For certain Services, for which we act as a data processor, Salesforce has certified under the EU-U.S. and Swiss-U.S. Privacy Shield frameworks. For more details about the scope of the certification see here. The Privacy Shield frameworks were designed by the U.S. Department of Commerce, European Commission and Swiss Administration to provide companies on both sides of the Atlantic with a mechanism to comply with EU and Swiss data protection requirements when transferring personal data from the European Union and Switzerland to the United States, but have since been held by the the Court of Justice of the European Union and the Federal Data Protection and Information Commissioner (FDPIC) of Switzerland to be invalid. Additional information can be found at https://www.privacyshield.gov/Program-Overview.
EU and Swiss personal data may however still be transferred to and within Salesforce’s services pursuant to Salesforce’s Processor Binding Corporate Rules and the European Commission’s standard contractual clauses, both of which are incorporated by reference into Salesforce’s Data Processing Addendum. For further information, please see our International Transfers of EU Personal Data to Salesforce's Services document.