Trust and Compliance Documentation

We made seasonal updates to the Salesforce Trust and Compliance Documents.

Notices and Licenses

The following changes have been made in the Notices and Licenses Documentation:

Salesforce

  • Services Covered: Updated information
  • Account Intelligence Features: Updated information
  • Lightning for Gmail or Outlook: Updated information
  • Renamed Lightning Voice to Lightning Dialer: Updated information
  • Distributed Software: Updated links to Order Form Supplements for distributed software

Analytics Cloud

  • No updates

Commerce Cloud

  • Services Covered: Updated information
  • Third Party Features: Updated information

Data.com

  • Services Covered: Updated information

Desk.com

  • Added External-Facing Services

Einstein Data Discovery (formerly known as BeyondCore)

  • Removed External-Facing Services Policy

Einstein Vision

  • New documentation

ExactTarget

  • Removed references to BuddyMedia
  • Purpose of this Documentation: Updated information
  • Restricted Uses of Information: Updated information
  • Third Party Notices: Updated information

Heroku

  • No updates

IoT Cloud

  • No updates

Krux

  • Services Covered: Updated information
  • Added Restricted Uses of Information and Compliance with Self-Regulatory Programs
  • Changed Third Party Applications to Third-Party Platforms and Third Party Notices
  • Use of Third Party Data: Updated information

LiveMessage

  • Restricted Uses of Information: Updated information

Marketing Cloud (Radian6, Social Studio, Social.com)

  • Removed references to BuddyMedia

Pardot

  • No updates

Predictive Intelligence

  • Services Covered: Updated information
  • Purposes of this Documentation: Updated information

Quip

  • No updates

SalesforceIQ

  • No updates

Sales Cloud Einstein

  • Services Covered: Updated information
  • Account Intelligence Features: Updated information

Work.com

  • Work.com Notice and License Information documentation combined with Salesforce Notice and License Information documentation

Security, Privacy, and Architecture

The following changes have been made in the Security, Privacy, and Architecture Documentation:

Salesforce

  • Services Covered: Clarified which services are covered by the documentation and which related services are covered by separate documentation.
  • Architecture and Data Segregation: Revised the referenced Infrastructure & Sub-processors documentation to clarify the list of services covered, provide additional details on data center infrastructure, reflect the addition of a new data center in Japan, remove HCL Technologies Limited and HCL America, Inc. as sub-processors, add a description of a new Einstein Automated Contacts feature, and add an explanation of SitesRuntime pods.
  • Audits and Certifications: Added reference to Swiss-U.S. Privacy Shield certification, revised descriptions of ISO27001/27018 and TRUSTe certifications and added reference to TLS 1.1 requirement for PCI DSS.
  • Incident Management: Added description of system status notification procedures.
  • Physical Security: Added additional details on redundant systems, environmental systems and power supply systems.
  • Disaster Recovery: Added additional details on data center resiliency, disaster recovery exercises and recovery objectives.
  • Data Encryption: Added additional details on the type of encryption.
  • Deletion of Customer Data: Clarified that deletion process is triggered by termination of all licenses associated with an environment.

Buddy Media

  • Removed the Buddy Media Security, Privacy, and Architecture Documentation. The Buddy Media service has been retired.

Commerce Cloud

  • Audits and Certifications: Added reference to Privacy Shield certification and revised description of TRUSTe certification.
  • Sensitive Data: Added government-issued identification numbers to the categories of sensitive personal data that may not be submitted to the Commerce Cloud services.
  • Tracking and Analytics: Clarified the circumstances under which Salesforce may use aggregated and anonymized Customer Data.

Data.com

  • Audits and Certifications: Removed references to ISO27001/27018 certification and Service Organization Control reports.
  • Deletion of Customer Data: Clarified that deletion process is triggered by termination of the Data.com services.

Desk.com

  • Replaced the stand-alone Desk.com Security, Privacy and Architecture document with a combined document that also includes Einstein Data Discovery, LiveMessage, Quip, Salesforce Inbox and SalesforceIQ CRM. For uniformity and to enable consolidation, titles as well as descriptions in certain sections may vary from the original language. Key sections where such changes exist include: “Audits and Certifications,” “Security Controls,” “Security Policies and Procedures,” “Intrusion Detection,” “User Authentication,” and “Deletion of Customer Data.”

Einstein Data Discovery

  • Replaced the stand-alone Einstein Data Discovery Security, Privacy and Architecture document with a combined document that also includes Desk.com, LiveMessage, Quip, Salesforce Inbox and SalesforceIQ CRM. For uniformity and to enable consolidation, titles as well as descriptions in certain sections may vary from the original language. Key sections where such changes exist include: “Audits and Certifications,” “Security Controls,” “Security Policies and Procedures,” “Intrusion Detection,” “User Authentication,” and “Deletion of Customer Data.”

Einstein Vision

  • Created new Security, Privacy and Architecture document for product branded as Einstein Vision.

ExactTarget

  • Replaced the stand-alone ExactTarget Security, Privacy and Architecture document with a Marketing Cloud document that also includes Predictive Intelligence, Social Studio, and Advertising Studio (including Social.com). For uniformity and to enable consolidation, titles as well as descriptions in certain sections may vary from the original language. Key sections where such changes exist include: “Audits and Certifications,” “Security Controls,” “Security Policies and Procedures,” “Reliability and Backup,” “Disaster Recovery,” “Deletion of Customer Data,” and “Tracking and Analytics.”

Heroku

  • Audits and Certifications: Added reference to Swiss-U.S. Privacy Shield certification and added description of TRUSTe certification.
  • Security Procedures, Policies and Logging: Renamed section Security Controls.
  • Disaster Recovery: Added target recovery objectives for certain of Heroku’s services.

IoT Cloud

  • Services Covered: Added reference to privacy-related certifications.
  • Audits and Certifications: Added description of TRUSTe certification.
  • Deletion of Customer Data: Clarified process to request deletion of data after termination.

Krux

  • Services Covered: Updated to reflect description of the documentation and rebranding to “Salesforce DMP.”
  • Architecture and Data Segregation: Moved information regarding infrastructure to Infrastructure and Sub-processors documentation and added link.
  • Audits and Certifications: Clarified that SOC 2 report is SOC 2, Type II. Added reference and link to Infrastructure and Sub-processors documentation.
  • Incident Management: Clarified that the incident management system in place is that of Salesforce instead of Krux.
  • Physical Security: Added links to AWS Security Web site and AWS security processes.
  • Return of Customer Data: Updated support contact email address.
  • Deletion of Customer Data: Changed “Lookback Window” to “Term” and clarified process following the Term.
  • Personal Data: Clarified that onboarding is done through the Krux Secure Onboarding API or other agreed upon onboarding method.
  • Tracking and Analytics: Clarified that users means customers’ licensed users.

LiveMessage

  • Replaced the stand-alone LiveMessage Security, Privacy and Architecture document with a combined document that also includes Desk.com, Einstein Data Discovery, Quip, Salesforce Inbox and SalesforceIQ CRM. For uniformity and to enable consolidation, titles as well as descriptions in certain sections may vary from the original language. Key sections where such changes exist include: “Audits and Certifications,” “Security Controls,” “Security Policies and Procedures,” “Intrusion Detection,” “User Authentication,” and “Deletion of Customer Data.”

Marketing Cloud

  • This is a new Security, Privacy and Architecture document consolidating information about the services branded ExactTarget, Predictive Intelligence, Social Studio, and Advertising Studio (including Social.com).

Pardot

  • Services Covered: Added reference to privacy-related certifications.
  • Audits and Certifications: Added reference to Swiss-U.S. Privacy Shield certification and added description of TRUSTe certification.

Predictive Intelligence

  • Replaced the stand-alone Predictive Intelligence Security, Privacy and Architecture document with a Marketing Cloud document that also includes ExactTarget, Social Studio, and Advertising Studio (including Social.com). For uniformity and to enable consolidation, titles as well as descriptions in certain sections may vary from the original language. Key sections where such changes exist include: “Audits and Certifications,” “Security Controls,” “Security Policies and Procedures,” “Reliability and Backup,” “Disaster Recovery,” “Deletion of Customer Data,” and “Tracking and Analytics.”

Radian6

  • Audits and Certifications: Added reference to Privacy Shield certification, revised description of TRUSTe certification and removed references to ISO27001/27018 certification and Service Organization Control reports.

SalesforceIQ

  • Replaced the stand-alone SalesforceIQ Security, Privacy and Architecture document with a combined document that also includes Desk.com, Einstein Data Discovery, LiveMessage and Quip. For uniformity and to enable consolidation, titles as well as descriptions in certain sections may vary from the original language. Key sections where such changes exist include: “Audits and Certifications,” “Security Controls,” “Security Policies and Procedures,” “Intrusion Detection,” “User Authentication,” and “Deletion of Customer Data.”

Sales Cloud Einstein

  • Services Covered: Added Einstein Automated Contacts as a feature to the Service and updated names for two other features of the Service.
  • Audits and Certifications: Revised section so that it only describes audits and certifications pertaining to the Service, and does not describe other security controls.

Social.com

  • Replaced the stand-alone Social.com Security, Privacy and Architecture document with a Marketing Cloud document that also includes ExactTarget, Predictive Intelligence, and Social Studio. For uniformity and to enable consolidation, titles as well as descriptions in certain sections may vary from the original language. Key sections where such changes exist include: “Audits and Certifications,” “Security Controls,” “Security Policies and Procedures,” “Reliability and Backup,” “Disaster Recovery,” “Deletion of Customer Data,” and “Tracking and Analytics.”

Social Studio

  • Replaced the stand-alone Social Studio Security, Privacy and Architecture document with a Marketing Cloud document that also includes ExactTarget, Predictive Intelligence, and Advertising Studio (including Social.com). For uniformity and to enable consolidation, titles as well as descriptions in certain sections may vary from the original language. Key sections where such changes exist include: “Audits and Certifications,” “Security Controls,” “Security Policies and Procedures,” “Reliability and Backup,” “Disaster Recovery,” “Deletion of Customer Data,” and “Tracking and Analytics.”

Quip

  • Replaced the stand-alone Quip Security, Privacy and Architecture document with a combined document that also includes Desk.com, Einstein Data Discovery, LiveMessage, Salesforce Inbox and SalesforceIQ CRM. For uniformity and to enable consolidation, titles as well as descriptions in certain sections may vary from the original language. Key sections where such changes exist include: “Audits and Certifications,” “Security Controls,” “Security Policies and Procedures,” “Intrusion Detection,” “User Authentication,” and “Deletion of Customer Data.”