commerce.— Excerpt from Salesforce's Salesforce Privacy Statement
REGULATORY LANDSCAPE: This provision directly engages GDPR Chapter V requirements for international personal data transfers, which require that transfers to third countries ensure an equivalent level of protection. Salesforce's reliance on the EU-U.S. Data Privacy Framework follows the European Commission's adequacy decision adopted in July 2023. The DPF is administered by the U.S. Department of Commerce and enforceable by the FTC and the U.S. Department of Transportation. Standard Contractual Clauses, as the alternative mechanism referenced, are governed by the European Commission's 2021 SCCs and applicable supervisory authority guidance. GOVERNANCE EXPOSURE: Medium to High for EU and UK enterprise data controllers. The DPF adequacy decision has faced legal challenges before the Court of Justice of the EU in prior iterations (Schrems I and II decisions invalidated Safe Harbor and Privacy Shield). While the current DPF has a new legal foundation, ongoing legal proceedings by European privacy advocacy groups mean the DPF's long-term legal stability carries uncertainty. Organizations relying solely on DPF certification without SCCs as a fallback mechanism face higher residual risk. JURISDICTION FLAGS: EU and EEA member state residents have the strongest rights in this context, with the ability to lodge complaints with national data protection authorities if transfer mechanisms are considered inadequate. UK residents are covered by the UK Extension to the EU-U.S. DPF. Swiss residents are covered by the Swiss-U.S. DPF. Non-EU/UK/Swiss users in jurisdictions without adequacy decisions (e.g., India under the new Digital Personal Data Protection Act) should note that transfer protections may differ. CONTRACT AND VENDOR IMPLICATIONS: Enterprise customers whose contracts with Salesforce reference the DPF or SCCs as transfer mechanisms should ensure their DPA includes fallback provisions should a transfer mechanism be invalidated. Salesforce's Processor BCRs may serve as an additional or alternative mechanism for processor-capacity transfers, and procurement teams should confirm which mechanism applies to their specific engagement. COMPLIANCE CONSIDERATIONS: Legal teams should monitor the status of legal challenges to the EU-U.S. DPF and maintain contingency documentation including executed SCCs as a fallback. Data mapping exercises should identify all cross-border flows to Salesforce infrastructure, including sub-processors in third countries. Indian enterprise customers should evaluate the implications of India's DPDP Act for transfers to Salesforce infrastructure.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
For EU, UK, and Swiss users, your data crossing borders to the US triggers specific legal protections. Salesforce's use of the DPF and SCCs is meant to provide those protections, but the legal landscape for transatlantic data transfers has been subject to ongoing legal challenges.
Your personal data may be transferred to and stored in the United States, where legal data protection standards differ from those in the EU or UK. Salesforce asserts it relies on approved transfer mechanisms including Data Privacy Framework certification and Standard Contractual Clauses to maintain protection standards, though the legal validity of these mechanisms may be subject to future judicial …
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Salesforce.