Salesforce Einstein / Agentforce
Salesforce, Inc. · EFROS US AI Vendor Governance Index entry
Composite governance score
C = mixed posture. Acceptable for non-regulated use; requires meaningful additional controls in regulated workloads.
About this vendor
AI and agent infrastructure built into Salesforce CRM. The Einstein Trust Layer enforces no-train, masking, and audit logging at the platform level.
- Enterprise tier: Einstein 1 Platform, Agentforce, Einstein Trust Layer (included in core Salesforce licenses)
- Vendor homepage: https://www.salesforce.com/products/einstein
- Trust center: https://compliance.salesforce.com
Twelve-axis governance scoring
Each axis is scored Yes / Partial / No / N/A against public evidence — vendor trust portals, BAAs/DPAs, SOC 2 report cover pages, published methodology documents. N/A applies when the axis is structurally inapplicable (foundation models, for example, defer Section 1557 to the downstream healthcare deployer).
| Axis | Status | EFROS note | Source |
|---|---|---|---|
| BAA / DPA available | Yes | BAA available under Salesforce Health Cloud and applicable to Einstein/Agentforce within the BAA-covered environment. | Salesforce HIPAA compliance |
| Training-data opt-out | Yes | Einstein Trust Layer enforces zero data retention by the underlying LLM provider. Customer data never used for model training. | Einstein Trust Layer |
| US data residency option | Yes | Salesforce supports US data residency through US-based Hyperforce regions. Customer-configurable. | Salesforce Hyperforce |
| SOC 2 Type II report | Yes | Salesforce holds SOC 2 Type II, SOC 1, ISO 27001/17/18, FedRAMP, and additional sector certifications. | Salesforce Compliance |
| ISO/IEC 42001 attestation | No | No ISO/IEC 42001 attestation for Einstein/Agentforce as of May 2026. | Salesforce Compliance |
| NIST AI RMF self-attestation | Partial | Salesforce publishes a Trusted AI Principles framework with explicit mapping to NIST AI RMF functions. No formal self-attestation document. | Salesforce Trusted AI |
| Colorado AI Act readiness | No | No Colorado AI Act-specific public statement; Salesforce documents the deployer responsibility model. | Public posture review |
| HHS-OCR Section 1557 readiness | Partial | BAA available; Section 1557 compliance for clinical decision support is deployer responsibility. Salesforce Health Cloud documents the technical controls. | Salesforce Health Cloud compliance |
| FRB SR 11-7 readiness | Partial | Salesforce Financial Services Cloud documents model risk controls; SR 11-7 validation is deployer responsibility. | Salesforce Financial Services compliance |
| ABA Formal Op 512 readiness | N/A | Not legal-vertical positioned. | Salesforce positioning review |
| Subprocessor list public | Yes | Salesforce subprocessor list public and granular. | Salesforce Subprocessors |
Trust-center maturity
Mature compliance portal at compliance.salesforce.com — public certificates, subprocessor list, audit reports, sector-specific BAA addenda.
Source: Salesforce Compliance
Deep dive
Overview
Salesforce's governance posture is one of the strongest in the enterprise category because Einstein/Agentforce inherits the Salesforce platform compliance stack — BAA, US residency, FedRAMP, SOC 2, granular subprocessors. The Einstein Trust Layer's zero-retention enforcement at the LLM-provider boundary is operationally meaningful. The gap is sector-specific posture: deployers still own clinical or financial validation work.
Strengths
- BAA, US residency, FedRAMP — full platform compliance stack
- Einstein Trust Layer enforces zero LLM-provider retention
- Most mature compliance portal in the productivity category
- Vertical Cloud (Health, Financial Services) integration
Weaknesses
- No ISO/IEC 42001
- No Colorado AI Act-specific statement
- Section 1557 / SR 11-7 readiness is deployer-side
Best-fit use case
Salesforce-standardized organizations rolling out Agentforce within existing Health Cloud / Financial Services Cloud / Einstein Trust Layer configuration — governance inherits cleanly from the platform.
Avoid when
Organizations without an existing Salesforce platform — the value of Einstein governance depends entirely on platform standardization.
Operator's take
Deploy Salesforce Einstein / Agentforce in Salesforce-standardized organizations that are rolling out Agentforce within an existing Health Cloud / Financial Services Cloud / Einstein Trust Layer configuration, where governance inherits cleanly from the platform. The composite score of 69 (grade C) reflects a mixed posture for regulated US workloads. Skip the vendor in organizations without an existing Salesforce platform: the value of Einstein governance depends entirely on platform standardization. In every deployment, treat the cells above as a snapshot; the acquisition that gets to production safely is the one that re-verifies the trust-center posture before contract signature and rebuilds the matrix at renewal.
How this scoring is computed
The composite score blends eleven scorable axes (BAA, training opt-out, US data residency, SOC 2, ISO/IEC 42001, NIST AI RMF, Colorado AI Act, Section 1557, SR 11-7, ABA Op 512, subprocessor transparency) with the trust-center maturity score. Axes marked N/A are excluded from the denominator so vendors are not penalized for sector-inapplicable axes. The vendor's primary sector amplifies the most relevant axes — healthcare vendors weight Section 1557 ×2, legal vendors weight ABA Op 512 ×2, banking vendors weight SR 11-7 ×2 — so the composite reflects what matters in the actual buying context.
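As an added illustration of the denominator-exclusion and sector-weighting rules described above, using the axis statuses from this entry's table (this is not EFROS's published scoring code). The Yes/Partial/No numeric mapping, the trust-center maturity value and weight, and the 0-100 scaling are assumptions the page does not publish, so the result is not expected to reproduce the published 69.

```python
from typing import Dict, Optional, Tuple

# ASSUMPTION: numeric value per cell status; the page does not publish this mapping.
STATUS_VALUE: Dict[str, Optional[float]] = {
    "Yes": 1.0, "Partial": 0.5, "No": 0.0, "N/A": None,
}

# Sector -> axis weighted x2, exactly as the methodology text states.
SECTOR_WEIGHTS: Dict[str, Dict[str, float]] = {
    "healthcare": {"Section 1557": 2.0},
    "legal": {"ABA Op 512": 2.0},
    "banking": {"SR 11-7": 2.0},
}

# Statuses copied from the Salesforce Einstein / Agentforce table on this page.
SALESFORCE_AXES: Dict[str, str] = {
    "BAA / DPA": "Yes",
    "Training opt-out": "Yes",
    "US data residency": "Yes",
    "SOC 2 Type II": "Yes",
    "ISO/IEC 42001": "No",
    "NIST AI RMF": "Partial",
    "Colorado AI Act": "No",
    "Section 1557": "Partial",
    "SR 11-7": "Partial",
    "ABA Op 512": "N/A",
    "Subprocessor list": "Yes",
}


def composite_score(axes: Dict[str, str], sector: str,
                    trust_center: float = 1.0,
                    trust_center_weight: float = 1.0) -> Tuple[float, float]:
    """Return (score on 0..100, effective denominator).

    N/A axes are dropped before weighting, so a sector's x2 weight has no
    effect when its focus axis is N/A. Trust-center maturity (assumed 0..1)
    is blended in as one extra weighted term."""
    weights = SECTOR_WEIGHTS.get(sector, {})
    numerator = denominator = 0.0
    for axis, status in axes.items():
        value = STATUS_VALUE[status]
        if value is None:  # structurally inapplicable: not in the denominator
            continue
        w = weights.get(axis, 1.0)
        numerator += w * value
        denominator += w
    numerator += trust_center_weight * trust_center
    denominator += trust_center_weight
    return round(100 * numerator / denominator, 1), denominator
```

Under these assumptions the legal weighting leaves the score unchanged, because ABA Op 512 is N/A for this vendor and is excluded before the ×2 is applied.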
Disagree with this scoring?
EFROS publishes scoring rationale per cell with a public source. If you have evidence that a specific axis should score differently — a new BAA, a new certification, a documented policy change — submit a formal challenge below. We re-score and publish the result with the next quarterly edition (or as a mid-quarter changelog entry if the change is material).
Disagree with a score?
Every cell in the EFROS Index is source-cited. If you have a public source that contradicts a score for Salesforce Einstein / Agentforce, submit a formal challenge — we re-verify against the source and respond within 14 days.