Is Salesforce Einstein GDPR Compliant? DPA, AI Act & German Guide
Salesforce Einstein can be operated in a GDPR-compliant way by German companies, provided the Salesforce Data Processing Agreement (DPA) is executed, EU data residency is configured via Salesforce Hyperforce, and each Einstein AI feature is separately evaluated under the EU AI Act. Without these steps, processing personal data of individuals in the EU through Salesforce creates meaningful legal exposure under GDPR (Regulation (EU) 2016/679). This guide covers the Salesforce DPA, Hyperforce EU data residency, Einstein sub-processors, EU AI Act risk classification, CRM-specific GDPR use case analysis, BetrVG works council requirements, and an updated deployment checklist for German businesses. For the broader landscape of enterprise AI tools, see our AI tools compliance guide.
Is Salesforce Einstein GDPR Compliant?
Yes — with conditions. Salesforce acts as a data processor under Art. 4(8) GDPR when processing personal data on behalf of your business. This means your company, as the data controller, must:
- Sign Salesforce’s Data Processing Agreement (DPA) to satisfy Art. 28 GDPR requirements
- Configure your Salesforce instance for EU data residency via Hyperforce where available under your subscription
- Review Salesforce’s sub-processor list: Art. 28(2) GDPR requires that you authorise sub-processors and are informed of intended changes, and Art. 28(4) requires Salesforce to flow the DPA obligations down to them; assess any third-country transfers
- Establish an appropriate legal basis — typically legitimate interest or contractual necessity — for CRM data processing
- Evaluate each Einstein AI feature under the EU AI Act where automated processing at scale is involved
Salesforce maintains EU data centers and offers data residency options keeping primary personal data within the European Economic Area (EEA). However, specific Einstein AI features may route data through additional infrastructure. Always verify Salesforce’s current sub-processor list before enabling new features in your organisation.
Salesforce Data Processing Agreement (DPA)
Under Art. 28 GDPR, every business using a third-party service to process personal data must have a written Data Processing Agreement in place. In Germany, this is commonly called an Auftragsverarbeitungsvertrag (AVV).
How to access and sign the Salesforce DPA:
- Obtain Salesforce’s current Data Processing Addendum from its published legal agreements or from your account team; the Salesforce Trust site (trust.salesforce.com) hosts compliance documentation and the sub-processor list, but the DPA itself is a contract document attached to your subscription
- Check that the DPA version you execute covers the Salesforce services and Einstein features you subscribe to
- Execute Salesforce’s standard DPA: for most Salesforce products it is pre-signed by Salesforce and completed and countersigned by the customer, with no individual negotiation
- Archive the executed copy, together with the order form it attaches to, for your compliance records
Salesforce’s DPA covers all Art. 28 GDPR requirements: description of processing activities, categories of data subjects, technical and organisational measures (TOMs), sub-processor management rules, and support for data subject rights.
What Art. 28 GDPR requires from a DPA:
- Processing only on documented instructions from the controller
- Confidentiality obligations on all persons authorised to process data
- Implementation of appropriate security measures under Art. 32 GDPR
- Sub-processor engagement subject to equivalent data protection obligations
- Assistance to the controller in responding to data subject requests
- Deletion or return of all personal data after the service relationship ends
For German companies, the Salesforce AVV should also address compliance with the Bundesdatenschutzgesetz (BDSG), particularly where employee personal data is involved. Salesforce also holds ISO 27001 certification and SOC 2 Type II attestation reports, incorporates the EU Standard Contractual Clauses (SCCs) into its DPA for third-country transfers (the SCCs are a transfer mechanism, not a certification), and is certified under the EU-US Data Privacy Framework (DPF). Note that DPF certification is entity-specific: it covers the certified Salesforce entity, not every sub-processor Salesforce engages.
EU Data Residency: Salesforce Hyperforce
Salesforce Hyperforce is Salesforce’s re-architected global infrastructure platform allowing customer data to be stored and processed within specific geographic regions — including the European Union. For German companies, Hyperforce EU is the key mechanism for GDPR-compliant data localisation.
What Hyperforce EU provides:
- Primary data storage within EU-based data centers
- Processing of Einstein AI workloads within the EEA for the features Salesforce confirms as in-region; generative AI features may call models hosted outside your region, so confirm this per feature rather than inferring it from the platform commitment
- Contractual confirmation of data residency in your Salesforce order documentation
- Avoidance of the Chapter V (Art. 44–49 GDPR) transfer requirements for data that stays in the EEA; note that remote access to that data by Salesforce personnel outside the EEA (for example support or engineering staff) is itself a transfer and still needs a mechanism such as the SCCs
Confirming your data residency configuration:
- Check your Salesforce order form or MSA for an explicit “EU Data Residency” commitment
- Confirm with your Salesforce account team in writing whether Einstein AI features are covered within the EU residency scope
- Review the Salesforce Trust Status page for your specific org’s data center region
- Document your data residency configuration in your Records of Processing Activities (RoPA) under Art. 30 GDPR
Where Salesforce sub-processors are located outside the EEA, the Salesforce DPA incorporates the 2021 Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914). Review the sub-processor list at least annually and conduct a Transfer Impact Assessment (TIA) for every transfer that relies on the SCCs; since the Schrems II judgment (C-311/18) the TIA is a condition of relying on the SCCs, not an optional extra reserved for countries you consider high-risk.
Salesforce Einstein Sub-Processors — What Actually Runs Your AI
Under Art. 28(4) GDPR, Salesforce must impose equivalent data protection obligations on any sub-processor it engages to deliver Einstein AI features. Understanding who those sub-processors are — and where they operate — is essential for your GDPR compliance posture and your Records of Processing Activities.
Key categories of Einstein sub-processors:
- Cloud infrastructure providers: Salesforce uses AWS, Google Cloud, and Microsoft Azure to power parts of its infrastructure — including certain Einstein AI workloads. Some of these providers may be located outside the EEA, relying on SCCs or the EU-US Data Privacy Framework as the transfer mechanism.
- Specialised AI service providers: Certain Einstein generative AI features (marketed earlier as Einstein GPT) rely on large language models. Check whether your configuration uses Salesforce-hosted models or routes prompts to a third-party LLM provider, in which country that provider processes the data, and what retention applies to prompts and responses on the provider’s side.
- Analytics and data processing vendors: Einstein Analytics and CRM Intelligence features may engage additional data processing sub-processors for specific analytical workloads.
How to find and monitor the Salesforce sub-processor list:
- Access Salesforce’s current sub-processor list at trust.salesforce.com under the Privacy section
- Subscribe to sub-processor change notifications: under Art. 28(2) GDPR the processor must inform you of intended additions or replacements in advance so that you can object, and the Salesforce DPA sets out the notice mechanism
- Log each sub-processor in your RoPA and record the applicable legal transfer mechanism (SCC, Data Privacy Framework, or EU residency)
- Review the list at least annually and after any significant Salesforce product update or Einstein feature release
Red flags to check:
- Einstein features marked as US-only or with documentation indicating non-EU processing that your Hyperforce configuration does not cover
- Sub-processors in countries without an EU adequacy decision where no SCC or DPF coverage is confirmed
- New sub-processors added without prior notice: this breaches the notice obligation of Art. 28(2) GDPR and the corresponding clause of your DPA, and leaves the new transfer undocumented in your RoPA
Controllers remain responsible under Art. 24 and Art. 28(1) GDPR for using only processors that provide sufficient guarantees; relying on an outdated sub-processor list is therefore the controller’s own compliance gap, not only the processor’s, and it is exactly the kind of documentation gap German Landesdatenschutzbehörden examine when they audit a controller’s processor relationships.
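As an added illustration of the monitoring routine described above (this is not Salesforce code; the record layout, entity names and the two snapshots are constructed for the example, because Salesforce publishes its list as a document rather than a machine-readable feed), the following Python reconciles two snapshots of a sub-processor list against your RoPA and flags each of the red flags listed: unannounced additions, transfers to third countries with no lawful mechanism, SCC-based transfers that still need a TIA, and entries missing from or inconsistent with the RoPA.

```python
"""Reconcile a processor's published sub-processor list against the controller's
RoPA (Art. 30 GDPR) and flag the red flags a sub-processor review looks for.

Added example, not Salesforce's code. The record layout and the sample entries
below are constructed for illustration; a real list has to be transcribed into
this shape from the document the processor publishes.
"""
from __future__ import annotations

from dataclasses import dataclass

# EU member states plus the EEA EFTA states (Iceland, Liechtenstein, Norway).
EEA = {
    "AT", "BE", "BG", "CY", "CZ", "DE", "DK", "EE", "ES", "FI", "FR", "GR",
    "HR", "HU", "IE", "IT", "LT", "LU", "LV", "MT", "NL", "PL", "PT", "RO",
    "SE", "SI", "SK", "IS", "LI", "NO",
}
# Third countries with an Art. 45 adequacy decision. Illustrative subset:
# check the Commission's current list before relying on it. The US is left
# out on purpose: its adequacy decision (Decision (EU) 2023/1795) covers only
# organisations certified under the EU-US Data Privacy Framework, which is
# handled as the "DPF" mechanism below rather than as country-level adequacy.
ADEQUATE = {"GB", "CH", "JP", "CA", "KR", "NZ", "IL", "AR", "UY"}


@dataclass(frozen=True)
class SubProcessor:
    name: str
    service: str
    country: str           # ISO 3166-1 alpha-2 of the processing location
    mechanism: str | None  # "SCC", "DPF" or None; ignored for EEA locations


@dataclass(frozen=True)
class RopaEntry:
    name: str
    mechanism: str         # "EEA", "adequacy", "DPF" or "SCC"


def expected_mechanism(sp: SubProcessor) -> str | None:
    """Return the transfer basis a compliant RoPA entry must record for this
    sub-processor, or None when the combination is not lawful on its face."""
    if sp.country in EEA:
        return "EEA"                      # no third-country transfer at all
    if sp.country in ADEQUATE:
        return "adequacy"                 # Art. 45 GDPR
    if sp.country == "US" and sp.mechanism == "DPF":
        return "DPF"                      # entity-level certification
    if sp.mechanism == "SCC":
        return "SCC"                      # Art. 46(2)(c) GDPR, TIA required
    return None                           # red flag: no mechanism confirmed


def reconcile(previous, current, notified, ropa):
    """previous/current: two snapshots of the vendor list; notified: names the
    processor announced in advance (Art. 28(2) GDPR); ropa: your RoPA entries."""
    prev_names = {sp.name for sp in previous}
    ropa_by_name = {e.name: e for e in ropa}
    findings = {"new_unnotified": [], "removed": [], "unlawful_transfer": [],
                "tia_required": [], "ropa_mismatch": []}
    for sp in current:
        if sp.name not in prev_names and sp.name not in notified:
            findings["new_unnotified"].append(sp.name)
        basis = expected_mechanism(sp)
        if basis is None:
            findings["unlawful_transfer"].append(sp.name)
        elif basis == "SCC":
            # Schrems II: SCCs alone are not enough without a documented TIA.
            findings["tia_required"].append(sp.name)
        entry = ropa_by_name.get(sp.name)
        if entry is None or entry.mechanism != basis:
            findings["ropa_mismatch"].append(sp.name)
    findings["removed"] = sorted(prev_names - {sp.name for sp in current})
    return findings


# Constructed snapshots and RoPA; the vendor names are placeholders.
PREVIOUS = [
    SubProcessor("Cloud Infra A", "Hosting", "DE", None),
    SubProcessor("Cloud Infra B", "Hosting", "US", "DPF"),
    SubProcessor("Legacy Analytics", "Analytics", "IE", None),
]
CURRENT = [
    SubProcessor("Cloud Infra A", "Hosting", "DE", None),
    SubProcessor("Cloud Infra B", "Hosting", "US", "DPF"),
    SubProcessor("LLM Vendor X", "Generative AI", "US", "SCC"),      # announced
    SubProcessor("Support Tooling Y", "Case routing", "IN", None),   # not announced
]
NOTIFIED = {"LLM Vendor X"}
ROPA = [
    RopaEntry("Cloud Infra A", "EEA"),
    RopaEntry("Cloud Infra B", "DPF"),
    RopaEntry("LLM Vendor X", "SCC"),
]


def sample_findings():
    return reconcile(PREVIOUS, CURRENT, NOTIFIED, ROPA)


if __name__ == "__main__":
    for key, names in sample_findings().items():
        print(f"{key}: {names}")
```

In the constructed data the unannounced Indian vendor trips three checks at once (no notice, no transfer mechanism, not in the RoPA), the announced US LLM vendor is lawful only if a TIA exists, and the dropped analytics vendor is surfaced so its RoPA entry and retention obligations can be closed out.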
Salesforce Einstein for CRM Data — GDPR Use Case Analysis
Different Salesforce Einstein modules process different categories of personal data. Each requires a separate legal basis, retention policy, and risk assessment under GDPR.
Sales Cloud Einstein — Leads and Contacts:
Einstein Lead Scoring processes behavioural and demographic data on prospects and customers to generate predictive scores. The legal basis is typically legitimate interest (Art. 6(1)(f) GDPR), supported by a documented balancing test; contractual necessity (Art. 6(1)(b)) applies only where the scoring is genuinely needed to perform a contract with that contact, which is rarely the case for scoring itself. Because scoring is profiling based on legitimate interest, data subjects can object under Art. 21(1) GDPR, so your process must be able to exclude individual records from scoring. Salesforce does not automatically enforce GDPR retention limits: define retention periods in your configuration and implement automated deletion workflows for inactive lead records.
Service Cloud Einstein — AI-Powered Customer Support:
Einstein Bots and Case Classification process customer interaction data, potentially including sensitive information shared in support tickets. Assess whether support case content contains special category data under Art. 9 GDPR, such as health information disclosed by customers; financial data is not a special category under Art. 9, but it still raises the risk level for the Art. 35 assessment and for breach impact. For regulated industries (financial services, healthcare), a DPIA under Art. 35 GDPR is typically required before enabling Service Cloud Einstein.
Marketing Cloud AI — Profiling and Consent:
Einstein-driven personalisation, send-time optimisation, and predictive audiences in Marketing Cloud constitute profiling under Art. 4(4) GDPR. For direct marketing to individuals, the legal basis is typically consent (Art. 6(1)(a) GDPR). Under German law, §7 UWG (Gesetz gegen den unlauteren Wettbewerb) additionally governs electronic direct marketing, and a GDPR legal basis does not cure a consent that fails §7 UWG. Consent records must be specific to Einstein-driven profiling; withdrawal must be as easy as giving consent (Art. 7(3) GDPR), must take effect in Marketing Cloud’s suppression logic, and must not disadvantage the individual.
HR and Recruitment Use Cases — AI Act Interaction:
Using Salesforce or Einstein features to screen job applicants, score candidates, or evaluate employee performance activates both §26 BDSG (employee data processing) and the EU AI Act high-risk threshold for employment-sector AI systems. Any Einstein feature applied to personnel decisions — including sales performance scoring in HR evaluation contexts — must be assessed under Annex III, point 4 of the EU AI Act before deployment.
Salesforce Einstein AI Act Risk Classification
The EU AI Act (Regulation (EU) 2024/1689) entered into force on 1 August 2024 and applies in stages: prohibited practices and the AI literacy duty (Art. 4) from 2 February 2025, general-purpose AI model obligations from 2 August 2025, and the high-risk obligations for Annex III systems from 2 August 2026. As a deployer, your company must assess each Einstein feature against the risk classification framework before the 2 August 2026 date.
Is Salesforce Einstein a high-risk AI system?
Most standard Einstein features — predictive lead scoring, product recommendations, marketing personalisation, and Einstein GPT for content generation — are not classified as high-risk under Annex III. They do not directly influence employment, creditworthiness, or law enforcement decisions in a legally significant sense.
However, specific use cases can reach the high-risk threshold:
| Einstein Feature | Potential High-Risk Trigger | Annex III Point |
|---|---|---|
| Conversation Intelligence (call scoring) | Monitoring and evaluating individual employee performance | 4(b) Employment |
| Recruitment use of Einstein to screen or rank candidates | Recruitment or selection of natural persons | 4(a) Employment |
| Einstein Lead Scoring in financial services | Evaluating creditworthiness or establishing a credit score | 5(b) Credit |
| Einstein scoring in insurance | Risk assessment and pricing for life or health insurance | 5(c) Insurance |
| Fraud detection automation | Only where used by or on behalf of a law enforcement authority; private-sector financial fraud detection is expressly excluded from 5(b) and is not Annex III high-risk | 6 Law enforcement |
Annex III listing is not automatic: Art. 6(3) AI Act exempts systems that only perform a narrow procedural task, improve the result of a completed human activity, or carry out preparatory work, but the deployer relying on the exemption must document the assessment, and the exemption never applies where the system profiles natural persons.
What the 2 August 2026 date means for Salesforce customers:
From 2 August 2026, deployers of high-risk AI systems must meet the Art. 26 AI Act duties: use the system according to the provider’s instructions, assign human oversight to competent and trained staff, ensure input data under their control is relevant and representative, keep the automatically generated logs for at least six months, monitor operation and report serious incidents, and inform natural persons that a high-risk system is used to make or support decisions about them (Art. 26(11)). Two obligations often assumed to apply to every deployer are narrower: registration in the EU database (Art. 49(3)) is required of deployers that are public authorities or EU bodies, and the fundamental rights impact assessment (Art. 27) applies to deployers governed by public law, private deployers providing public services, and deployers of the credit and insurance systems in Annex III points 5(b) and 5(c). For general-purpose AI models, the obligations sit with the model provider, not with the company deploying Einstein; your company as deployer still documents intended use, confirms oversight measures, and meets the Art. 50 transparency duties where Einstein generates content or interacts directly with people.
For Einstein features used in financial services or insurance contexts, see our EU AI Act financial services guide and EU AI Act insurance guide.
BetrVG and Works Council Requirements for Salesforce Einstein
For German companies, §87(1) No. 6 BetrVG gives the Betriebsrat (works council) a right of co-determination over any technical systems capable of monitoring employee behaviour or performance. Salesforce Einstein features that touch employee activity trigger this obligation.
Einstein features that typically require Betriebsrat involvement:
- Conversation Intelligence: Records, transcribes, and scores sales calls — directly monitors individual employee performance
- Einstein Activity Capture: Logs emails and calendar events, creating a systematic record of employee working patterns
- Sales Analytics dashboards: Where used to track individual sales representative metrics derived from Einstein scoring, rather than aggregate team performance
What co-determination means in practice:
- Notify your Betriebsrat of any planned Salesforce Einstein deployment before going live
- Provide a technical description of what data Einstein collects, processes, and stores about employees
- Negotiate a Betriebsvereinbarung (works agreement) governing the permissible use of Einstein analytics for personnel evaluation
- Restrict access to individual employee performance data within Einstein dashboards to agreed personnel only
Beyond §87 BetrVG, employee data processed by Salesforce Einstein is also subject to §26 BDSG, requiring a specific legal basis and strict proportionality review. Where a feature reaches the Annex III high-risk threshold, Art. 26(7) AI Act additionally requires the employer to inform workers’ representatives and the affected workers before the system is put into use at the workplace. Engage your Datenschutzbeauftragter (DPO) and Betriebsrat in parallel before enabling employee-facing Einstein features.
Einstein vs. Copilot for M365 vs. HubSpot Breeze AI — Compliance Comparison
| Criterion | Salesforce Einstein | Microsoft Copilot M365 | HubSpot Breeze AI |
|---|---|---|---|
| GDPR DPA available | Yes, standard pre-signed DPA | Yes, Microsoft Products and Services Data Protection Addendum | Yes, Data Processing Agreement |
| EU data residency | Yes, via Hyperforce (eligible plans) | Yes, EU Data Boundary | EU data hosting available for accounts provisioned in the EU region; confirm whether Breeze AI processing stays in the EU |
| AI Act risk (standard use) | Not high-risk; Art. 50 transparency duties where content is generated | Not high-risk; Art. 50 transparency duties where content is generated | Not high-risk in standard use |
| High-risk configurations | Conversation Intelligence, HR scoring | Copilot used for HR evaluation or credit analysis | Limited |
| Sub-processor transparency | Published list on Trust site | Published Online Services sub-processor list | Less granular |
| BetrVG relevance | High, Conversation Intelligence | High, M365 usage analytics | Lower |
Microsoft Copilot for M365 and Salesforce Einstein are broadly comparable in GDPR compliance posture: both offer EU data residency commitments and published DPAs. HubSpot offers EU data hosting for the CRM platform, but is less transparent about where Breeze AI processing happens and which sub-processors it involves, so obtain written confirmation before relying on it. For German enterprise procurement, Salesforce Hyperforce EU and Microsoft EU Data Boundary both provide contractual data localisation commitments, but the BetrVG obligation applies to both equally where employee-facing features are activated.
Checklist: Before You Deploy Salesforce Einstein
- Execute the Salesforce DPA/AVV: obtain the current version from Salesforce’s published legal agreements, countersign it, archive the completed copy, and confirm that it covers all Einstein products you plan to use
- Confirm EU data residency via Hyperforce — obtain written confirmation from Salesforce of your data center region and whether Einstein AI workloads fall within the EU scope
- Review the Salesforce sub-processor list — identify sub-processors involved in Einstein AI features, log legal transfer mechanisms, and document a Transfer Impact Assessment where third-country transfers are involved
- Update your Records of Processing Activities (RoPA) — add each active Einstein feature under Art. 30 GDPR with processing purposes, data categories, data subject groups, and retention periods
- Assess Art. 22 GDPR obligations — determine whether Einstein-driven decisions qualify as solely automated decisions with significant effects, and implement human review processes where required
- Classify each Einstein feature under the EU AI Act: assess the Annex III thresholds (and whether the Art. 6(3) exemption genuinely applies), document intended purpose and oversight measures, and, where a feature is high-risk and your company falls within Art. 27 (public-law bodies, providers of public services, and deployers of credit or insurance systems), complete a fundamental rights impact assessment before 2 August 2026
- Engage your Betriebsrat — notify and, where required, negotiate a Betriebsvereinbarung before activating Conversation Intelligence, Activity Capture, or individual performance analytics
- Conduct a DPIA if required — large-scale customer profiling, systematic employee monitoring, or automated decisions affecting individuals at scale are common DPIA triggers under Art. 35 GDPR
- Set up sub-processor monitoring — subscribe to Salesforce sub-processor change notifications and review the list at least annually
Frequently Asked Questions
Is Salesforce Einstein GDPR compliant?
Yes — with conditions. Salesforce Einstein is GDPR-compliant when the Salesforce DPA is signed, EU data residency is configured via Hyperforce, and each Einstein AI feature is individually assessed for Art. 22 GDPR automated decision-making risks and EU AI Act obligations. Each feature you activate requires its own compliance review, not just a single sign-off at account level.
Does Salesforce have a GDPR Data Processing Agreement?
Yes. Salesforce provides a standard DPA satisfying Art. 28 GDPR requirements, published among its legal agreements and pre-signed by Salesforce. Most subscriptions allow execution without individual negotiation. The DPA covers sub-processor management, SCCs for third-country transfers, and technical and organisational measures. German companies should archive the executed DPA and confirm it covers all Einstein features in scope.
What is Salesforce Hyperforce and does it keep data in the EU?
Salesforce Hyperforce is Salesforce’s infrastructure platform that enables data residency in specific geographic regions including the EU. For eligible subscriptions, Hyperforce keeps primary personal data within EU data centers. Not all Einstein AI workloads are automatically covered — request written confirmation from your Salesforce account team specifying your org’s data center and whether Einstein features fall within the EU residency scope.
Is Salesforce Einstein a high-risk AI system under the EU AI Act?
Most standard Einstein features are not high-risk under Annex III. However, Conversation Intelligence used for employee performance monitoring (Annex III point 4(b)), Einstein scoring applied to creditworthiness decisions in financial services (point 5(b)), and any Einstein feature used in recruitment screening (point 4(a)) can reach high-risk thresholds. Assess each deployed feature against Annex III before 2 August 2026, when the high-risk obligations for Annex III systems start to apply.
What sub-processors does Salesforce use for Einstein?
Salesforce uses major cloud infrastructure providers — AWS, Google Cloud, and Microsoft Azure — as sub-processors for parts of its infrastructure including Einstein workloads. The current sub-processor list is published on trust.salesforce.com. Review it at least annually, document all third-country transfers, and confirm the legal transfer mechanism for each.
Do I need a works council agreement for Salesforce Einstein?
Yes — if you activate Einstein features that monitor employee behaviour or performance, §87(1) No. 6 BetrVG requires Betriebsrat co-determination. This applies to Conversation Intelligence, Einstein Activity Capture, and dashboard analytics used to evaluate individual employee performance. Negotiate a Betriebsvereinbarung before going live with these features.
Can German SMEs use Salesforce without signing a DPA?
No. Every business, regardless of size, that uses Salesforce to process personal data of individuals in the EU must have the Salesforce DPA in place before processing begins. Salesforce provides a standardised pre-signed DPA that does not require individual negotiation, making the process accessible for smaller companies. The DPA obligation applies to all Salesforce products including Einstein AI features.
The information on this page is general guidance on Salesforce Einstein GDPR compliance and does not constitute legal advice. Your specific situation may require individual assessment. Contact Compound Law for a tailored Salesforce compliance review.