Is Salesforce Einstein safe with your data?

Salesforce Einstein

Salesforce

83/100

Good disclosure · high confidence

Largely yes. Salesforce Einstein earns a B (83/100) for what it discloses about your data: the Trust Layer states that zero data retention is a strict policy: prompts and generated responses are never stored or used to train the underlying third-party large language models, and PII is masked before the prompt reaches the model.

of 69 apps ranked

score · Enterprise copilot avg 60

+23

vs category average

Grade scaleA · 85–100B · 70–84C · 55–69D · 40–54F · 0–39

Salesforce Einstein sits at the top of the B band because it guarantees zero data retention for AI prompts, states clearly that the customer owns the data, and lists every data-subject right. It misses an A because controller-side retention timing is vague, the security language is generic, and the policy is silent on breach notification and government access standards.

What Salesforce Einstein's privacy policy says about your data

AI prompts never stored or trained on

The Trust Layer states that zero data retention is a strict policy: prompts and generated responses are never stored or used to train the underlying third-party large language models, and PII is masked before the prompt reaches the model.

Customer owns the data and outputs

Salesforce commits that the data it manages does not belong to Salesforce, it belongs to the customer. Permission-aware dynamic grounding then limits the model to customer-approved sources.

Full rights and named transfer safeguards

Section 10 grants access, rectification, erasure, restriction, portability, and objection. Section 7 names SCCs under Article 46 plus EU-US, Swiss-US, and UK DPF certification for international transfers.

Weak spots on retention timing and breach notice

Controller-side retention is described only as 'as long as required' with deletion after applicable retention periods and no number, security is described in generic terms, and the policy says nothing about breach notification or any government access standard.

What the policy is silent or vague on

Doesn't clearly: says whether training use differs by plan or tier
Doesn't clearly: states a standard for government and law-enforcement access
Doesn't clearly: commits to breach notification
Only partly: states a deletion timeline after closure or request

Salesforce Einstein privacy rating

Training-data use3 of 4 disclosed

Keeps user inputs out of model training, or makes training opt-inDisclosed

Names a way to opt out of or into trainingDisclosed

Says whether training use differs by plan or tierSilent

Lets the user keep ownership of generated outputsDisclosed

Data-subject rights5 of 5 disclosed

Grants a right to access your dataDisclosed

Grants a right to delete your dataDisclosed

Offers data portability in a usable formatDisclosed

Grants a right to correct your dataDisclosed

Grants a way to object to or opt out of processingDisclosed

Retention and deletion3 of 4 disclosed

States a retention period for your dataDisclosed

States a deletion timeline after closure or requestDisclosed

Sets a shorter retention for AI conversation logsDisclosed

Commits to collecting only the data it needsDisclosed

Third-party sharing2 of 5 disclosed

Lists the categories of third parties it shares withDisclosed

References a sub-processor list or data processing agreementDisclosed

Does not sell or share data for advertising, or offers opt-outDisclosed

Names a safeguard for international data transfersDisclosed

States a standard for government and law-enforcement accessSilent

Transparency4 of 4 disclosed

Discloses that you are interacting with AIDisclosed

Marks AI-generated or synthetic outputNot applicable

Enumerates the categories of data it collectsDisclosed

Maps processing purposes to legal basesDisclosed

Is versioned and dated, with change noticeDisclosed

Sensitive data and children3 of 3 disclosed

Discloses automated decisions and a human-review pathDisclosed

Limits the use of special-category dataDisclosed

Governs biometric data specificallyNot applicable

States protections for children's dataDisclosed

Security and accountability1 of 3 disclosed

Describes its security safeguardsDisclosed

Commits to breach notificationSilent

Names a certification or a privacy contactDisclosed

DisclosedPartialSilentAdverseNot applicable

Details

Category: Enterprise copilot
Modalities: text
Processes biometrics: No
Policy last updated: 2026-05-19
Region scored: Global / US-default
Assessed: 2026-06-20

Read Salesforce Einstein's privacy policy

Other enterprise copilot apps

Each grade reflects our analysis of what an app states in its public privacy policy and terms as of the assessment date. It measures the transparency of those documents, not the company's actual data practices, security, or compliance. Grades are our opinion, offered for general information. Full disclaimer.