Vendor compliance profile
Is Salesforce HIPAA compliant?
Salesforce can support HIPAA-regulated workflows only within the covered Salesforce services, with the required features configured, and within the scope of the signed contract. Verify the current Business Associate Addendum restrictions, the HIPAA covered-services list, any Shield or Health Cloud requirements, and every connected integration before storing or processing PHI.
HIPAA status signal
Conditional
BAA public signal
Covered services only
SOC 2 evidence signal
Public evidence
PHI warning: CRM fields, notes, tasks, Chatter, email sync, Einstein features, Slack, Marketing Cloud, support cases, APIs, and third-party AppExchange apps can all create PHI exposure.
HIPAA, BAA, and SOC 2 summary
| Topic | Summary |
|---|---|
| HIPAA | Salesforce's compliance site says customers building healthcare applications on Salesforce can contact their account representative regarding a BAA and should review current BAA restrictions and HIPAA covered services. |
| BAA | BAA availability depends on the exact Salesforce product, infrastructure, edition, and covered-service scope. Some adjacent features may need to be disabled or excluded. |
| SOC 2 | Salesforce publishes SOC 2 categories and product-specific compliance documents through the Salesforce Compliance site. Review the current report for the services in use. |
| Category | HIPAA-Compliant CRM and Marketing Tools |
What it may be used for
- General business workflows that do not include PHI.
- Healthcare-adjacent operations after BAA scope and configuration have been verified.
- Vendor risk review, procurement research, and compliance planning.
What not to use it for
- Putting PHI into Salesforce products or features that are not covered by the BAA.
- Using email capture, inbox sync, AI, marketing, messaging, or analytics features without covered-service confirmation.
- Assuming Health Cloud claims apply to Sales Cloud, Service Cloud, Marketing Cloud, Slack, Tableau, or every Salesforce add-on.
What to verify with the vendor
- Whether the vendor will sign a BAA for your exact product, plan, and use case.
- Which services, add-ons, regions, and support channels are covered by the agreement.
- Whether your intended workflow stores, transmits, or processes PHI.
- Which admin, access control, retention, audit log, and encryption settings must be enabled, including whether the covered-service scope requires Shield add-ons such as Platform Encryption, Event Monitoring, or Field Audit Trail.
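Encryption state is one of the settings above that can be checked directly rather than taken on trust: the Salesforce REST `sobjects/<Object>/describe` response carries an `encrypted` flag per field, set when Shield Platform Encryption protects that field. The script below is an added example, not code from the page or from Salesforce, that audits a describe payload for PHI-candidate fields that are not encrypted. The describe sample is constructed, and the list of field-name hints used to spot PHI candidates is an assumption for illustration; your own data classification decides which fields actually hold PHI.

```python
"""Audit a Salesforce sObject describe payload for PHI-candidate fields
that are not protected by Shield Platform Encryption.

Added example; the sample describe payload is constructed and mirrors the
shape of the REST API describe response (a "fields" list whose entries carry
"name", "type" and an "encrypted" boolean).
"""
import json
import urllib.request

# Field-name fragments treated as PHI indicators in this example.
# Assumption for illustration only: replace with your own classification.
PHI_FIELD_HINTS = ("ssn", "birthdate", "diagnosis", "medical", "mrn", "insurance")

# Constructed sample describe payload for the Contact object.
SAMPLE_DESCRIBE = json.dumps({
    "name": "Contact",
    "fields": [
        {"name": "Name", "type": "string", "encrypted": False},
        {"name": "Birthdate", "type": "date", "encrypted": False},
        {"name": "SSN__c", "type": "string", "encrypted": True},
        {"name": "Diagnosis_Notes__c", "type": "textarea", "encrypted": False},
        {"name": "Phone", "type": "phone", "encrypted": False},
    ],
})


def phi_candidate(field_name: str) -> bool:
    """True when the field name contains one of the PHI hint fragments."""
    lower = field_name.lower()
    return any(hint in lower for hint in PHI_FIELD_HINTS)


def unencrypted_phi_fields(describe_json: str) -> list[str]:
    """Return PHI-candidate field names whose describe entry is not
    flagged as encrypted by Shield Platform Encryption.

    Note: classic encrypted text fields appear with type "encryptedstring"
    rather than the "encrypted" flag; they are a different feature and are
    deliberately not treated as Shield-protected here.
    """
    describe = json.loads(describe_json)
    return sorted(
        field["name"]
        for field in describe.get("fields", [])
        if phi_candidate(field["name"]) and not field.get("encrypted", False)
    )


def fetch_describe(instance_url: str, access_token: str,
                   sobject: str, api_version: str = "60.0") -> str:
    """Fetch a live describe payload from an org (not used by the offline
    sample). Assumes a valid OAuth access token for that org."""
    url = f"{instance_url}/services/data/v{api_version}/sobjects/{sobject}/describe"
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {access_token}"})
    with urllib.request.urlopen(req) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    gaps = unencrypted_phi_fields(SAMPLE_DESCRIBE)
    for name in gaps:
        print(f"UNENCRYPTED PHI CANDIDATE: {name}")
    # Against the constructed sample this lists Birthdate and Diagnosis_Notes__c.
```

Run it against every object that holds PHI (Contact, Case, custom health objects), and treat any reported field as either a configuration gap or a field that must be re-scoped out of PHI use; the `encrypted` flag only tells you that Shield encryption is applied, not that the object, feature, or integration writing to it is inside the BAA covered-service scope.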
Safer alternatives and related profiles
FAQ
Is Salesforce HIPAA compliant?
Salesforce can support HIPAA-regulated workflows only within the covered Salesforce services, with the required features configured, and within the scope of the signed contract. Verify the current Business Associate Addendum restrictions, the HIPAA covered-services list, any Shield or Health Cloud requirements, and every connected integration before storing or processing PHI.
Will Salesforce sign a BAA?
BAA availability depends on the exact Salesforce product, infrastructure, edition, and covered-service scope. Some adjacent features may need to be disabled or excluded.
Can Salesforce be used with PHI?
Do not use this vendor with PHI until your organization verifies BAA scope, covered services, configuration, access controls, data retention, and connected integrations.
Last checked and source notes
- Last checked: 2026-04-30
- Confidence: High
- Dataset rows: 267 vendors
- Source: ComplySaaS public vendor dataset entry.
- Vendor trust center, legal terms, BAA documentation, and covered services should be re-checked before use.
- Salesforce HIPAA compliance
- Salesforce SOC 2 compliance
- Salesforce trust documentation