Salesforce Einstein GDPR Compliance: DPA, EU Hosting & AI Act Guide

Yes, Salesforce Einstein can be GDPR-compliant for German companies — provided the Salesforce Data Processing Agreement (DPA) is signed, EU data residency is configured via Salesforce Hyperforce, and Einstein AI features are evaluated under the EU AI Act. Without these steps, processing personal data of EU residents through Salesforce creates meaningful legal exposure under GDPR (Regulation (EU) 2016/679). This guide covers the Salesforce DPA, Hyperforce EU data residency options, EU AI Act obligations, BetrVG works council requirements, and a deployment checklist for German businesses. For the broader landscape of enterprise AI tools, see our AI tools compliance guide.

Is Salesforce Einstein GDPR Compliant?

Yes — with conditions. Salesforce acts as a data processor under Art. 4(8) GDPR when processing personal data on behalf of your business. This means your company, as the data controller, must:

  • Sign Salesforce’s Data Processing Agreement (DPA) to satisfy Art. 28 GDPR requirements
  • Configure your Salesforce instance for EU data residency via Hyperforce where available under your subscription
  • Review Salesforce’s sub-processor list and assess any third-country transfers
  • Establish an appropriate legal basis — typically legitimate interest or contractual necessity — for CRM data processing
  • Evaluate Einstein AI features under the EU AI Act where they perform automated processing at scale

Salesforce maintains EU data centers and offers data residency options that keep primary personal data within the European Economic Area (EEA). However, some Einstein AI features may route data through additional infrastructure. Always verify Salesforce’s current sub-processor list before enabling new features in your organisation.

Salesforce Data Processing Agreement (DPA)

Under Art. 28 GDPR, every business that uses a third-party service to process personal data must have a written Data Processing Agreement in place. In Germany, this is commonly called an Auftragsverarbeitungsvertrag (AVV).

How to access and sign the Salesforce DPA:

  1. Log in to Salesforce Trust (trust.salesforce.com) or your Salesforce account dashboard
  2. Navigate to the Data Processing Addendum section within your agreement documentation
  3. Accept Salesforce’s standard DPA — for most Salesforce products this is a pre-signed online agreement, requiring no individual negotiation
  4. Download and archive the signed DPA for your compliance records

Salesforce’s DPA covers all Art. 28 GDPR requirements: a description of processing activities, categories of data subjects, technical and organisational measures (TOMs), sub-processor management rules, and support for data subject rights.

What Art. 28 GDPR requires from a DPA:

  • Processing only on documented instructions from the controller
  • Confidentiality obligations on all persons authorised to process data
  • Implementation of appropriate security measures under Art. 32 GDPR
  • Sub-processor engagement subject to equivalent data protection obligations
  • Assistance to the controller in responding to data subject requests
  • Deletion or return of all personal data after the service relationship ends
  • Provision of all information necessary to demonstrate compliance

For German companies, the Salesforce AVV should also address compliance with the Bundesdatenschutzgesetz (BDSG) — particularly where employee personal data is involved.

Salesforce holds several compliance certifications relevant to German procurement: ISO 27001 for information security management, SOC 2 Type II reports available under NDA, and EU Standard Contractual Clauses (SCCs) incorporated into the DPA for third-country transfers. Salesforce is also certified under the EU-US Data Privacy Framework, providing an additional legal transfer mechanism following the post-Schrems II landscape.

EU Data Residency: Salesforce Hyperforce

Salesforce Hyperforce is Salesforce’s re-architected global infrastructure platform that allows customer data to be stored and processed within specific geographic regions — including the European Union. For German companies, Hyperforce EU is the key mechanism for ensuring GDPR-compliant data localisation.

What Hyperforce EU provides:

  • Primary data storage within EU-based data centers
  • Processing of Einstein AI workloads within the EEA where Hyperforce EU is configured
  • Contractual confirmation of data residency in your Salesforce order documentation
  • Alignment with GDPR Art. 44–49 requirements for international data transfers

Confirming your data residency configuration:

Not all Salesforce subscriptions include Hyperforce EU data residency by default. To verify:

  1. Check your Salesforce order form or MSA for an explicit “EU Data Residency” commitment
  2. Confirm with your Salesforce account team in writing whether Einstein AI features are covered within the EU residency scope
  3. Review the Salesforce Trust Status page for your specific org’s data center region
  4. Document your data residency configuration as part of your Records of Processing Activities (RoPA) under Art. 30 GDPR

Data transfer safeguards: Where Salesforce sub-processors are located outside the EEA — including US-based cloud infrastructure providers — the Salesforce DPA incorporates Standard Contractual Clauses (SCCs) in the updated 2021 form. Review the Salesforce sub-processor list at least annually and conduct a Transfer Impact Assessment (TIA) where transfers to high-risk third countries are identified.

Salesforce Einstein vs. Salesforce CRM GDPR

It is important to distinguish between Salesforce CRM and Salesforce Einstein for GDPR purposes. While both operate under the same DPA framework, Einstein AI features introduce additional processing activities that require separate assessment.

| Scope | Salesforce CRM | Salesforce Einstein |
| --- | --- | --- |
| Processing type | Storage and retrieval of customer records | AI-driven analysis, predictions, and content generation |
| Art. 22 GDPR risk | Lower — manual decisions by users | Higher — automated scoring, recommendations, decisions |
| Training data concern | Not applicable | Einstein GPT and AI models may use input data |
| EU AI Act relevance | Generally not in scope | In scope for GPAI and potentially high-risk features |
| BetrVG relevance | Limited | High — employee monitoring via conversation analytics |

Practical implication: Signing the Salesforce DPA makes your base CRM usage GDPR-compliant. Each Einstein feature you activate — Einstein Lead Scoring, Einstein GPT, Conversation Intelligence, Einstein Recommendations — requires an additional assessment against Art. 22 GDPR automated decision-making rules, your DPIA obligations, and the EU AI Act framework. Disable Einstein features you do not actively use to minimise your compliance surface area.

Salesforce Einstein and the EU AI Act

The EU AI Act (Regulation (EU) 2024/1689), applicable from August 2026, introduces obligations for deployers and providers of AI systems used in the EU. Salesforce Einstein features fall within its scope.

Is Salesforce Einstein a high-risk AI system?

Most standard Einstein features — including predictive lead scoring, product recommendations, and Einstein GPT for marketing content — are not classified as high-risk under Annex III of the EU AI Act. They do not directly influence employment, creditworthiness, or law enforcement decisions.

However, specific configurations can raise the risk classification:

  • Einstein Conversation Intelligence monitoring sales representatives’ calls may engage employment-sector high-risk thresholds under Annex III, point 4
  • Einstein scoring applied to credit or insurance customers may engage financial services high-risk thresholds
  • Any Einstein feature used to evaluate persons in employment contexts requires documentation and, where high-risk classification applies, conformity assessment

GPAI obligations: Salesforce is the provider of Einstein’s underlying AI models and carries primary General-Purpose AI (GPAI) model obligations under the EU AI Act. As a deployer, your company must:

  • Maintain documentation on the AI system’s intended purpose and deployment conditions
  • Conduct a fundamental rights impact assessment where high-risk thresholds are reached
  • Implement human oversight mechanisms for consequential automated outputs
  • Inform affected individuals where AI-generated content or decisions materially affect them

For a broader overview of EU AI Act compliance for enterprise software, see our EU AI Act compliance guides.

BetrVG and Works Council Obligations

For German companies, §87(1) No. 6 BetrVG gives the Betriebsrat (works council) a right of co-determination over any technical systems used to monitor employee behaviour or performance. Salesforce Einstein features that touch employee activity trigger this obligation.

Einstein features that typically require Betriebsrat involvement:

  • Conversation Intelligence: Records, transcribes, and scores sales calls — directly monitors individual employee performance
  • Einstein Activity Capture: Logs emails and calendar events, creating a record of employee working patterns
  • Sales Analytics dashboards: Where used to track individual sales representative metrics derived from Einstein scoring

What co-determination means in practice:

  1. Notify your Betriebsrat of any planned Salesforce Einstein deployment before going live
  2. Provide a technical description of what data Einstein collects, processes, and stores about employees
  3. Negotiate a Betriebsvereinbarung (works agreement) governing the permissible use of Einstein analytics for personnel evaluation
  4. Restrict access to individual employee performance data within Einstein dashboards to agreed personnel only

Beyond §87 BetrVG, employee data processed by Salesforce Einstein is also subject to §26 BDSG — the German data protection provision for employee data — which requires a specific legal basis and strict proportionality review. Engage your Datenschutzbeauftragter (DPO) and Betriebsrat in parallel before enabling employee-facing Einstein features.

Checklist: Before You Deploy Salesforce Einstein

  1. Sign the Salesforce DPA/AVV — access via Salesforce Trust and archive the completed copy in your compliance records; confirm the DPA covers all Einstein products you plan to use
  2. Confirm EU data residency via Hyperforce — obtain written confirmation from Salesforce of your data center region and whether Einstein AI workloads are covered within the EU scope
  3. Review the Salesforce sub-processor list — identify sub-processors involved in Einstein AI features, assess third-country transfers, and document a Transfer Impact Assessment where required
  4. Update your Records of Processing Activities (RoPA) — add Salesforce Einstein under Art. 30 GDPR, documenting processing purposes, data categories, data subject groups, retention periods, and international transfer mechanisms
  5. Assess Art. 22 GDPR obligations — determine whether any Einstein-driven decisions qualify as solely automated decisions with significant effects, and implement human review processes
  6. Conduct an EU AI Act deployment review — classify each Einstein feature you activate, document intended purpose and oversight measures, and complete a fundamental rights impact assessment if high-risk thresholds apply
  7. Engage your Betriebsrat — notify and, where required, negotiate a Betriebsvereinbarung before activating Conversation Intelligence, Activity Capture, or individual performance analytics
  8. Conduct a DPIA if required — large-scale customer profiling, systematic employee monitoring, or automated decisions affecting individuals at scale are common DPIA triggers under Art. 35 GDPR

Frequently Asked Questions

Does Salesforce have a GDPR Data Processing Agreement?

Yes. Salesforce provides a standard Data Processing Agreement (DPA) — also called a Data Processing Addendum — that satisfies Art. 28 GDPR requirements. It is available via Salesforce Trust and most Salesforce subscriptions allow online acceptance without individual negotiation. The DPA covers sub-processor management, Standard Contractual Clauses for third-country transfers, and technical and organisational measures. German companies should archive the signed DPA as part of their GDPR documentation.

Is Salesforce Einstein processed in the EU?

It depends on your subscription and configuration. Salesforce offers EU data residency via its Hyperforce infrastructure for customers on eligible plans. Without this configuration, Salesforce data — including Einstein AI workloads — may be processed across global infrastructure. Request written confirmation from your Salesforce account team about the specific data center region for your org and whether Einstein features fall within the EU residency scope. Document the confirmation in your RoPA.

Does the EU AI Act apply to Salesforce Einstein?

Yes. Salesforce Einstein features are AI systems within the scope of the EU AI Act. Most standard Einstein features are not classified as high-risk, but Conversation Intelligence used for employee performance monitoring and any Einstein features applied in employment, financial services, or law enforcement contexts can reach high-risk thresholds under Annex III. Salesforce as the AI provider carries the primary GPAI obligations; as a deployer, your company must document intended use, implement human oversight, and conduct a fundamental rights impact assessment where required.

Does Salesforce store CRM data in the EU?

Salesforce offers EU data residency via Hyperforce for eligible subscriptions, keeping primary personal data within EU-based data centers. Without this option, data may be stored across Salesforce’s global infrastructure. Confirm your subscription terms and enable EU data residency, or obtain written confirmation from Salesforce of the storage location for your specific org.

Is a DPIA required for Salesforce Einstein in Germany?

A Data Protection Impact Assessment (DPIA) under Art. 35 GDPR is required when processing is likely to result in a high risk to individuals. Common triggers with Salesforce Einstein include large-scale customer profiling, systematic employee monitoring via Conversation Intelligence, or automated decisions with significant effects. For standard CRM use without high-risk AI features, a DPIA may not be mandatory — but document your reasoning in writing and retain it for supervisory authority review.

Can German SMEs use Salesforce without signing a DPA?

No. Every business — regardless of size — that uses Salesforce to process personal data of EU residents must have the Salesforce DPA in place before processing begins. Salesforce provides a standardised online DPA that does not require individual negotiation, making the process accessible for smaller companies. The DPA obligation applies to all Salesforce products including Einstein AI features.
The information on this page is general guidance on Salesforce Einstein GDPR compliance and does not constitute legal advice. Your specific situation may require individual assessment. Contact Compound Law for a tailored Salesforce compliance review.
