Review Trust and Compliance Documentation

We made seasonal updates to the Salesforce Trust and Compliance Documents.

Infrastructure and Sub-Processors

These changes have been made in the Infrastructure and Sub-Processors Documentation.

Audience Studio

  • No updates

Sales Cloud, Service Cloud, Community Cloud, Chatter, Lightning Platform (including Force.com), IoT Explorer (including IoT Plus), Site.com, Database.com, Einstein Analytics (including Einstein Discovery), WDC, Messaging, Financial Services Cloud, Health Cloud, Sustainability Cloud, Consumer Goods Cloud, Manufacturing Cloud, Emergency Program Management, Salesforce CPQ and Salesforce Billing, Salesforce Maps, Workplace Command Center, Shift Management, and the Salesforce.org LLC ("Salesforce.org") services branded as Salesforce Advisor Link, foundationConnect (provisioned on or after August 19, 2019), Accounting Subledger, Salesforce.org Insights Platform: Data Integrity, and Nonprofit Cloud Case Management

  • Scope: Added the following additional Covered Services to the scope of this document: Emergency Program Management, Accounting Subledger, Salesforce.org Insights Platform: Data Integrity, Nonprofit Cloud Case Management, Command Center, and Shift Management. Rebranded all instances of Work.com (provisioned before May 1, 2020) as WDC. References to Einstein Discovery Classic were removed. Clarified that the document does not apply to B2C Order Management. Clarified that Insights Platform is also subject to the Trust and Compliance Documentation for Heroku. Added a link to Salesforce’s Data Processing Addendum for further information on capitalized terms.
  • Sub-Processors - Customer Data Storage: In the Americas, added a GS0 (Trials only) Instance in two United States-based Data Centers, which are hosted by salesforce.com, inc. and Amazon Web Services.
  • Sub-Processors - Customer Data Processing: Insights Platform was added to the list of services that use Heroku, Inc. as a sub-processor. Bugsnag Inc. was added as a sub-processor for Salesforce Maps. Shift Management was added to the list of features that use ClickSoftware, Inc. as a sub-processor.

B2B Commerce

  • No updates

B2C Commerce/Commerce Cloud

  • Throughout the document changed “Order Management” to “B2C Commerce Order Management” to differentiate it from Salesforce Order Management.

Customer 360 Data Manager

  • Scope: Added a link to Salesforce’s Data Processing Addendum for further information on capitalized terms.
  • Sub-processors - Data Storage: Added a link to Salesforce’s Data Processing Addendum for further information on capitalized terms. Removed a reference and links to AWS security website and security processes.

Data.com

  • No updates

Desk.com

  • Product has been discontinued.

Einstein Discovery Classic

  • Product has been discontinued.

“Einstein Platform” (Sales Cloud Einstein, Pardot Einstein, Salesforce Inbox, Einstein Engagement Scoring, Einstein Vision and Language, Einstein Bots, Service Cloud Einstein, Einstein Prediction Builder, and Einstein Vision for Social Studio)

  • Scope: Einstein Reply Recommendation added as a new feature of Service Cloud Einstein. Einstein Call Coaching added as a new feature of High Velocity Sales.

  • Branding: Einstein Vision for Social Studios changed to Einstein Vision for Social Studio throughout.
  • Sub-processors - Customer Data Storage: Separately listed sub-processor information for Einstein Object Detection as a feature of the Consumer Goods Cloud Service, distinct from Einstein Vision, and added European AWS data center location. Clarified European AWS data center locations for Einstein Prediction Builder, Einstein Article Recommendations, and Einstein Case Classification. Clarified data storage location of European-based Einstein Bots customers who enable the NLP functionality. Clarified storage location of different features for High Velocity Sales customers.

Government Cloud Plus

  • Sub-processors - Customer Data Storage: Clarified that encrypted customer data may pass through various points on its way to storage and processing on the previously specified hosts.

Heroku

  • No updates

IoT Cloud

  • No updates

LiveMessage, Quip, myTrailhead

  • Desk.com, Einstein Discover, and SalesforceIQ have been discontinued.
  • Sub-processors - Customer Data Storage: Clarified hosting location options for Quip customers who have purchased Virtual Private Cloud.
  • Sub-processors - Customer Data Processing: List of countries for Coveo (for myTrailhead) was amended by clarifying that by “European Union” we mean “European Union member states”. Also deleted “Ireland” from the list of countries in which Coveo processes customer data, because the European Union was already listed as a location of processing and Ireland is part of the European Union. A Content Delivery Network (CDN) was added for myTrailhead.

Marketing Cloud

  • Scope: No longer includes Advertising Campaigns as part of Advertising Studio. Marketing Cloud Einstein and Measurement Platform was shortened to Marketing Cloud Einstein. Added a link to Salesforce’s Data Processing Addendum for further information on capitalized terms.
  • Sub-processors - Customer Data Processing: Israel was added to the list of countries in which salesforce.com, inc. and its associates process customer data. Datorama Technologies Ltd. was removed from the list of sub-processors.

MuleSoft

  • Sub-processors - Customer Data Processing: Great Software Laboratory Pvt Ltd and Great Software Laboratory, Inc. were removed from the list of sub-processors.

Pardot

  • No updates

SalesforceIQ

  • Product has been discontinued.

Security, Privacy, and Architecture

These changes have been made in the Security, Privacy, and Architecture Documentation.

Audience Studio

  • Deletion of Data: Terms and timelines for return and destruction or deletion of Customer data were updated.
  • Personal Data and Sensitive Data: Clarified which users and actions are under the NAI Code of Conduct. Clarified that sensitive data may not be submitted pseudonymized. Clarified that targeted advertising, based on traffic on sites directed at children, is governed by local applicable law.

Sales Cloud, Service Cloud, Community Cloud, Chatter, Lightning Platform (including Force.com), IoT Explorer (including IoT Plus), Site.com, Database.com, Einstein Analytics (including Einstein Discovery), WDC, Messaging, Financial Services Cloud, Health Cloud, Sustainability Cloud, Consumer Goods Cloud, Manufacturing Cloud, Emergency Program Management, Salesforce CPQ and Salesforce Billing, Salesforce Maps, Workplace Command Center, Shift Management, and the Salesforce.org LLC ("Salesforce.org") services branded as Salesforce Advisor Link, foundationConnect (provisioned on or after August 19, 2019), Accounting Subledger, Salesforce.org Insights Platform: Data Integrity, and Nonprofit Cloud Case Management (“Covered Services”)

  • Services Covered: Added new services including: Emergency Program Management, Salesforce Order Management, Accounting Subledger, Salesforce.org Insights Platform: Data Integrity, Nonprofit Cloud Case Management, Workplace Command Center, and Shift Management. Differentiates Salesforce Order Management from B2C Commerce Order Management and the documentation that governs each. Clarified which sections of the document apply to Scratch Orgs. Clarifies additional governing documentation for the Field Service Lightning feature, the Insights Platform, and services which integrate with the Covered Services. Clarified which versions of Einstein Discovery are included in Covered Services. Rebranded all instances of Work.com (provisioned before May 1, 2020) as WDC.
  • Third-Party Functionality: Added WhatsApp to the list of over-the-top messaging services.
  • Audits and Certifications: Updated list of services excluded from each referenced certification. Updated location where customers can access SOC reports. Removed Industry Cloud from the list of products certified by Japan CS Gold. Updated list of services whose data is hosted or processed on AWS infrastructure. Added a section describing Insights Platform use of Heroku’s architecture for hosting or processing data.
  • Security Controls: Updated list of services using AWS. Added Insights Platform’s use of Heroku, and a link to Heroku’s security documentation.
  • Security Policies and Procedures: Salesforce will only provide log entry records to assist customers in forensic analysis, when available.
  • Reliability and Backup: Clarifies which Services’ data may be unrecoverable, if uninstalled by customers.
  • Disaster Recovery: Clarified that this section does not apply to Click FSL Optimizer.
  • Data Encryption: Clarifies data transmission methods between data centers.
  • Deletion of Customer Data: Clarifies duration of data retention for Insights Platform on AWS and Heroku servers.
  • Sensitive Data: Amended list of unsubmittable data types. Clarified Customer responsibilities for ensuring use of services for processing of submitted sensitive or regulated data complies with all applicable laws and regulations.
  • Interoperation with Other Services: Added description of metadata that may be captured by Salesforce when third-party systems are connected to Covered Services. Addresses protection and use of that data.

B2B Commerce

  • Sensitive Data: Amended list of unsubmittable data types. Clarified Customer responsibilities for ensuring use of services for processing of submitted sensitive or regulated data complies with all applicable laws and regulations.

B2C Commerce/Commerce Cloud

  • Throughout the document changed “Order Management” to “B2C Commerce Order Management” to differentiate it from Salesforce Order Management.
  • Added link to Salesforce Order Management documentation.
  • Audits and Certifications: Updated link locations for Salesforce’s AoC, ISO, and SOC reports.
  • Sensitive Data: Amended list of unsubmittable data types. Clarified Customer responsibilities for ensuring use of services for processing of submitted sensitive or regulated data complies with all applicable laws and regulations.

Customer 360 Data Manager

  • Audits and Certifications: Removed references to AWS infrastructure used to host Customer Data.
  • Security Controls: Removed references to AWS security policy.
  • Security Policies and Procedures: Updated method by which customers may locally save Audit Trail content.
  • Sensitive Data: Amended list of unsubmittable data types. Clarified Customer responsibilities for ensuring processing of submitted data complies with all applicable laws and regulations.

Data.com

  • No updates

Desk.com

  • Product has been discontinued.

Einstein Discovery Classic

  • Product has been discontinued.

Einstein Platform

  • Audits and Certifications: Updated list of products excepted from Salesforce’s BCR for processors. Updated list of Einstein features that meet ISO standards. Updated list of features evaluated under SOC.

Government Cloud Plus

  • Intrusion Detection: Examples of data possibly being collected were removed.
  • Data Encryption: Clarified type of symmetric encryption keys.
  • Sensitive Data: Amended list of unsubmittable data types. Clarified Customer responsibilities for ensuring use of services for processing of submitted sensitive or regulated data complies with all applicable laws and regulations.

LiveMessage, myTrailhead, and Quip

  • Services Covered: Desk.com, Einstein Discover, and SalesforceIQ have been discontinued.
  • Audits and Certifications: List of services covered by Audits and Certifications has been edited to reflect services covered by this document.
  • User Authentication: Updated types of identifiers used to manage user’s session.
  • Viruses: Updated list of services which do not scan for viruses. Added optional virus scanning for Quip customers.
  • Return of Customer Data: Removed data retrieval methods for discontinued services.
  • Deletion of Customer Data: Updated list of products for which customer data can be deleted, and the terms and timelines under which it is overwritten or deleted.
  • Sensitive Data: Amended list of unsubmittable data types. Clarified Customer responsibilities for ensuring use of services for processing of submitted sensitive or regulated data complies with all applicable laws and regulations.

Heroku

  • Audits and Certifications: Updated names of features covered under the PCI certification. Added ASIP Santé certification.
  • Disaster Recovery: Updated list of Heroku Shield services.
  • Sensitive Data: Amended list of unsubmittable data types. Clarified Customer responsibilities for ensuring processing of submitted data complies with all applicable laws and regulations.

IoT Cloud

  • Sensitive Data: Amended list of unsubmittable data types. Clarified Customer responsibilities for ensuring use of services for processing of submitted sensitive or regulated data complies with all applicable laws and regulations.

Marketing Cloud

  • Services Covered: No longer includes Advertising Campaigns as part of Audience Studio. Marketing Cloud Einstein and Measurement Platform was shortened to Marketing Cloud Einstein. Updated documentation to which Einstein Engagement Frequency is subject.
  • Audits and Certifications: Under ISO certification, changed Predictive Intelligence to Marketing Cloud Einstein and Measurement (MCEM).
  • Sensitive Data: Amended list of unsubmittable data types. Clarified Customer responsibilities for ensuring use of services for processing of submitted sensitive or regulated data complies with all applicable laws and regulations.

MuleSoft

  • User Authentication: Clarified credentials used to authenticate and manage user’s session.
  • Data Encryption: Clarified management and runtime data encryption.
  • Deletion of Customer Data: Added data retention policy for Transaction Processing Information in MuleSoft Anypoint Partner Manager.
  • Sensitive Data: Amended list of unsubmittable data types. Clarified Customer responsibilities for ensuring use of services for processing of submitted sensitive or regulated data complies with all applicable laws and regulations.

Pardot

  • Security Controls: Updated terms under which Email Login Verification is required. Clarified description of Email Login Verification.
  • Viruses: Section and subject renamed Malicious Software.
  • Data Encryption: TLS version updated.
  • Sensitive Data: Amended list of unsubmittable data types. Clarified Customer responsibilities for ensuring use of services for processing of submitted sensitive or regulated data complies with all applicable laws and regulations.

SalesforceIQ

  • Product has been discontinued.

Notices and Licenses

These changes have been made in the Notices and Licenses Documentation.

Audience Studio

  • Restricted Uses of Information and Compliance with Self-Regulatory Programs: Clarified that sensitive data may not be submitted pseudonymized. Clarified that targeted advertising, based on traffic on sites directed at children, is governed by local applicable law.
  • Use of Third Party Data: Clarified that targeted advertising, based on traffic on sites directed at children, is governed by local applicable law.

Salesforce

  • Services Covered: Added new services including: Salesforce Order Management, Emergency Program Management, Accounting Subledger, Salesforce.org Insights Platform: Data Integrity, Nonprofit Cloud Case Management, Workplace Command Center, and Shift Management. Differentiates Salesforce Order Management from B2C Commerce Order Management and the documentation that governs each. Rebranded all instances of Work.com (provisioned before May 1, 2020) as WDC.
  • Field Service Lightning: Section removed.
  • Google Maps: Simplified and clarified terms of use. Updated links to salient Google policies.
  • Insights Platform: Added terms for integrating Insights Platform and Melissa Data.
  • Workplace Command Center: Added Third Party Platforms disclosure.
  • Distributed Software: Removed reference to former WDC mobile app.
  • External Resources: Clarifies Salesforce’s relationship with, and limits its liability in relation to, referenced sites or resources.

B2B Commerce

  • No updates

B2C Commerce/Commerce Cloud

  • Throughout the document changed “Order Management” to “B2C Commerce Order Management” to differentiate it from Salesforce Order Management.

Customer 360 Data Manager

  • No substantive updates

Desk.com

  • Product has been discontinued.

Einstein Analytics

  • Services Covered: Removed references to older versions of Einstein Discovery.

“Einstein Platform” (Sales Cloud Einstein, Pardot Einstein, Salesforce Inbox, Einstein Engagement Scoring, Einstein Vision and Language, Einstein Bots, Service Cloud Einstein, Einstein Prediction Builder, and Einstein Vision for Social Studios)

  • Services Covered: Updated to include additional features, Einstein Call Coaching.
  • Salesforce Inbox: Removed terms specific to Third-Party Contact Enrichment Providers.
  • Einstein Call Coaching: Added additional terms to Customer’s use of this new feature. Terms also added for integrating Call Coaching features with third-party products and services.

Einstein Discovery Classic

  • Product has been discontinued.

Data.com

  • No updates

Heroku

  • No updates

IoT Cloud

  • No updates

Marketing Cloud

  • ExactTarget, Advertising Studio, and Interaction Studio: Under Services Covered, removed Advertising Campaigns from the list of “Covered Services”. Clarified that Customers are responsible for any material their users provide to Third Party Platforms.
  • Predictive Intelligence: Under Services Covered, removed iGo Digital and references to iGo, LLC. Rebranded two services, and clarified which services are subject to additional documentation.
  • Social Studio: Under Command Center - Public Display, removed restrictions on syndication, on conducting analysis, or on creating derivatives from Twitter content.

Messaging and LiveMessage

  • Restricted Uses of Information: Added a link to the Acceptable Use and External Facing Services Policy. Consolidated and enhanced the list of principles, best practices, or guidelines with which customers must comply to include MMA Global U.S. Consumer Best Practices for Messaging, CTIA Mobile Commerce Compliance Handbook, and U.S. Short Code Registry Best Practices.

MuleSoft

  • Third-Party Platforms: Clarified Non-SFDC Applications in Anypoint Exchange.
  • Anypoint Service Mesh: New section clarifying Istio as a Non-SFDC Application or Third Party Application.

myTrailhead

  • No updates

Pardot

  • Third-Party Platforms: Clarified that Customers are responsible for any material their users provide to Third Party Platforms.
  • Third-Party Notices: Removed FullContact as an applicable service.

Quip

  • No updates

SalesforceIQ

  • Product has been discontinued.