Plain-English risk rating: 2 of 5
Salesforce's AI products (Einstein for predictive features, Agentforce for agentic workflows) sit within Salesforce's enterprise-grade governance framework anchored by the Einstein Trust Layer. The Trust Layer is Salesforce's built-in mechanism for preventing agent prompts from being used to train external models, masking sensitive PII before it reaches an LLM, and logging all agent activity for audit purposes. As of late 2025, Salesforce's board formalised cybersecurity and AI deployment oversight in a dedicated Cybersecurity & Privacy Committee.
The risk picture for SMBs is dominated by three factors: (a) the September 2025 ForcedLeak disclosure (CVSS 9.4) which demonstrated that Agentforce's architecture is vulnerable to indirect prompt injection in ways the Einstein Trust Layer did not initially defend against, (b) the broader Salesforce ecosystem breaches affecting customer sites (ShinyHunters campaigns during 2025-2026, the Aura data breach affecting 900,000 records in March 2026), and (c) the high cost of entry that makes Salesforce impractical for most very small businesses.
Recommended for
- Sole proprietor: Not appropriate. Salesforce's pricing and complexity are designed for 10+ user organisations.
- Small team (10-50 people): Sales Cloud Professional or Enterprise with Einstein add-on. Einstein Trust Layer should be configured during deployment. If using Agentforce with Web-to-Lead forms, apply Salesforce's September 8, 2025 Trusted URLs Enforcement (post-ForcedLeak patch) and audit lead data for suspicious submissions.
- Regulated industry: Salesforce Health Cloud or Financial Services Cloud with appropriate compliance configuration; Government Cloud for US federal contractors.
- The honest answer for most 1-10 employee businesses: Salesforce is enterprise software with enterprise pricing and enterprise complexity. HubSpot or Pipedrive are typically better fits at this scale. Profile here for completeness and for the SMB segment that has scaled into Salesforce territory.
Critical pre-deployment warning (Agentforce indirect prompt injection)
This is the most important security configuration item for any business running Agentforce with Web-to-Lead enabled: apply Salesforce's Trusted URLs Enforcement (deployed September 8, 2025) and audit existing lead data for suspicious submissions.
The September 2025 ForcedLeak disclosure (CVSS 9.4, Noma Labs research) demonstrated that an attacker could submit a malicious Web-to-Lead form containing prompt-injection instructions in the 42,000-character Description field. When an employee later asked Agentforce to summarise the lead, the injected instructions executed, causing Agentforce to exfiltrate CRM data via image tags pointing to attacker-controlled domains. The vulnerability was made worse by Salesforce's Content Security Policy whitelist including an expired domain that researchers purchased for $5 to demonstrate the attack.
Salesforce patched by enforcing Trusted URL allowlists; existing Agentforce deployments need to verify the enforcement is active.
Data retention default
- Standard Salesforce retention per workspace configuration
- Einstein Trust Layer enforces zero-retention with third-party LLM providers
- All agent activity logged for audit purposes
- Data Cloud retention configurable per use case
Training opt-out
NO TRAINING ON CUSTOMER DATA BY DEFAULT. Einstein Trust Layer prevents agent prompts from being used to train external models. Contractual restrictions on third-party LLM providers (Anthropic, OpenAI) are enforced through the same layer. Optional opt-in for product-improvement data sharing is off by default.
Zero Data Retention availability
- Default via Einstein Trust Layer for third-party LLM processing
- PII masking applied before content reaches LLM providers
Plan tiers and pricing (as of early 2026)
| Tier | Price (USD) | AI features | Suitable for |
|---|---|---|---|
| Sales Cloud Professional | $80/user/month | Limited Einstein | Small Salesforce-committed teams |
| Sales Cloud Enterprise | $165/user/month | Standard Einstein | Mid-size teams |
| Sales Cloud Unlimited | $330/user/month | Full Einstein | Larger orgs |
| Einstein 1 Studio | $50/user/month add-on | Custom agent building | Teams building Agentforce |
| Agentforce | $2/conversation | Autonomous agents | Customer-facing AI deployment |
Jurisdiction
- Primary processor: Salesforce Inc., San Francisco, California, USA
- Cloud infrastructure: Salesforce-operated (Hyperforce) with regional residency options
- Third-party AI: Anthropic, OpenAI under Einstein Trust Layer zero-retention contracts
- SOC 2 Type II, ISO 27001, HIPAA (with BAA), FedRAMP Moderate (Government Cloud)
- Multi-region data residency available
Breach history (public incidents)
July-September 2025 — ForcedLeak (Noma Labs, CVSS 9.4)
The canonical Salesforce-AI security incident. Noma Labs disclosed ForcedLeak on September 25, 2025 after responsibly reporting it to Salesforce on July 28, 2025. Salesforce deployed Trusted URLs Enforcement on September 8, 2025 before public disclosure. CVSS severity 9.4 — comparable to the 9.3 EchoLeak in Microsoft 365 Copilot and the 9.6 CamoLeak in GitHub Copilot.
How it worked: An attacker submitted a Web-to-Lead form with prompt-injection instructions embedded in the 42,000-character Description field. When a Salesforce user later asked Agentforce to summarise the lead, the malicious instructions executed as if they were trusted prompts. Agentforce composed output containing an image tag referencing a Salesforce-CSP-allowlisted domain (which Noma researchers had acquired for $5 because it had expired and become available for purchase). The image request encoded exfiltrated CRM data in URL query parameters; the attacker's server logged the data while the AI agent saw only a normal image request.
For SMBs: this is the structural pattern that affects every agentic AI product. AI agents reading user-submitted content cannot reliably distinguish between data they should summarise and instructions they should execute. The patch closed the specific exfiltration vector but not the underlying class of vulnerability.
Sources: Noma Security blog (September 25, 2025); The Hacker News (September 26, 2025); The Register; Dark Reading; Dataconomy; SecurityAffairs; Nudge Security; Varonis; Infosecurity Magazine (March 2026 follow-up)
Ongoing 2025-2026 — ShinyHunters campaign against Salesforce Experience Cloud
The cybercriminal group ShinyHunters has conducted ongoing campaigns targeting Salesforce Experience Cloud sites during 2025-2026. The Aura data breach (March 2026, 900,000 records exposed) was one of the most-publicised incidents. The breaches are typically not Salesforce-platform compromises but rather customer-misconfiguration exposures.
Sources: Help Net Security (March 2026); TechRadar; SecurityWeek
Category-level risk: Agentforce's autonomous-agent capability puts it in the same prompt-injection risk class as Microsoft 365 Copilot (EchoLeak), GitHub Copilot (CamoLeak), and Cursor (NomShub). All four major agentic-AI products had CVSS 8+ disclosures during 2025. The structural lesson: defensive prompting and trust boundaries in agentic AI remain unsolved at the architectural level.
What this means in plain English for SMB owners
Three honest takeaways:
- Salesforce is enterprise software with enterprise-grade governance — but ForcedLeak demonstrated that enterprise-grade governance has not solved indirect prompt injection. The Trust Layer is real and meaningful for most workloads. It did not prevent the September 2025 disclosure. Apply Salesforce's patches promptly; audit existing data for injection payloads.
- Most 1-10 employee businesses are not the right fit for Salesforce. The pricing alone rules it out. HubSpot is the typical privacy-comparable, SMB-appropriate alternative.
- The Salesforce ecosystem breach pattern matters indirectly. ShinyHunters has demonstrated that customer-side misconfigurations are exploited at scale. The Einstein Trust Layer is a strong product; the admin configuration discipline (including post-ForcedLeak Trusted URLs Enforcement) is what determines whether your tenant joins next year's breach statistics.
Sources
- Salesforce 2026 Proxy Statement (SEC DEF 14A): Cybersecurity & Privacy Committee charter (verified 2026-05-24)
- Noma Security: ForcedLeak Agent Risks Exposed in Salesforce Agentforce (September 25, 2025)
- The Hacker News: Salesforce Patches Critical ForcedLeak Bug (September 26, 2025)
- The Register: Prompt injection and a $5 domain trick Salesforce Agentforce (September 26, 2025)
- Dark Reading: Salesforce AI Agents Forced to Leak Sensitive Data (September 25, 2025)
- Dataconomy; SecurityAffairs; Nudge Security; Varonis; Infosecurity Magazine
- MindStudio: Salesforce Agentforce Architecture (April 2026)
- Help Net Security: ShinyHunters Salesforce Aura data breach (March 2026)
- Salesforce official statement to Infosecurity and The Register on ForcedLeak patches
Related on AI Leakage
- Compare all 29 AI tools in the risk directory — see how Salesforce Einstein / Agentforce stacks up against the rest, tier by tier.
- Take the 5-minute “Am I Leaking?” check — a personalised view of your business’s AI exposure.
- Check a prompt before you paste it — our free Data-Safe Prompt Rewriter.
- Shadow AI vs AI leakage — why even approved tools like Salesforce Einstein / Agentforce can leak data.
- Get plain-English AI Leakage Alerts — we email you when an AI tool you use changes its data policy or has an incident.
- Get the free AI Acceptable Use Policy template — a plain-English policy with the tool-by-tool risk guide built in.