2026-05-09·13 min read

Salesforce EU Alternative 2026: CLOUD Act Exposure, Hyperforce EU Limitations, and CRM Options That Keep Customer Data in Europe

Post #940 in the sota.io EU Cyber Compliance Series | EU-CRM-SERIE Post #1


CRM systems are not passive data stores. They are the operational core of customer relationships — holding every contact record, deal stage, support ticket, marketing interaction, and revenue forecast your business generates. When a customer buys from you, complains to you, or receives a proposal from your sales team, that event lands in your CRM. The data is intimate: billing addresses, phone numbers, email histories, conversation transcripts, negotiation notes, payment terms, and in B2C contexts, health preferences, family situations, or employment details that customers volunteered during a sales process.

Salesforce is the dominant CRM worldwide, and for EU businesses deploying it, the regulatory question is not just about GDPR's data minimisation obligations. It is about who else — beyond your organisation and Salesforce — can legally access that data. The answer involves a nineteen-word federal statute: 18 U.S.C. § 2713, the provision that makes the CLOUD Act one of the most consequential laws ever written for EU cloud infrastructure decisions.


Salesforce, Inc.: Delaware Corporation, CLOUD Act Jurisdiction

Salesforce, Inc. was incorporated in Delaware in 1999 and is headquartered in Salesforce Tower, San Francisco, California. It is publicly traded on the New York Stock Exchange under the ticker CRM. Its 2023 annual revenue exceeded $31 billion. Every contractual relationship European enterprise customers maintain is with Salesforce, Inc. or its wholly-owned subsidiaries — entities that are "US persons" under federal law.

The CLOUD Act, enacted in 2018, amended the Stored Communications Act to clarify — and expand — the extraterritorial reach of US law enforcement data demands. Under 18 U.S.C. § 2713, a US electronic communications provider must comply with a warrant or court order to produce data "regardless of whether such communication, record, or other information is located within or outside of the United States."

The geographical location of data is legally irrelevant to CLOUD Act compelled disclosure. If Salesforce stores your customer data in Frankfurt, it remains accessible to US federal authorities through a CLOUD Act order. The data does not need to cross a border for the obligation to apply — only the company holding it needs to be a US person, which Salesforce, Inc. unambiguously is.

The EU-US Data Privacy Framework Does Not Limit CLOUD Act

A common misconception in enterprise procurement conversations is that the EU-US Data Privacy Framework (DPF), adopted in 2023, resolved the surveillance access problem that invalidated Privacy Shield in Schrems II. The DPF introduced enhanced protections for commercial privacy processing and created the Data Protection Review Court for EU individuals to challenge US intelligence access. It did not limit CLOUD Act law enforcement access. Law enforcement demands under the CLOUD Act are distinct from intelligence collection under FISA Section 702 — the DPF addresses the intelligence side, not the law enforcement side. The two channels remain separate, and CLOUD Act orders continue to operate without DPF restriction.

For EU businesses, the practical implication is that Salesforce can be compelled to produce EU customer data through a US federal court order without notifying the data subject, without requiring EU judicial approval, and without the EU data protection authorities having any procedural role. The Standard Contractual Clauses in Salesforce's Data Processing Addendum do not alter this — SCCs are a mechanism for lawful transfer to a third country, not a shield against compelled disclosure once data has been transferred.


Hyperforce EU: What It Promises Versus What It Delivers

In 2021, Salesforce announced Hyperforce — a re-architecture of its infrastructure designed to run on major public cloud providers, initially AWS and Azure, and later Google Cloud. In the European context, Salesforce markets Hyperforce EU as a data residency solution that keeps customer data within EU boundaries.

Hyperforce EU delivers on its narrow promise: data at rest and in transit stays within EU-region cloud infrastructure, and Salesforce contractually commits to not transferring that data outside the EU without customer consent. For the specific GDPR obligations around international data transfers under Articles 44-49, Hyperforce EU plus SCCs satisfies the transfer mechanism requirement.

What Hyperforce EU does not change is the jurisdictional status of Salesforce, Inc. as a US person subject to the CLOUD Act. The company remains incorporated in Delaware. Its officers remain subject to US law. A CLOUD Act warrant directed at Salesforce does not require data to be physically moved to the US before it can be accessed — it requires Salesforce to produce the data, and Salesforce's legal obligation to comply arises from its US incorporation, not the physical location of its servers.

This is not a theoretical risk. In the years since the CLOUD Act's passage, US prosecutors have used it to obtain data from major cloud providers held in non-US datacentres. The legal standard for a CLOUD Act order in domestic criminal matters is probable cause — the same standard as a domestic warrant. There is no requirement to demonstrate that the target is a US person or that the alleged crime involves the United States beyond the US person status of the provider.

Hyperforce EU and the Salesforce Product Portfolio

A further limitation of Hyperforce EU is that it does not cover the entire Salesforce product portfolio. Salesforce's core CRM products (Sales Cloud, Service Cloud) are covered by Hyperforce EU data residency commitments. However, a number of adjacent products that many enterprises rely on operate on different terms:

Marketing Cloud (formerly ExactTarget): Salesforce Marketing Cloud was acquired in 2013 for $2.5 billion. Its infrastructure has been progressively migrated to Hyperforce but the timeline for full EU data residency across all Marketing Cloud features has not been publicly completed as of 2026. Email send infrastructure and contact data for marketing campaigns may process outside the EU depending on the specific Marketing Cloud product tier and data centre configuration.

Tableau: Acquired in 2019 for $15.7 billion, Tableau remains on separate infrastructure from Salesforce core. Business intelligence and analytics workloads processed through Tableau may not benefit from Hyperforce EU data residency commitments.

Slack: Acquired in 2021 for $27.7 billion, Slack operates its own infrastructure separate from Salesforce's Hyperforce architecture. Slack's EU data residency offering exists but operates on different contractual terms. A business using Salesforce CRM integrated with Slack — a common enterprise configuration — may find that customer conversation data flowing into Slack exists outside its Hyperforce EU envelope.

Einstein AI and Salesforce AI Cloud: Salesforce's AI features — Einstein Copilot, Einstein Predictions, lead scoring, opportunity insights — process CRM data to generate their outputs. AI model training and inference workloads raise distinct questions about where computation occurs and what data is retained for model improvement. Salesforce's AI terms permit use of customer data for "improving and maintaining" Salesforce services, subject to opt-out provisions that require explicit configuration.


What Data Salesforce Holds: Why CRM Data Is High-Stakes

To understand the CLOUD Act exposure, it helps to enumerate what Salesforce actually holds for a typical enterprise customer.

Contact records: Full name, email address, phone number, job title, employer, physical address. These are personal data under GDPR Article 4(1) in their simplest form.

Account records: Company-level data that, in B2B contexts, includes the names and contact details of individual employees, procurement decision-makers, and financial contacts.

Opportunity records: Deal values, probability estimates, close date forecasts, notes from sales calls. In aggregate, opportunity pipelines represent commercially sensitive intelligence about a business's revenue trajectory.

Case records (Service Cloud): Customer support tickets contain whatever problem description the customer chose to share. In regulated industries, this may include health information (a patient describing a symptom to a healthcare company's support team), financial account details, or identity verification information provided during account recovery.

Marketing interaction data: Email open history, click-through data, form submission records, website visit attribution tied to known contacts. When combined with contact records, this constitutes a detailed behavioural profile.

Custom objects and integrations: Most Salesforce implementations extend the standard schema with custom objects that reflect the specific business. A company might store document metadata, compliance status flags, or transaction records in Salesforce. Whatever the business considers important enough to track likely ends up in the CRM.

Under GDPR's accountability principle (Article 5(2)), your organisation as data controller is responsible for demonstrating compliance with all data protection principles. If the processor you use for all this data is subject to compelled disclosure under a foreign law — the CLOUD Act — and you have not adequately disclosed this risk to data subjects or conducted a Transfer Impact Assessment that honestly addresses it, your organisation bears the accountability exposure.


GDPR Obligations When Using Salesforce

Transfer Impact Assessment

Following Schrems II, GDPR data exporters are required to conduct Transfer Impact Assessments (TIAs) when transferring personal data to third countries. A TIA for Salesforce must assess the legal framework of the United States — specifically the CLOUD Act and FISA Section 702 — and determine whether SCCs provide effective protection in practice, not just on paper.

The European Data Protection Board's Recommendations 01/2020 on supplementary measures acknowledge that SCCs may be insufficient if the legal framework of the receiving country allows surveillance authorities to access data. A TIA that honestly assesses the CLOUD Act will note that US federal law enforcement can compel Salesforce to produce EU customer data through a process that does not require EU judicial involvement. Whether this assessment leads to a conclusion that SCCs are still adequate is a legal determination that individual DPAs in different member states have reached differently — but the assessment cannot omit the CLOUD Act from consideration.

Data Processing Agreements and Sub-Processors

Salesforce publishes a Data Processing Addendum and a sub-processor list. The sub-processor list includes Amazon Web Services, Microsoft Azure, and Google Cloud Platform as infrastructure providers — all US persons themselves. Hyperforce EU data residency agreements with these sub-processors address geographic location of storage but do not alter the US-person jurisdictional status of those sub-processors under the CLOUD Act.

Article 13 Transparency Obligations

If you collect EU personal data and process it in Salesforce, your privacy notice must describe the transfers to third countries and the safeguards in place. A privacy notice that identifies Salesforce as a processor and lists SCCs as the transfer mechanism is technically correct. Whether it adequately discloses the CLOUD Act exposure to data subjects is a transparency question under Article 13(1)(f) that some DPAs have begun scrutinising more carefully.


EU Alternatives to Salesforce: What's Available in 2026

For EU organisations that conclude the CLOUD Act exposure in their TIA warrants moving to an EU-native CRM, the market has grown substantially. The alternatives below are grouped by their operational model.

Brevo CRM (France)

Brevo — formerly Sendinblue — is a French company founded in Paris in 2012 and headquartered in France. It is not publicly traded on a US exchange and has no US parent company. Brevo's CRM product is integrated with its email marketing platform and provides contact management, deal pipeline tracking, and basic automation.

Brevo's CRM is positioned more toward SMBs and marketing-led companies than large enterprise sales teams. It lacks the depth of Salesforce's Sales Cloud for complex B2B deal management. However, for organisations whose primary CRM use case is contact management, email history, and marketing attribution, Brevo covers substantial ground.

GDPR position: Brevo operates entirely within EU jurisdiction. Data is stored in EU infrastructure with no US parent company creating CLOUD Act exposure. Brevo is supervised by the French CNIL.

Limitations: No equivalent to Salesforce's AppExchange ecosystem, limited custom object support, basic reporting compared to Salesforce's Einstein analytics.

Teamleader (Belgium)

Teamleader is a Belgian software company founded in Ghent in 2012. It provides an integrated CRM, project management, and invoicing platform designed for European SMEs and professional services firms. The product has been purpose-built for EU markets and includes native invoicing workflows, time tracking, and project delivery features alongside CRM functionality.

GDPR position: Belgian company, EU infrastructure, no US parent. Data processing contracts are straightforward and reflect EU legal standards by default.

Limitations: Most directly suited to service businesses rather than product companies with large sales teams. Not a like-for-like Salesforce Sales Cloud replacement for complex enterprise pipelines.

Zoho CRM (EU entity)

Zoho Corporation is an Indian company headquartered in Chennai. It is not publicly traded and remains privately held. Zoho operates a European entity — Zoho Europe — and provides EU data residency options for its European customers. Zoho CRM is among the most feature-complete Salesforce alternatives available, with comparable depth in lead management, opportunity tracking, workflow automation, and reporting.

GDPR position: Zoho's European entity provides EU data processing agreements and EU-region data storage. Zoho is not a US person under the CLOUD Act. However, Zoho is an Indian company, and India has its own data access legal framework (the Digital Personal Data Protection Act 2023, DPDPA). Indian law enforcement has data access mechanisms under the Information Technology Act 2000 that are distinct from EU frameworks. For organisations whose primary concern is US CLOUD Act exposure specifically, Zoho addresses that concern while introducing Indian jurisdictional considerations that require separate TIA analysis.

Practical consideration: Zoho's depth, pricing, and EU entity make it the most common landing spot for Salesforce customers moving off a US CRM. The Indian jurisdictional question is real but often assessed as materially lower risk than US CLOUD Act exposure given current enforcement patterns.

Pipedrive: Estonian Origin, US Private Equity Acquisition

Pipedrive was founded in Tallinn, Estonia in 2010 by Estonian and Czech entrepreneurs. For its first decade, Pipedrive was frequently cited as an example of EU-native SaaS success. In 2020, Vista Equity Partners — a US-based private equity firm headquartered in Austin, Texas — acquired a majority stake in Pipedrive, giving a US entity controlling ownership of the CRM.

Vista Equity Partners is incorporated and headquartered in the United States. Its stake in Pipedrive means that Pipedrive's corporate control now sits with a US person. Depending on how Pipedrive's corporate structure is organised and what agreements govern data access between Pipedrive entities and Vista, the CLOUD Act analysis for Pipedrive is more complex than it was before the 2020 acquisition.

Pipedrive continues to operate from its Estonian offices and maintains EU data storage, and the company has not made public statements indicating that US authorities have sought data under the CLOUD Act. However, the change in ownership structure means that the simple "EU-founded CRM" framing no longer tells the full jurisdictional story.

HubSpot: US Parent with EU Data Hosting

HubSpot, Inc. is a Delaware corporation headquartered in Cambridge, Massachusetts and publicly traded on the New York Stock Exchange. It is a US person under the CLOUD Act. HubSpot offers EU data hosting as a feature for its Enterprise tier customers, and it provides a Data Processing Agreement with Standard Contractual Clauses for EU customers.

HubSpot EU data hosting means your data at rest is in EU infrastructure. It does not change HubSpot's status as a US person. For organisations whose TIA analysis focuses specifically on physical data location rather than jurisdictional compelled disclosure, HubSpot EU hosting may be assessed as adequate. For organisations whose TIA concludes that CLOUD Act compelled disclosure is a material risk regardless of data location, HubSpot presents the same category of concern as Salesforce.

Self-Hosted Options: SuiteCRM and EspoCRM

For organisations with the technical capacity to operate self-hosted infrastructure, two open-source CRM platforms provide complete elimination of third-party jurisdictional exposure:

SuiteCRM: A fork of SugarCRM's open-source codebase, maintained by SalesAgility (a Scottish company). SuiteCRM is widely deployed and has a large community of developers and integration partners. Running SuiteCRM on your own EU infrastructure — or on an EU-native IaaS provider — means no third party holds your CRM data. The CLOUD Act simply does not apply when there is no US person in the data processing chain.

EspoCRM: A PHP and JavaScript CRM with a clean architecture and active development. Smaller community than SuiteCRM but a more modern codebase. Available for self-hosting or through managed hosting providers.

The operational overhead of self-hosted CRM is real: you manage upgrades, backups, security patching, and availability. For organisations with existing IT operations capacity, this overhead may be acceptable given the data control benefits. For organisations without that capacity, managed hosting through an EU-native provider offers a middle path.


Decision Framework: When to Move Off Salesforce

The decision to migrate a CRM is not purely a legal compliance exercise. Salesforce is deeply integrated into many enterprises — it touches sales commission calculations, forecasting workflows, customer success operations, and often serves as the system of record for contractual relationships. A migration decision should weigh regulatory exposure against operational complexity.

Situations where EU-native alternatives are most appropriate:

Situations where Salesforce with supplementary measures may remain appropriate:


Migration Considerations

A Salesforce migration requires careful data mapping before export:

  1. Standard objects: Contacts, Accounts, Opportunities, Cases, Leads — these map to standard objects in most alternative CRMs. Export via Salesforce's Data Export feature (Setup → Data Management → Data Export).
  2. Custom objects: Require field-by-field mapping to the target CRM's data model. Some fields will not have direct equivalents.
  3. Files and attachments: Documents attached to records require separate export and may represent significant storage volume.
  4. Automation and workflow rules: Process Builder rules, Flows, and Apex triggers need to be re-implemented in the target CRM's automation framework.
  5. Integrations: Every Salesforce integration (accounting systems, marketing tools, customer success platforms) needs a corresponding integration in the target CRM.
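
As an added illustration (not part of the original article or any vendor's tooling), the following script audits the CSV headers of a Data Export archive against a field mapping and lists every column that has no mapping decision yet, with a count of the rows that actually hold data. The sample files, the target field names and the mapping are constructed assumptions; the only Salesforce convention relied on is that custom field and object API names end in `__c`.

```python
import csv
import io

# Constructed sample standing in for two files from a Salesforce Data Export
# archive (one CSV per object). Not real customer data.
SAMPLE_EXPORT = {
    "Contact.csv": (
        "Id,FirstName,LastName,Email,Phone,Consent_Source__c,Health_Note__c\n"
        "003A,Anna,Berg,anna@example.eu,+49 30 0000,webform,\n"
        "003B,Luc,Morel,luc@example.eu,,import,allergy noted on call\n"
    ),
    "Contract_Review__c.csv": (
        "Id,Name,Reviewer__c,Status__c\n"
        "a01A,CR-001,j.doe,approved\n"
    ),
}

# Hypothetical mapping to a target CRM's field names (assumed, not any
# vendor's real schema). None means "deliberately not migrated".
FIELD_MAP = {
    "Contact.csv": {
        "Id": "legacy_id", "FirstName": "first_name", "LastName": "last_name",
        "Email": "email", "Phone": "phone", "Consent_Source__c": "consent_source",
    },
    "Contract_Review__c.csv": {"Id": "legacy_id", "Name": "title", "Status__c": None},
}


def audit_export(files, field_map):
    """Return one finding per source column that has no mapping decision."""
    findings = []
    for filename, text in sorted(files.items()):
        reader = csv.DictReader(io.StringIO(text))
        rows = list(reader)
        mapping = field_map.get(filename, {})
        for column in reader.fieldnames or []:
            if column in mapping:
                continue  # mapped, or explicitly dropped with None
            populated = sum(1 for row in rows if (row.get(column) or "").strip())
            findings.append({
                "file": filename,
                "field": column,
                "custom": column.endswith("__c"),  # Salesforce custom-field suffix
                "populated_rows": populated,
                "total_rows": len(rows),
            })
    return findings


def summarize(findings):
    """Sort so unmapped fields that actually hold data come first."""
    ordered = sorted(findings, key=lambda f: (-f["populated_rows"], f["file"], f["field"]))
    return [
        f"{f['file']}:{f['field']} "
        f"({'custom' if f['custom'] else 'standard'}, "
        f"{f['populated_rows']}/{f['total_rows']} rows populated)"
        for f in ordered
    ]


if __name__ == "__main__":
    for line in summarize(audit_export(SAMPLE_EXPORT, FIELD_MAP)):
        print("UNMAPPED", line)
```

In the constructed sample, the unmapped `Health_Note__c` column is a free-text field holding health information, the kind of data that needs an explicit migrate-or-delete decision before export rather than silent loss or silent carry-over.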

Specialist Salesforce migration partners operate in the EU market. The migration timeline for a mid-market deployment typically runs three to six months. For large enterprise deployments with complex custom objects and deep integrations, twelve to eighteen months is realistic.


Conclusion

Salesforce is the world's leading CRM and its market position reflects genuine product capability. Hyperforce EU addresses the geographic data residency question that many EU organisations raise first. What Hyperforce EU does not address — and cannot address through technical architecture alone — is the jurisdictional status of Salesforce, Inc. as a Delaware corporation subject to CLOUD Act compelled disclosure.

For EU organisations processing sensitive customer data in Salesforce, a Transfer Impact Assessment that honestly evaluates the CLOUD Act alongside the EU-US Data Privacy Framework is a legal compliance requirement, not an optional exercise. The assessment may conclude that SCCs plus Hyperforce EU provide defensible protection for your specific risk profile. It may conclude that the residual risk is acceptable given the operational value of Salesforce. Or it may conclude that migration to an EU-native CRM — Brevo, Teamleader, Zoho EU, or a self-hosted option — is the appropriate response.

Sota.io is an EU-native managed PaaS built on Hetzner Germany. If you are migrating off US cloud infrastructure as part of a broader EU sovereignty programme, we deploy your application stack — including self-hosted CRM options — on EU infrastructure with no US parent company in the data processing chain. No CLOUD Act. No SCCs required.
