This Privacy Statement only covers how Salesforce handles data in its own right, not the data that enterprise customers put into Salesforce's CRM or cloud products. That data is governed by separate contracts, not this document.
This analysis describes what Salesforce's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
Consumers whose data is held in a company's Salesforce CRM cannot rely on this Privacy Statement for rights against Salesforce. They must look to the company that collected their data in the first place.
If your personal data is stored by a business using Salesforce as their CRM tool, this Privacy Statement does not govern that data. Your rights regarding that data must be exercised with the business that collected it, not directly with Salesforce.
How other platforms handle this
This Privacy Policy does not apply where Anthropic acts as a data processor and processes personal data on behalf of commercial customers using Anthropic's Commercial Services – for example, your employer has provisioned you a Claude for Work account, or you're using an app that is powered on the ba...
Our Service allows customers to submit, manage or otherwise use content relating to others, such as end users of applications built and managed through the Service or their employees and contractors ("Customer Data"). We use such Customer Data primarily as a processor, meaning we process such Custom...
Egnyte is a data controller with respect to personal data it collects from visitors to its website and through its marketing activities. Egnyte acts as a data processor with respect to the content and data that customers store within the Egnyte platform. In that capacity, Egnyte processes data on be...
Monitoring
Salesforce has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
"This Privacy Statement does not apply to the extent we process Personal Data as a processor or service provider on behalf of our customers, including where we offer to our customers various services through which our customers (or their affiliates): (i) create their own websites and applications running on our platforms; (ii) sell or offer their own products and services; (iii) send electronic communications to others.— Excerpt from Salesforce's Salesforce Privacy Statement
REGULATORY LANDSCAPE: This carve-out reflects the GDPR controller-processor distinction under applicable EU and UK data protection law. Under GDPR, a processor acts only on documented instructions from the controller and is subject to separate obligations. The statement's exclusion aligns with this framework, but compliance teams should confirm that Salesforce's Data Processing Addendum is appropriately executed and covers all relevant processing activities in each jurisdiction where enterprise customer data is processed. GOVERNANCE EXPOSURE: Medium. The carve-out is legally standard but operationally significant. Enterprise customers must ensure their own privacy notices to end-users accurately describe Salesforce as a sub-processor and that the DPA covers all data types and processing purposes. Failure to execute an appropriate DPA while transferring personal data to Salesforce would expose the enterprise customer to regulatory risk under GDPR and CCPA. JURISDICTION FLAGS: EU and UK enterprise customers face the highest exposure given GDPR's strict processor agreement requirements. California-based enterprises must also evaluate whether their use of Salesforce as a service provider satisfies CPRA's service provider contract requirements to avoid a 'sale' or 'sharing' characterization. CONTRACT AND VENDOR IMPLICATIONS: Procurement teams should verify that a current, signed Data Processing Addendum is in place with Salesforce before processing personal data through any Salesforce platform. The DPA, not this Privacy Statement, governs processor-capacity data and determines audit rights, breach notification obligations, and sub-processor approval processes. COMPLIANCE CONSIDERATIONS: Legal teams should maintain a data mapping record clearly distinguishing which personal data flows are governed by this Privacy Statement versus the DPA. Any new Salesforce product deployment should trigger a review of whether existing DPA coverage extends to the new processing activity or requires amendment.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.
We read the privacy policies and terms of service of 38 AI platforms. Here is what they say about training, retention, arbitration, and liability.
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
Consumers whose data is held in a company's Salesforce CRM cannot rely on this Privacy Statement for rights against Salesforce. They must look to the company that collected their data in the first place.
If your personal data is stored by a business using Salesforce as their CRM tool, this Privacy Statement does not govern that data. Your rights regarding that data must be exercised with the business that collected it, not directly with Salesforce.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Salesforce.