10 Total
0 High severity
7 Medium severity
3 Low severity
Summary

This is Salesforce's official sub-processor and infrastructure disclosure list, identifying every third-party entity and Salesforce affiliate authorized to process Customer Data across Salesforce's product portfolio as of June 19, 2026. The document discloses that Amazon Web Services, Microsoft Corporation (Azure), Google LLC, OpenAI, Akamai Technologies, and Cloudflare, among others, process Customer Data for hosting, generative AI inference, content delivery, and analytics purposes, with some CDN providers designated as 'Global,' meaning Customer Data may transit any country regardless of the customer's selected region. The document also states that in the event of an OpenAI service failover, Customer Data is temporarily re-routed to a Microsoft Azure endpoint, with priority given to the customer's provisioned region subject to availability, a condition that may affect data residency commitments for customers with strict localization requirements.

Technical / Legal Breakdown

This document is Salesforce's sub-processor and infrastructure disclosure list, published June 19, 2026, governing the processing and storage of Customer Data across Salesforce's portfolio of covered services, with stated legal basis in Salesforce's Master Subscription Agreement and Data Processing Addendum. The document discloses that Customer Data may be processed by a global network of Salesforce-affiliated legal entities, hyperscale cloud providers including Amazon Web Services, Microsoft Azure, and Google LLC, and specialized third-party sub-processors for functions including generative AI inference, text-to-speech, speech-to-text, translation, content delivery, security scanning, and analytics, with processing locations varying by service, feature enablement, and customer-selected region. Notably, several services authorize cross-regional data flows as a function of feature enablement rather than explicit customer election: for example, Einstein Bots NLP functionality routes Customer Data to regions determined by the customer's org location rather than a separate regional selection, and OpenAI failover routing temporarily redirects Customer Data to Microsoft Azure endpoints regardless of the customer's provisioned region. The document engages the EU General Data Protection Regulation, the UK GDPR, and data residency frameworks applicable across the Asia-Pacific, Middle East, and Americas regions, with heightened compliance exposure for customers in regulated industries such as financial services, healthcare, education, and government, particularly where sub-processor chains include global CDN providers described as processing data 'in any country' and generative AI providers operating with failover routing that may cross jurisdictional boundaries.

Institutional Analysis

Institutional analysis available with Compliance

Regulatory exposure by statute, material risk assessment, vendor due diligence action items, and enforcement precedent. Available on Compliance.

Get Compliance
Medium — 7 provisions
Low — 3 provisions

Monitoring

Slack has updated this document before.

Monitor includes same-day alerts, structured change summaries, and monitoring for up to 25 platforms.

Get Monitor Or create a free account →

Compliance Governance Intelligence

Need provision-level monitoring and regulatory mapping?

Compliance includes governance timelines, compliance memos, audit-ready analysis, and full provision tracking.

Get Compliance

Cross-platform context

See how other platforms handle Feature-Triggered Sub-processor Activation and Cross-Regional Data Flows and similar clauses.

Compare across platforms →

Mapped Governance Frameworks

CCPA/CPRA
California, USA
View official text ↗
Connecticut Data Privacy Act Amendments
US-CT
View official text ↗
CAN-SPAM
United States Federal
View official text ↗
FTC Act Section 5
United States Federal
View official text ↗
GDPR
European Union
View official text ↗
Indiana Consumer Data Protection Act
US-IN
View official text ↗
Kentucky Consumer Data Protection Act
US-KY
View official text ↗
UK GDPR
United Kingdom
View official text ↗
Universal Opt-Out Mechanism Expansion 2026
US
View official text ↗
VPPA
United States Federal
View official text ↗
Archival ProvenanceSource & Archival Record
Last Captured July 6, 2026 22:44 UTC
Capture Method Automated scheduled archival capture
Document ID CA-D-000931
Version ID CA-V-004529
SHA-256 4d113b73d4233ba0547dacde980c3a4f13e8de2ae1d6a2ea3f751f0a7c60bc4e
✓ Snapshot stored ✓ Text extracted ✓ Change verified ✓ Hash verified

Governance Monitoring

Monitor governance changes across the platforms you rely on.

Structured alerts for policy changes, governance events, and provision updates across 318+ platforms.

Create free account Compare plans