This provision discloses that identifying information about customer instances and users may be stored across Salesforce's global processing locations for operational purposes including login facilitation and customer support, independent of the customer's selected region, with a specific exception for Government Cloud Plus services where such information is one-way hashed before leaving designated data centers.
This analysis describes what Slack's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
This provision establishes that a category of data, specifically identifying information about customer instances and users, may be processed across Salesforce's global infrastructure regardless of the customer's selected regional configuration, representing a processing pathway that falls outside the scope of regional selection controls disclosed elsewhere in the document.
Interpretive note: The document does not define the precise scope of 'identifying information about Customers' instance(s) and identifying information about Users,' leaving ambiguity about whether this category encompasses personal data as defined under GDPR or equivalent frameworks.
Under this clause, identifying information about users and customer instances may be stored outside the customer's selected processing region for operational purposes, as stated in the document. The document also states that this storage is conducted across Salesforce's processing locations, which include the global network of Salesforce affiliates and sub-processors listed in the document.
Cross-platform context
See how other platforms handle Identifying Information Storage Outside Provisioned Region and similar clauses.
Compare across platforms →Monitoring
Slack has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"In addition to the locations identified in the below Infrastructure and Sub-processors tables, Salesforce may store across its processing locations identifying information about Customers' instance(s) and identifying information about Users for the purpose of operating the Services, such as facilitating the login process and the provision of customer support. For the Government Cloud Plus and Government Cloud Plus - Defense Services, this information (except for business address) will be encrypted with a one-way hash algorithm before it leaves the Government Cloud Plus and Government Cloud Plus - Defense-specific data centers, rendering it unreadable to Salesforce and its cloud providers.— Excerpt from Slack's Slack Sub-Processors (Salesforce)
(1) REGULATORY LANDSCAPE: This provision engages GDPR and equivalent data protection frameworks applicable to the processing of personal data, specifically in the context of operational data flows that occur outside the primary data residency configuration. The disclosure that identifying user information may flow to processing locations globally for login and support functions may require evaluation under applicable transfer mechanisms for jurisdictions where such transfers require specific authorization. (2) GOVERNANCE EXPOSURE: Medium. Organizations with strict data localization requirements should assess whether the 'identifying information about Users' described in this provision constitutes personal data under applicable law and whether its global processing is covered by the organization's transfer impact assessment and DPA. The specific operational scope of 'identifying information' is not precisely defined in the document excerpt provided. (3) JURISDICTION FLAGS: EU and EEA organizations, UK organizations, and organizations in jurisdictions with data localization requirements face heightened exposure. The Government Cloud Plus carve-out with one-way hashing suggests that Salesforce has implemented technical controls for that specific service tier; commercial tier customers do not receive the same technical protection under the disclosed terms. (4) CONTRACT AND VENDOR IMPLICATIONS: Legal teams should assess whether their DPA explicitly addresses the global processing of user identifying information for operational purposes and whether this processing is covered by an appropriate transfer mechanism. The distinction between Government Cloud Plus and commercial service handling of this data category should be evaluated by customers in sensitive sectors who use commercial Salesforce services. (5) COMPLIANCE CONSIDERATIONS: Compliance teams should identify whether 'identifying information about Users' in their Salesforce environment constitutes personal data, document this processing pathway in records of processing activities, and confirm that applicable transfer mechanisms cover this operational data flow.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 3 platforms + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
This provision establishes that a category of data, specifically identifying information about customer instances and users, may be processed across Salesforce's global infrastructure regardless of the customer's selected regional configuration, representing a processing pathway that falls outside the scope of regional selection controls disclosed elsewhere in the document.
Under this clause, identifying information about users and customer instances may be stored outside the customer's selected processing region for operational purposes, as stated in the document. The document also states that this storage is conducted across Salesforce's processing locations, which include the global network of Salesforce affiliates and sub-processors listed in the document.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Slack.