At Salesforce, trust is our number one value and nothing is more important to us than the privacy and security of our customers’ data. As part of this commitment, we strive to offer our customers the tools they need to meet their regulatory requirements. On September 24, Salesforce released its updated data processing addendum (“DPA”), which offers to our customers the latest set of standard contractual clauses for the transfer of personal data outside of Europe (“2021 SCCs”).
Standard contractual clauses are template contracts adopted by the European Commission that enable the legal transfer of personal data outside of Europe to third countries that have not received an adequacy decision. The Commission updated its previous set of SCCs to bring them in line with the General Data Protection Regulation and provide additional safeguards in response to the Schrems II ruling of the European Court of Justice. The 2021 SCCs include a host of new measures which, together with Salesforce's DPA, provide comprehensive and best-in-class protections for both our customers’ and their users’ data.
The new measures incorporated in our updated DPA, include enhanced audit rights, strengthened protections around government access requests, and increased operational flexibility. They build on the existing robust safeguards offered by Salesforce and together with our Transparency Report, will provide customers with the comfort and certainty they need to meet their regulatory obligations. Our customers may choose to execute a new DPA or to opt for an amendment agreement which simply incorporates the 2021 SCCs and the additional relevant terms.
The updated DPA is anchored in our long-standing commitment to privacy, offering our customers the strongest contractual protections available. In addition to the 2021 SCCs, our updated DPA will continue to offer to our customers our Binding Corporate Rules for processors (“BCRs”) as an alternative transfer mechanism. In 2015, we were the first enterprise software company to achieve approval from European data protection authorities for our BCR for Processors. Our BCRs were amended in 2018 to meet our new commitments with the GDPR.
Last week, we also announced the Hyperforce EU Operating Zone which will enable our commercial and public sector customers to process and store their data in the EU. The Hyperforce EU Operating Zone builds on the strong data residency services already provided by Salesforce and Slack, including our services that allow customers to store company data, search indexes, and encryption keys within the EU.
For more information on Salesforce’s new DPA or Salesforce’s privacy program generally, please see the following resources: