This Privacy Statement only covers how Salesforce handles data in its own right, not the data that enterprise customers put into Salesforce's CRM or cloud products. That data is governed by separate contracts, not this document.
This analysis describes what Salesforce's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
Consumers whose data is held in a company's Salesforce CRM cannot rely on this Privacy Statement for rights against Salesforce. They must look to the company that collected their data in the first place.
If your personal data is stored by a business using Salesforce as their CRM tool, this Privacy Statement does not govern that data. Your rights regarding that data must be exercised with the business that collected it, not directly with Salesforce.
How other platforms handle this
At Ledger, earning and maintaining our users' trust is a top priority. That's why we are deeply committed not only to protecting your privacy and securing your personal data, but also to being fully transparent about how we handle it.
enableGpcSdk: true, gpcSetting: { privacyPolicyLink: '/Privacy-Security-Policy-a-282.html' }
We process Global Privacy Control signals as opt-out requests for the sale or sharing of personal information.
Monitoring
Salesforce has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"This Privacy Statement does not apply to the extent we process Personal Data as a processor or service provider on behalf of our customers, including where we offer to our customers various services through which our customers (or their affiliates): (i) create their own websites and applications running on our platforms; (ii) sell or offer their own products and services; (iii) send electronic communications to others.— Excerpt from Salesforce's Salesforce Privacy Statement
REGULATORY LANDSCAPE: This carve-out reflects the GDPR controller-processor distinction under applicable EU and UK data protection law. Under GDPR, a processor acts only on documented instructions from the controller and is subject to separate obligations. The statement's exclusion aligns with this framework, but compliance teams should confirm that Salesforce's Data Processing Addendum is appropriately executed and covers all relevant processing activities in each jurisdiction where enterprise customer data is processed. GOVERNANCE EXPOSURE: Medium. The carve-out is legally standard but operationally significant. Enterprise customers must ensure their own privacy notices to end-users accurately describe Salesforce as a sub-processor and that the DPA covers all data types and processing purposes. Failure to execute an appropriate DPA while transferring personal data to Salesforce would expose the enterprise customer to regulatory risk under GDPR and CCPA. JURISDICTION FLAGS: EU and UK enterprise customers face the highest exposure given GDPR's strict processor agreement requirements. California-based enterprises must also evaluate whether their use of Salesforce as a service provider satisfies CPRA's service provider contract requirements to avoid a 'sale' or 'sharing' characterization. CONTRACT AND VENDOR IMPLICATIONS: Procurement teams should verify that a current, signed Data Processing Addendum is in place with Salesforce before processing personal data through any Salesforce platform. The DPA, not this Privacy Statement, governs processor-capacity data and determines audit rights, breach notification obligations, and sub-processor approval processes. COMPLIANCE CONSIDERATIONS: Legal teams should maintain a data mapping record clearly distinguishing which personal data flows are governed by this Privacy Statement versus the DPA. Any new Salesforce product deployment should trigger a review of whether existing DPA coverage extends to the new processing activity or requires amendment.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Ad personalization controls removed. Contact scanning added. Advertiser data partnerships quietly dropped. A timeline of every change.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
Consumers whose data is held in a company's Salesforce CRM cannot rely on this Privacy Statement for rights against Salesforce. They must look to the company that collected their data in the first place.
If your personal data is stored by a business using Salesforce as their CRM tool, this Privacy Statement does not govern that data. Your rights regarding that data must be exercised with the business that collected it, not directly with Salesforce.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Salesforce.