Track 3 platforms and get the weekly governance digest. No credit card required.
This page describes what the document states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability may vary by jurisdiction. Methodology
This is Salesforce's official sub-processor and infrastructure disclosure list, identifying every third-party entity and Salesforce affiliate authorized to process Customer Data across Salesforce's product portfolio as of June 19, 2026. The document discloses that Amazon Web Services, Microsoft Corporation (Azure), Google LLC, OpenAI, Akamai Technologies, and Cloudflare, among others, process Customer Data for hosting, generative AI inference, content delivery, and analytics purposes, with some CDN providers designated as 'Global,' meaning Customer Data may transit any country regardless of the customer's selected region. The document also states that in the event of an OpenAI service failover, Customer Data is temporarily re-routed to a Microsoft Azure endpoint, with priority given to the customer's provisioned region subject to availability, a condition that may affect data residency commitments for customers with strict localization requirements.
This document is Salesforce's sub-processor and infrastructure disclosure list, published June 19, 2026, governing the processing and storage of Customer Data across Salesforce's portfolio of covered services, with stated legal basis in Salesforce's Master Subscription Agreement and Data Processing Addendum. The document discloses that Customer Data may be processed by a global network of Salesforce-affiliated legal entities, hyperscale cloud providers including Amazon Web Services, Microsoft Azure, and Google LLC, and specialized third-party sub-processors for functions including generative AI inference, text-to-speech, speech-to-text, translation, content delivery, security scanning, and analytics, with processing locations varying by service, feature enablement, and customer-selected region. Notably, several services authorize cross-regional data flows as a function of feature enablement rather than explicit customer election: for example, Einstein Bots NLP functionality routes Customer Data to regions determined by the customer's org location rather than a separate regional selection, and OpenAI failover routing temporarily redirects Customer Data to Microsoft Azure endpoints regardless of the customer's provisioned region. The document engages the EU General Data Protection Regulation, the UK GDPR, and data residency frameworks applicable across the Asia-Pacific, Middle East, and Americas regions, with heightened compliance exposure for customers in regulated industries such as financial services, healthcare, education, and government, particularly where sub-processor chains include global CDN providers described as processing data 'in any country' and generative AI providers operating with failover routing that may cross jurisdictional boundaries.
Institutional analysis available with Compliance
Regulatory exposure by statute, material risk assessment, vendor due diligence action items, and enforcement precedent. Available on Compliance.
Get ComplianceMonitoring
Slack has updated this document before.
Monitor includes same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
Compliance Governance Intelligence
Need provision-level monitoring and regulatory mapping?
Compliance includes governance timelines, compliance memos, audit-ready analysis, and full provision tracking.
Get ComplianceCross-platform context
See how other platforms handle Feature-Triggered Sub-processor Activation and Cross-Regional Data Flows and similar clauses.
Compare across platforms →Governance Monitoring
Structured alerts for policy changes, governance events, and provision updates across 318+ platforms.