ComplianceCheckup

Is Salesforce GDPR Compliant?

Salesforce privacy and compliance overview. Last scanned: 14 days ago.

Salesforce scored 63/100 (grade D), indicating significant privacy issues. Key issues found: No CCPA/CPRA opt-out signals detected. CCPA/CPRA compliance requires more than disclosures. This score reflects observable signals only, not legal compliance. 2 security headers missing: Strict-Transport-Security (max-age >= 31536000), Content-Security-Policy. This is an automated technical assessment, not a legal compliance certification.

D

63/100

Privacy and compliance score

Scanned June 18, 2026 in browser mode.

CCPA / CPRA disclosures

0/8

No CCPA/CPRA opt-out signals detected. CCPA/CPRA compliance requires more than disclosures. This score reflects observable signals only, not legal compliance.

Security headers

4/10

2 security headers missing: Strict-Transport-Security (max-age >= 31536000), Content-Security-Policy.

Pre-consent tracking

12/23

Limited analytics detected before consent.

Cookie consent banner

8/12

Consent banner detected (OneTrust) with partial reject effectiveness.

Privacy policy

6/10

Privacy policy found but may be incomplete or outdated.

DPA and sub-processor list

3/7

No DPA or sub-processor list found.

AI training stance

5/5

No AI training disclosure found.

Hosting region disclosure

5/5

No data hosting region disclosure found.

COPPA signal

5/5

No COPPA language detected.

Accessibility (WCAG 2.x AA)

15/15

No critical or serious accessibility violations detected.

Does Salesforce self-report SOC 2, HIPAA, or PCI compliance?

The following is based on Salesforce's public documentation. ComplianceCheckup has not independently audited these claims.

StandardStatus
SOC 2Type II certified
HIPAABAA available
PCI DSSNot publicly documented for Salesforce
GDPRSee scan results above
CCPASee scan results above

Frequently asked questions about Salesforce compliance

Is Salesforce GDPR compliant?

Salesforce received a privacy grade of D (63/100) in our automated scan. No CCPA/CPRA opt-out signals detected. CCPA/CPRA compliance requires more than disclosures. This score reflects observable signals only, not legal compliance. 2 security headers missing: Strict-Transport-Security (max-age >= 31536000), Content-Security-Policy. For a complete GDPR assessment, consult a qualified privacy professional.

Does Salesforce offer a Data Processing Agreement (DPA)?

Yes. Salesforce provides a DPA linked in the Legal documents section above. Review it carefully and sign before transferring personal data.

Is Salesforce SOC 2 certified?

Salesforce holds a SOC 2 Type II certification.

Does Salesforce have a HIPAA Business Associate Agreement?

Yes. Salesforce publicly offers a HIPAA BAA. Check their legal or trust center page for the current BAA template.

What pre-consent tracking did we find on Salesforce?

Limited analytics detected before consent. Pre-consent tracking means scripts or cookies run before users accept or decline the cookie banner, which may violate GDPR Article 5(1)(a). ComplianceCheckup detected this via an automated headless browser scan.

What are Salesforce's biggest privacy risks?

Based on our automated scan, the top areas of concern are: Pre-consent tracking, Cookie consent banner, CCPA / CPRA disclosures. Limited analytics detected before consent. These findings are automated and may not capture all risks.

How does Salesforce handle CCPA?

No CCPA/CPRA opt-out signals detected. CCPA/CPRA compliance requires more than disclosures. This score reflects observable signals only, not legal compliance. CCPA requires businesses handling California residents' data to disclose data practices, honor opt-out requests, and support the Global Privacy Control (GPC) signal. Our scan checks for GPC support and CCPA-relevant cookie disclosures.

Not legal advice. The scan grade is an automated technical assessment and does not constitute legal or compliance advice. Self-reported claims have not been independently verified. Results may contain false positives or miss issues that cannot be detected programmatically. Consult a qualified attorney or compliance professional for your specific situation.