Salesforce is the world's leading CRM platform, providing Sales Cloud, Marketing Cloud, Service Cloud, Commerce Cloud, Pardot (now Marketing Cloud Account Engagement), and Einstein Analytics. GDPR compliance for Salesforce is complex because different products require different legal bases and compliance approaches. EU data residency options exist in Germany. Salesforce provides comprehensive GDPR DPAs across its product suite and offers GDPR-specific features including data subject request management.
Salesforce is the world's largest CRM and enterprise software company. Its product portfolio spans Sales Cloud (CRM and pipeline management), Marketing Cloud (email, SMS, social marketing automation), Service Cloud (customer service), Commerce Cloud (e-commerce), Pardot/Marketing Cloud Account Engagement (B2B marketing automation), Tableau (analytics), Slack (collaboration), MuleSoft (integration), and Einstein AI across all products. Each product processes personal data differently and requires its own GDPR assessment.
Salesforce's breadth means GDPR compliance is not a single exercise but a portfolio of assessments. Sales Cloud CRM contacts: legitimate interest or contract performance. Marketing Cloud email campaigns: consent for marketing. Pardot web tracking: consent for cookies. Service Cloud support tickets: contract performance or legitimate interest. Tableau analytics: depends on data analysed. Each cloud requires its own DPA annexe, legal basis documentation, and data subject rights workflow.
Salesforce offers EU data residency in Germany for certain products and plans. When configured, primary CRM and Marketing Cloud data remains within the EU. Not all Salesforce products support EU residency — verify per product with your Salesforce account team. For standard deployments, the Salesforce DPA and SCCs cover EU-US data transfers.
Pardot (Marketing Cloud Account Engagement) tracks individual prospect behaviour across websites using cookies and form submissions. This requires consent for cookie-based tracking and a documented legal basis for prospect profiling. Pardot's lead scoring and grading constitutes automated processing that may need disclosure. Implement Pardot cookie consent and integrate with your CMP.
Sign Salesforce DPA covering all products in use. Request EU data residency for applicable products. Implement legal basis fields in Salesforce for each contact. Configure Marketing Cloud consent management for email. Block Pardot tracking cookies via CMP. Deploy Salesforce's data subject request management tools. Conduct a DPIA covering the full Salesforce deployment. Add Salesforce to your privacy policy per product.
Websites using Salesforce must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is strongly recommended for large-scale Salesforce deployments spanning multiple clouds and processing comprehensive EU customer profiles. The breadth and depth of personal data processed across the Salesforce platform warrants thorough documented assessment.
Sample consent text
Your contact information is managed in our Salesforce CRM system. We process this data to manage our relationship with you, provide services, and where you have consented, to send marketing communications. See our privacy policy for full details and to exercise your rights.
Third-party domains contacted
salesforce.com, pardot.com, exacttarget.com
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| visitor_id | persistent | 2 years | Salesforce Pardot visitor identifier for website behaviour tracking and lead scoring |
| _mkto_trk | persistent | 2 years | Salesforce Marketing Cloud / Marketo visitor tracking cookie for email and web analytics |
Yes. Salesforce provides comprehensive GDPR DPAs across its product suite, EU data residency options, and GDPR-specific features including data subject request management. Compliance requires proper configuration and legal basis documentation for each Salesforce product in use.
Depends on the contact relationship. Existing customers and contracted parties: contract performance or legitimate interest. Marketing consent records: consent. B2B prospects: legitimate interest with a documented LIA and opt-out mechanism. Use Salesforce's Lead Source and custom compliance fields to document the basis per contact.
Yes, for certain products on specific plans (Germany). Sales Cloud and Service Cloud data can be configured for EU residency. Marketing Cloud EU hosting is available separately. Contact your Salesforce account executive to configure EU data residency for your organisation.
Yes. Pardot's website tracking cookie (visitor_id) requires consent under the ePrivacy Directive. Block the Pardot tracking code via your CMP until analytics consent is given. Form submissions and tracked email clicks also constitute personal data processing requiring disclosure.
Strongly recommended for large-scale deployments spanning multiple Salesforce clouds. The combination of CRM profiling, marketing automation, and AI-driven lead scoring across many EU contacts warrants thorough documented assessment.
Salesforce provides the Privacy Center add-on for managing data subject requests. For access requests: use data export tools. For erasure: delete Contact and Lead records, remove from Marketing Cloud subscriber lists. Ensure deletion propagates across all connected Salesforce products.
Yes. Sign the Salesforce Data Processing Addendum covering all Salesforce products in use. The DPA is available via Salesforce's trust site or via your account team. Ensure the DPA covers both your primary CRM and any Marketing Cloud, Commerce Cloud, or other products you use.
EU-based CRM alternatives include HubSpot with EU hosting (US company, but EU hosting available), Brevo CRM (France), and Zoho CRM (EU data centre options). For enterprise scale, SAP CRM and Microsoft Dynamics 365 (with EU data residency) are alternatives with strong GDPR frameworks.