Parent Company: Salesforce Inc.
Headquarters: San Francisco, CA, United States
Jurisdiction: United States
CLOUD Act Status: Exposed
Canadian Data Residency: Available — Hyperforce Canada
Upper Harbour Risk Rating: Review Required

Hyperforce and Canadian infrastructure

Salesforce Hyperforce is the company's public cloud infrastructure initiative, built on top of major cloud providers (primarily AWS). Hyperforce enables Salesforce to offer regional data residency, including a Canadian region. Organizations on Hyperforce can have their Salesforce instance running on Canadian infrastructure, with data at rest in Canada.

This is a significant development — historically, Salesforce operated its own data centre infrastructure with limited regional options. Hyperforce expands Canadian organizations' ability to keep CRM data within national borders. However, migration to Hyperforce requires planning and may not be available for all Salesforce products simultaneously.

The jurisdictional limitation remains: Salesforce Inc. is incorporated in Delaware. Hyperforce changes where data sits, not who can be compelled to produce it.

The platform ecosystem problem

Salesforce's compliance challenge is not a single tool — it is the interconnected ecosystem. A typical Salesforce deployment includes: CRM data (contacts, leads, opportunities), Service Cloud case data (support tickets, customer communications), Marketing Cloud data (email lists, behavioural tracking, campaign data), Slack communications, Tableau analytics and dashboards, MuleSoft integration data flowing between systems, and AppExchange third-party applications.

Each of these products may have different data residency capabilities, different processing locations, and different contractual terms. A Canadian data residency commitment for Sales Cloud does not automatically extend to Marketing Cloud or Slack. Organizations must assess each product independently and understand where data flows between them.

Einstein AI and data processing

Salesforce Einstein provides AI-powered predictions, recommendations, and generative features across the platform. Einstein processes CRM data — customer information, communication history, deal data — through AI models. As with Microsoft Copilot and Google Gemini, the location of AI processing may differ from the location of data storage.

Salesforce has introduced an "Einstein Trust Layer" that includes data masking and prompt defense features. These are meaningful safeguards for AI-specific risks, but they do not change the jurisdictional exposure of the underlying platform.

Slack within Salesforce

Since Salesforce's acquisition of Slack, the two platforms are increasingly integrated. Slack notifications trigger from Salesforce events, CRM data surfaces in Slack channels, and workflows span both platforms. This means Slack's jurisdictional profile — US-only, no Canadian data residency — becomes part of the Salesforce compliance assessment.

An organization may have Canadian data residency for their Salesforce CRM data while the same data is visible in Slack channels stored on US infrastructure. The compliance assessment must account for data flowing between the two platforms.

Compliance requirements

The TIA for Salesforce should cover each product in use, not just "Salesforce" as a single entry. Document: which Salesforce products are deployed, whether each is on Hyperforce with Canadian residency, where data flows between products, whether Einstein AI is enabled and where processing occurs, and what data categories (including personal information) each product handles.

Salesforce provides comprehensive DPAs and has invested in compliance documentation. Leverage these — but document the specific configuration of your deployment, not the general capabilities of the platform.

BC public bodies — FIPPA compliance note

Salesforce is US-incorporated and subject to the CLOUD Act. BC public bodies using Salesforce with sensitive personal information — particularly citizen or client data — must complete a FIPPA privacy impact assessment. Salesforce offers a Canada data centre (Hyperforce Canada), but CLOUD Act exposure persists through the parent entity.