Salesforce Trust

Global Privacy Law Landscape
Over the past several years, numerous laws and frameworks have emerged globally that govern the handling of personal information, including the following:
United States
  • Healthcare Insurance Portability and Accountability Act of 1996 (HIPAA)
  • Financial Modernization Act of 1999 or Gramm-Leach-Bliley Act (GLB)
  • Numerous state breach notification laws
Canada
  • Personal Information Protection and Electronic Documents Act of 2000 (PIPEDA)
  • Numerous provincial privacy laws affecting the public and private sectors
European Union
  • Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (EU Data Protection Directive)
Asia Pacific
  • Japan Law on Protection of Personal Information of 2003
  • Asia-Pacific Economic Cooperation (APEC) Privacy Framework
Although the requirements of these laws and frameworks vary greatly, some common themes have emerged, such as notice, choice, access, and security.
Notice: What information must be provided to individuals about how their data may be used and who it may be shared with? When must this notice be provided to individuals? In what manner must this notice be provided?
Choice: What choices are individuals offered in terms of what information about them is collected and how such information is used?
Access: Are individuals given the opportunity to access information maintained about them? Can individuals request that their information be amended or deleted?
Security: Are organizations that handle personal information required to protect such information using administrative, technical, and physical safeguards?
salesforce.com's customers solely determine what data is submitted to the salesforce.com service as customer data. With respect to such data, salesforce.com acts as a data processor. In our role as a processor of customer data, salesforce.com addresses the general privacy principles described above in the following ways:
Notice, Choice & Access: salesforce.com generally does not have a direct relationship with individuals whose personal data is submitted by customers to the service as customer data. salesforce.com does not collect personal information on behalf of our customers, and salesforce.com does not determine how our customers use such data. Additionally, salesforce.com's customer contracts generally prohibit salesforce.com from accessing customer data except under limited circumstances. Compliance with the Notice, Choice, and Access principles is based on cooperation between salesforce.com and our customers. For example, salesforce.com's contracts with our customers state that customers are responsible for the accuracy, quality, integrity, reliability, and appropriateness of data submitted to the service and that customers must comply with applicable laws in using the service.
Security: salesforce.com maintains appropriate administrative, physical, and technical safeguards to help protect the security, confidentiality, and integrity of data our customers submit to the service as customer data. salesforce.com's customers are responsible for ensuring the security of their customer data in their use of the service.