Salesforce Einstein GPT
Enterprise-Ready
This vendor is rated Enterprise-Ready with a score of 89 out of 100. Strong evidence includes confirmed SOC 2 and ISO certifications (FEDRAMP HIGH, HIPAA, ISO 27001, ISO 27017) available via the vendor's trust portal. A material gap is the absence of a security.txt vulnerability disclosure policy. The buyer should request the audit report for the confirmed certifications and inquire about the vendor's vulnerability disclosure process.
Readiness Breakdown deterministic · evidence-only
- Independent Certification SOC 2 / ISO certifications confirmed via the vendor's trust portal (FEDRAMP HIGH, HIPAA, ISO 27001, ISO 27017). Audit report available under NDA — standard enterprise practice.
- Vendor-Stated Compliance Vendor states (cited, not independently audited): BAA Available (HIPAA), GDPR, HIPAA, ISO 27001, SOC 2.
- Customer-Data Training Enterprise terms: does NOT train on customer data (consumer/free tiers may differ — see breakdown).
- Data Processing Agreement A Data Processing Agreement is published and tracked.
- Breach History No known breaches in Have I Been Pwned.
- Vulnerability Exposure No product identity match in vulnerability databases — not assessed.
- Email Spoofing Protection (DMARC) DMARC enforced — domain spoofing mitigated.
- Vulnerability Disclosure Policy No security.txt vulnerability disclosure policy found.
- Web TLS Certificate Valid TLS certificate in place.
- Legal Transparency 9 legal/policy documents publicly tracked.
Ask This in Your Security Review 2 open items
- Vulnerability ExposureRequest the remediation timeline / patch status for known CVEs (and any KEV-listed items).
- Vulnerability Disclosure PolicyConfirm a coordinated vulnerability disclosure / security.txt contact.
Compliance Posture vendor-stated · cited
| Framework | Status | Source |
|---|---|---|
| BAA Available (HIPAA) | Stated by vendor | https://www.salesforce.com/content/dam/web/en_us/www/documents/legal/Agreements/data-processing-addendum.pdf |
| GDPR | Stated by vendor | https://www.salesforce.com/company/privacy/ |
| HIPAA | Stated by vendor | https://www.salesforce.com/company/privacy/ |
| ISO 27001 | Stated by vendor | https://compliance.salesforce.com/en |
| SOC 2 | Stated by vendor | https://compliance.salesforce.com/en |
Data & Contract Facts deterministic · cited
| Attribute | Value | Source |
|---|---|---|
| Sub-processors (published list) | View document → | https://www.salesforce.com/company/legal/trust-and-compliance-documentation/ |
| Trains on Customer Data key clause |
Enterprise:
does not train
Einstein Trust Layer: zero data retention with third-party LLMs (OpenAI/Azure); Salesforce does not use Customer Data to train generative AI models. Future training would require explicit customer opt-in.
cited →
|
see per-tier citations |
Security Posture authoritative · cited
Certifications Available Under NDA / Trust Center attested · report gated
| Certification | Status | Trust Center |
|---|---|---|
| FEDRAMP HIGH | Available via Trust Center | https://marketplace.fedramp.gov/products/FR1824807631 |
| HIPAA | Available via Trust Center | https://trust.salesforce.com/ |
| ISO 27001 | Available via Trust Center | https://compliance.salesforce.com/categories/iso-27001 |
| ISO 27017 | Available via Trust Center | https://trust.salesforce.com/ |
| ISO 27018 | Available via Trust Center | https://trust.salesforce.com/ |
| PCI DSS | Available via Trust Center | https://trust.salesforce.com/ |
| SOC2 TYPE2 | Available via Trust Center | https://trust.salesforce.com/ |
Common compliance questions
Tracked Legal & Policy Documents
How to Obtain Non-Public Documents
These documents were not found at a public URL — which is normal. Many are provided on request, only on enterprise plans, or via the vendor's trust portal. Here is where each lives and what to do to get it.
| Document | Availability | How to obtain |
|---|---|---|
| Service Level Agreement (SLA) | Enterprise tier | A formal uptime/support SLA is generally offered only on enterprise/paid plans and attached to the order form. Ask sales for the SLA exhibit or check the enterprise pricing page; the trust center often summarises uptime commitments. Trust center → |
Continuous Monitoring change-tracking active
6 legal & policy documents under change-monitoring since 2026-06-11. Baseline captured — future revisions will be flagged.
Search the Legal Documents verbatim · cited
Search Salesforce Einstein GPT's captured Terms, DPA, Privacy Policy and sub-processor list. Results are the exact clauses from the source documents, each with a link to where it lives. No summary, no interpretation — just the wording on the record. If nothing matches, we say so rather than guess.
Every result is a verbatim clause pulled straight from the linked source document — nothing is paraphrased or generated.
Monitor Salesforce Einstein GPT — get alerted when this changes
This brief is a point-in-time snapshot. Vendors quietly revise their DPA, sub-processors, certifications and security posture — and disclose new CVEs. Get a priority email the moment Salesforce Einstein GPT changes something that affects your risk. Built for procurement & security teams.