We help our customers around the world protect the privacy and security of their customers’ data.

Helping our customers operate on a global scale is something we do every day. We continuously monitor the global privacy landscape and adapt our privacy program accordingly. Whether it is the European Union’s GDPR, the US’s healthcare-focused privacy law (HIPAA), California’s new privacy law (CCPA), or the new Brazilian privacy law (LGPD), we are here to assist our customers on their compliance journeys. The trusted Salesforce Cloud makes it possible for companies to go beyond compliance and leverage the world’s #1 CRM to turn privacy into an opportunity to enhance the customer experience.

Europe, the Middle East, and Africa

The General Data Protection Regulation (GDPR) is a comprehensive data protection law that regulates the use of personal data of EU residents  and provides individuals rights to exercise control over their data. The GDPR does not only apply to European companies, it extends to any organization worldwide that targets or offers services or products to EU residents.

The GDPR requires companies to be transparent and accountable for their use of personal data, and to be able to demonstrate this to both regulators and the individuals concerned. There is no requirement for personal data to stay in the EU, but transfers outside of the European Economic Area are restricted, meaning that unless the European Commission has assessed the country’s privacy regime and declared it to be “adequate”, the data must be further protected by contract, or other EU-approved means. For any transfers to non-adequate countries, Salesforce’s data processing addendum incorporates such EU-approved means, namely our Processor Binding Corporate Rules and the European Commission’s standard contractual clauses. Customers can rely on these protections to transfer EU personal data using our services. 

Watch the video below, then take our “EU Privacy Law Basics” Trailhead module to learn more about GDPR and how it affects your company.

We have been working hard to ensure our services and data flows will not be impacted following the UK’s departure from the European Union, otherwise known as “Brexit”. Salesforce customers can rest assured that their Salesforce services will function as normal, and they do not need to take any action to ensure the continuity of our services. If you have further questions about how Brexit may affect the services you receive from Salesforce, please see our Brexit FAQs below.

Asia-Pacific and Japan

Japan and countries throughout the Asia-Pacific region (APAC) have their own data protection laws, which vary from light-touch to more prescriptive. 

Despite the patchwork of laws and regulations, there is a common non-binding baseline formed by the APEC Privacy Framework. The Asia-Pacific Economic Cooperation (APEC) is a regional economic forum aimed at increasing prosperity for the region by promoting balanced, inclusive, sustainable, innovative and secure growth and accelerating regional economic integration.  As part of this cooperation, the APEC Privacy Framework was adopted. The Framework sets out a series of privacy principles to ensure continued trade and economic growth and, in particular, free flow of personal data within the APEC region. Companies can certify under the Privacy Recognition for Processors (PRP) Framework to demonstrate compliance with the APEC Privacy Framework and help their customers on their privacy journey. 

Salesforce was one of the first companies globally to obtain PRP certification. Find more information here.

Japan’s Act on the Protection of Personal Information (APPI)  is based on principles similar to the GDPR. In 2019, Japan and the EU acknowledged each other’s data protection frameworks to be “adequate”, thus allowing personal data to flow freely between the two economies without the need for further protections such as binding corporate rules or the European Commission’s standard contractual clauses.

Since 2008, Salesforce has also been PrivacyMark certified. PrivacyMark is a Japanese privacy certification that focuses on enhancing individuals' awareness of the protection of personal data and incentivizing businesses to build trusted connections with their customers. To obtain the certification, companies must show they take appropriate measures to protect personal data of individuals. The requirements for PrivacyMark certification are governed by the Japan Institute for Promotion of Digital Economy and Community.


North America

In the United States, there is no comprehensive privacy law that applies across all industries and types of personal data. Rather, a patchwork of federal and state laws govern how businesses must manage personal data. These include federal laws that focus on certain industries, sensitive data types, or processing activities like direct marketing. For example, health-related data about patients and individuals collected by businesses in the healthcare industry is regulated by the federal Health Insurance Portability and Accountability Act (HIPAA), personal data collected and used by financial institutions is covered by the Gramm-Leach-Bliley Act (GLBA), and the sending of commercial emails is covered by the CAN-SPAM Act. Additionally, US state laws, such as the California Consumer Privacy Act (CCPA), impact how companies conduct business by regulating how they process and protect the personal data of individuals that reside in those states.
Salesforce Chairman and Co-CEO Marc Benioff has advocated for a national privacy law to be implemented in the United States, so that a US individual’s privacy is not dependent on their ZIP code. Similar to the GDPR in the EU, a national US privacy law would require that companies disclose how they collect and use personal data and recognize individuals’ rights to have a say in how businesses manage their data.
Salesforce’s cloud services are designed to help customers comply with this patchwork of US federal and state laws, including for some services—like Health Cloud and Financial Services Cloud—complying with the special requirements of HIPAA and GLBA.
The Personal Information Protection and Electronic Documents Act (PIPEDA) is Canada’s national privacy law that regulates how private-sector organizations collect, use, and disclose personal data when engaged in commercial activities. PIPEDA provides specific protections for individuals’ personal data, including individuals’ rights to consent to the collection, use or disclosure of their personal data, to access their personal data held by an organization, and to challenge the accuracy of that personal data.

“At Salesforce, trust is our #1 value. The protection of our customers’ data is paramount.”


Latin America and the Caribbean

In Latin America and the Caribbean, a number of national and local laws govern how organizations use personal data.  Several Latin American and Caribbean countries have enacted privacy rules that are loosely based on European requirements, but sectoral and industry-specific rules still remain throughout the region. Brazil has enacted a national law (LGPD) which is similar to the GDPR but with its own Brazil-specific requirements. Salesforce is closely monitoring developments around LGPD and other laws in Latin American and Caribbean countries.  Salesforce’s data processing addendum, other privacy and product documentation, as well as our internal practices are designed for global use and we update them as necessary to continue to deliver our services to customers in Latin America and the Caribbean in accordance with legal requirements.

Privacy Resources




Salesforce understands better customer experiences start with
data privacy.

Contact us if you have questions, comments, or requests related to Salesforce’s Privacy Statement, our data privacy practices, or how Salesforce embraces privacy and data protection laws.