Einstein Activity Capture Security Guide
Salesforce, Winter '25
Last updated: July 25, 2024
© Copyright 2000–2024 Salesforce, Inc. All rights reserved. Salesforce is a registered trademark of Salesforce, Inc., as are other names and marks. Other marks appearing herein may be trademarks of their respective owners.
CONTENTS
- Einstein Activity Capture
- Einstein Activity Capture System Requirements
- Access and Authentication
- Allowing Network Access When Using Einstein Activity Capture with a Microsoft Exchange Server
- Exchange Web Services (EWS) and API
- Einstein Activity Capture Data Flow
- How Data Is Stored and Used
- Encryption
- Data Privacy
- Data Storage and Retention
EINSTEIN ACTIVITY CAPTURE
EDITIONS
Available in: Lightning Experience
Available with Einstein Activity Capture Standard, which is available in Sales Cloud in Starter, Professional, Enterprise, Performance, and Unlimited Editions
Available with Sales Cloud Einstein, which is available in Performance and Unlimited Editions, and available for an extra cost in Enterprise Edition
Available with Inbox in Sales Cloud, which is included in Starter, Performance and Unlimited Editions and available for an extra cost in Professional and Enterprise Editions. Inbox is also available for an extra cost in Service Cloud and Lightning Platform.
Available with Sales Engagement in Sales Cloud, which is included in Performance and Unlimited Editions, and available for an extra cost in Professional and Enterprise Editions. Sales Engagement is also available for an extra cost in Service Cloud and Lightning Platform.
Available with Revenue Intelligence, which is available for an extra cost in Enterprise and Unlimited Editions
Einstein Activity Capture is a productivity-boosting tool that helps keep data between Salesforce
and your email and calendar applications up to date.
Note: Starting in late 2023, existing Einstein Activity Capture (EAC) services and data are
migrating to Hyperforce. Hyperforce is Salesforce cloud-native infrastructure architecture,
built for the public cloud. Before the migration, some EAC services and data are stored in
Salesforce-managed data centers in Germany or the United States, and hosted on Amazon
Web Services (AWS) behind a Virtual Private Cloud (VPC). Post-migration, the EAC services
and data are built on Hyperforce and stored on new AWS public cloud infrastructure within
the same region.
To keep data up to date between applications, Einstein Activity Capture focuses on three types of
data: emails, events, and contacts.
Einstein Activity Capture also includes tools to summarize sales activities that were added to
Salesforce manually and by Einstein Activity Capture. The Activities dashboard breaks down data
with various charts and filters. Activity Metrics lets you use activity data with Salesforce platform
capabilities, such as triggers and list views.
In Salesforce documentation, the term capture refers to when data is gathered from the connected
Microsoft or Google account and held on Hyperforce, creating virtual records. The captured data
isn't stored in your primary Salesforce database and isn't used to create Salesforce records that can
be queried. For example, captured data is used to generate insights and engagement details on
the timelines of related Salesforce records.
For complete information, including setup steps, limitations, and details about how the feature
works, see Einstein Activity Capture in Salesforce Help.
EINSTEIN ACTIVITY CAPTURE SYSTEM REQUIREMENTS
Before you set up Einstein Activity Capture, confirm that your Google Workspace account or
Microsoft® Exchange-based server meets the system requirements.
All connection methods use the OAuth 2.0 protocol to authorize data retrieval from users' email
service.
Google
The user-level and service account connection methods are available for companies working from
Google Workspace. Einstein Activity Capture supports the Basic, Business, and Enterprise editions
of Google Workspace.
Microsoft Exchange Online with Office 365
The user-level, org-level, and service account connection methods are available for companies
working from Microsoft Exchange Online with Office 365. Before you connect Exchange to Salesforce,
work with your Exchange admin to enable Exchange Web Services (EWS) on an SSL connection.
Einstein Activity Capture only supports Office 365 tenants hosted on Microsoft Azure global
infrastructure clouds. Azure national and government clouds aren't supported.
Microsoft Exchange 2019, 2016, or 2013
The user-level and service account connection methods are available for companies working from
Microsoft Exchange 2019, 2016, or 2013.
Before you connect Exchange to Salesforce, work with your Exchange admin to enable Exchange
Web Services (EWS) on an SSL connection and allow the necessary network access. Make sure your
server supports Basic Authentication requests.
Microsoft Exchange Hybrid Deployments
For companies working from a combination of Microsoft Exchange Online and Microsoft Exchange
on-premises servers, Einstein Activity Capture only supports user-level connections for the capture
functionality.
ACCESS AND AUTHENTICATION
Set up and manage your access and authentication settings for Einstein Activity Capture.
Access
To use Einstein Activity Capture, users must be assigned to one of the permission sets that includes Einstein Activity Capture. For details,
see Select Who Can Use Einstein Activity Capture in Salesforce Help.
For a user's events and contacts to be synced, an admin must also add the user to an Einstein Activity Capture configuration with syncing
enabled. For details, see Create a Configuration for Einstein Activity Capture in Salesforce Help.
Org Provisioning
Note: Hyperforce is Salesforce infrastructure architecture, built for use with public cloud providers, such as Amazon Web Services
(AWS). Hyperforce is composed of code rather than hardware, so that the Salesforce platform and applications can be delivered
rapidly and reliably to locations worldwide. It provides Salesforce applications with compliance, security, privacy, agility, and
scalability, and gives customers more choice and control over data residency.
When Einstein Activity Capture is enabled in an org, a corresponding Einstein Activity Capture org is created on Salesforce Hyperforce
infrastructure. The integration between the Salesforce first-party servers, where your primary Salesforce data is stored, and Salesforce
Hyperforce servers, where your Einstein Activity Capture data is stored, is authenticated through encrypted private keys. When Einstein
Activity Capture makes API calls to Hyperforce, the key is required.
Authentication
The choices of how to connect and authenticate users' email and calendar applications depend on which email and calendar applications
you use. For details about the available connection and authentication methods, see Set Up Einstein Activity Capture in Salesforce Help.
In all cases, the connection allows Salesforce to:
- Read, send, delete, and manage users' email.
- View files in users' Google Drive, if applicable.
- Manage users' contacts.
- Manage users' calendars.
ALLOWING NETWORK ACCESS WHEN USING EINSTEIN
ACTIVITY CAPTURE WITH A MICROSOFT EXCHANGE SERVER
When setting up Einstein Activity Capture with a Microsoft Exchange on-premises server (2019, 2016, or 2013), make sure that you allow
the necessary network access.
Available in: Lightning Experience
Available with Sales Cloud in: Essentials, Professional, Enterprise, Performance, and Unlimited Editions
Available with Sales Cloud Einstein, which is available for an extra cost in: Enterprise, Performance, and Unlimited Editions
Available with Inbox, which is available in Professional, Enterprise, Performance, and Unlimited Editions
Available with Sales Engagement, which is available for an extra cost in: Enterprise, Performance, and Unlimited Editions
Inbound Connections
If an IP or VPN restricts the Exchange Web Services (EWS) endpoint, you must add the following addresses to your allowlist. Doing so
ensures that your Exchange server is visible to Salesforce.
Note: Starting in late 2023, Einstein Activity Capture services are migrating to Hyperforce, the Salesforce cloud-native infrastructure
architecture, built for the public cloud. Before migration to Hyperforce, Einstein Activity Capture data is stored in Salesforce managed
data centers and hosted on Amazon Web Services (AWS) behind a Virtual Private Cloud (VPC). After migration, the Einstein Activity
Capture data and services are stored on Hyperforce and new AWS public cloud infrastructure, within the same region as before.
Important: To ensure uninterrupted access of your Einstein Activity Capture services and data, add both sets of IP addresses to
your allowlist.
Depending on how you set up Salesforce, it can be necessary to add Salesforce IP addresses that aren't specific to EWS or Einstein Activity
Capture to your allowlist. To ensure continued access to Salesforce features, see Salesforce IP Addresses and Domains to Allow.
Outbound Connections
If you have restrictions on Exchange outbound connections, you must allow outbound access to the following domains. Then, when
new emails and events arrive in Exchange, push notifications are sent to Salesforce. To ensure uninterrupted access of your Einstein
Activity Capture services and data, add both sets of webhook endpoints to your org.
| | If Your Salesforce Instance Is Outside of Europe | If Your Salesforce Instance Is in Europe |
|---|---|---|
| Hyperforce | apiq-ews-webhook-c01.sfdc-lywfpd.svc.sfdcfc.net | apiq-ews-webhook-c01.sfdc-yzvdd4.svc.sfdcfc.net |
| Pre-Hyperforce | ews-webhook-us1-prod.salesforceiq.com | ews-webhook-eu1-prod.salesforceiq.com |
EXCHANGE WEB SERVICES (EWS) AND API
To access contacts and events from Exchange, Salesforce makes the following calls via EWS.
Tip: For details, visit Microsoft's support website and search for the calls mentioned here.

| EWS API Call | Description |
|---|---|
| CreateFolder | Creates a folder in Exchange. |
| CreateItem | Creates a contact or event in Exchange. The Salesforce record ID is added to the Exchange item properties. |
| DeleteItem | Deletes contacts or events based on the Salesforce record ID. |
| FindFolder | Finds a folder in Exchange. |
| FindItem | Finds a contact or event based on given search parameters. |
| GetEvents | Accesses information about Exchange events. |
| GetFolder | Accesses a folder from Exchange. |
| GetItem | Accesses information about a contact or event in Exchange. |
| GetServerTimeZones | Returns information from time zone definitions that are available on the Exchange server. |
| SyncFolderItems | Returns all changed contacts and events with requested fields. |
| UpdateItem | Modifies one or more contacts or events with new field data. |
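
An added example, not part of the Salesforce guide: one way an Exchange admin can use the calls listed in the table above as a baseline when reviewing what the connected account does over EWS. The log layout, the account name svc-eac@example.com, and the placeholder source network are assumptions made for this sketch; the table covers contact and event access only, so a finding is a prompt to review, not proof of misuse.

```python
import csv
import io
import ipaddress

# EWS operations the guide's table lists for contact and event access.
DOCUMENTED_EWS_CALLS = frozenset({
    "CreateFolder", "CreateItem", "DeleteItem", "FindFolder", "FindItem",
    "GetEvents", "GetFolder", "GetItem", "GetServerTimeZones",
    "SyncFolderItems", "UpdateItem",
})

# Placeholder network from the RFC 5737 documentation range. Replace it with
# the inbound Salesforce addresses that your firewall allowlist contains.
EXPECTED_SOURCES = (ipaddress.ip_network("198.51.100.0/28"),)

# Constructed sample log. The column names are assumptions for this example;
# map them to whatever your EWS or proxy log export actually provides.
SAMPLE_LOG = """\
timestamp,user,client_ip,operation
2024-07-25T10:00:01Z,svc-eac@example.com,198.51.100.4,SyncFolderItems
2024-07-25T10:00:02Z,svc-eac@example.com,198.51.100.4,GetItem
2024-07-25T10:00:05Z,alice@example.com,203.0.113.20,GetUserOofSettings
2024-07-25T10:01:10Z,svc-eac@example.com,198.51.100.4,GetAttachment
2024-07-25T10:02:30Z,SVC-EAC@example.com,203.0.113.77,FindItem
2024-07-25T10:03:00Z,svc-eac@example.com,203.0.113.77,SendItem
2024-07-25T10:04:00Z,svc-eac@example.com,-,GetFolder
"""


def audit_ews_log(log_text, service_account, expected_sources=EXPECTED_SOURCES):
    """Return requests made as service_account that fall outside the baseline.

    A request is reported when its operation is not in the documented table,
    when its source address is outside the expected networks, or when the
    source address cannot be parsed.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        # Only the account connected to Salesforce is in scope.
        if row["user"].strip().lower() != service_account.lower():
            continue
        operation = row["operation"].strip()
        raw_ip = row["client_ip"].strip()
        reasons = []
        if operation not in DOCUMENTED_EWS_CALLS:
            reasons.append("undocumented_operation")
        try:
            source = ipaddress.ip_address(raw_ip)
            if not any(source in net for net in expected_sources):
                reasons.append("unexpected_source")
        except ValueError:
            reasons.append("unparseable_source")
        if reasons:
            findings.append({
                "timestamp": row["timestamp"],
                "operation": operation,
                "client_ip": raw_ip,
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for finding in audit_ews_log(SAMPLE_LOG, "svc-eac@example.com"):
        print(finding["timestamp"], finding["operation"],
              finding["client_ip"], ",".join(finding["reasons"]))
```
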
EINSTEIN ACTIVITY CAPTURE DATA FLOW
Email, event, and contact data flows from the connected account, through the Salesforce Hyperforce platform infrastructure, to your
Salesforce instance.
When email, event, or contact data moves from the connected account to Salesforce, the data follows the same flow from the user's
email account to Salesforce, regardless of which service is connected to Salesforce. The data flows between Salesforce core architecture,
which can be hosted in Salesforce first-party data centers, and Hyperforce, the Salesforce infrastructure architecture built for public cloud
providers (such as AWS).
First, Salesforce Hyperforce servers capture the data from the email service. Then, the core Salesforce servers fetch email and event data
from Hyperforce to display on the activity timeline of related Salesforce records. Contact data is also captured and stored on Hyperforce
to be used by other Salesforce features, such as Einstein Email Insights. Some event and contact data is also stored in the core Salesforce
servers. Finally, the activities metadata is stored in the core Salesforce servers.
When contacts or events move only from Salesforce to the connected account, no data is stored in Hyperforce.
HOW DATA IS STORED AND USED
Review details about how Einstein Activity Capture and Inbox capture, store, and use data.
Inbox and Einstein Activity Capture can be used together or separately. However, the way each of these features captures, stores, and
uses data is the same.
Either Inbox or Einstein Activity Capture initiates the data capturing, which is the process for gathering data. The data is stored on the
Salesforce Hyperforce infrastructure. Some data can be stored in Salesforce first-party data centers. The data is used by either Inbox,
Einstein Activity Capture, or both to bring productivity-boosting tools to assigned users.
Learn more about Salesforce Inbox.
Review details about what data is captured and stored, and how the data is used.
| What Hyperforce Captures and Stores | Additional Details | How Data is Used |
|---|---|---|
| Calendar events | Calendar events include all event data that comes from users' connected Microsoft or Google accounts. They don't include event attachments. | Einstein Activity Capture uses the data to display events in the activity timeline and the Salesforce calendar. Inbox uses the data for the Insert Availability and Recommended Connections features. |
| Contact details | The details include contact data from what's displayed in the Contact Profile screen from Gmail, Exchange, or Sales Cloud. | Contact data is used by other Salesforce features, such as Einstein Email Insights. |
| Email accounts | The information includes details about users' connected Microsoft or Google accounts, including email address, server, and domain. | Einstein Activity Capture and Inbox use the data to connect users' email accounts to Salesforce. |
| Email attachments | The metadata for email attachments is included. For Einstein Activity Capture, the attachments themselves aren't stored or shown on the activity timeline. For Inbox, the Send Later feature stores the attachments until the email is sent. During Inbox's email send action, attachments can be dynamically fetched from the Google or Exchange server by passing the email message ID. | Einstein Activity Capture doesn't currently use the attachment metadata. Inbox uses the attachments and metadata for the Send Later feature. |
| Email headers and metadata | The email messages are from users' connected Microsoft or Google accounts. The email elements that are stored include: Subject, From, To, CC, and sent date. | Einstein Activity Capture uses the data to add emails to the activity timeline of related Salesforce records. Email Insights, available with Inbox and Einstein Activity Capture, uses the data to create classifications. Recommended Connections, which is available with Inbox and Einstein Activity Capture, uses the data to generate suggestions. |
| Email HTML bodies | | Einstein Activity Capture uses the data to display emails in Salesforce. The data is also used to generate email insights. |
| Passwords and OAuth tokens | When users connect their account to Salesforce with OAuth 2.0, we don't store users' passwords. Therefore, if users change their email password after connecting their account to Salesforce, they don't have to reauthenticate against Google or Microsoft. For users that use on-premises Exchange email accounts that use password authentication, we store users' passwords. | The OAuth refresh and access tokens are used to connect users' Google or Microsoft accounts to Salesforce. |
| Salesforce records | The records also include metadata, such as permissions, fields, and page layouts, for records such as contacts, leads, and opportunities. Inbox stores metadata for records for up to 24 hours. Einstein Activity Capture stores metadata for records until you delete the data in Salesforce. When you delete the record data in Salesforce, it's also removed from Hyperforce servers. | Inbox mobile apps use the data to improve performance when looking up records related to an email or event. To associate emails with related Salesforce records, Einstein Activity Capture copies email addresses from contact and lead records and stores them on Hyperforce servers. |
| User settings | The user settings include the user's personal settings from Inbox or Einstein Activity Capture. | |
ENCRYPTION
Einstein Activity Capture uses various encryption methods to provide data security.
For captured emails and events, Salesforce platform encryption isn't available. Instead, the data is encrypted at rest using AES-256
server-side encryption. When Shield Platform Encryption is enabled for your org, emails and events that are added to the activity timeline
of related Salesforce records show the names of encrypted contacts and leads.
For synced events and contacts, Salesforce uses Transport Layer Security technology (TLS 1.2 or higher) to protect transferred data.
During authorization of each transaction, Salesforce requires the TLS configuration from the data received to meet Salesforce TLS security
requirements before granting access.
For all data accessed between the user's email account and Salesforce core servers and between Salesforce core servers and Hyperforce,
Salesforce uses Transport Layer Security technology (TLS 1.2 or higher), HTTPS, and token-based authentication to protect transferred
data.
Shield Platform Encryption is supported when syncing contacts and events; however, there are some exceptions. For details, see
Considerations for Setting Up Einstein Activity Capture.
DATA PRIVACY
Einstein Activity Capture includes several ways to ensure that data is captured, stored, and shared the way users want.
Note: Unless stated otherwise, the following information applies only to captured data, not synced data.
Share Emails and Events
Users can control how activities that were added to Salesforce by Einstein Activity Capture are shared with other Salesforce users at your
company. Einstein Activity Capture users can share with all users, with Chatter groups, or with no one. Users can also set sharing for
individual emails or events. The admin sets the default sharing setting, but users can override it by setting their individual sharing. The
user's setting is applied to all emails and events, except those whose sharing they set individually. However, if the admin sets the default sharing
setting to Don't Share, they can choose to prevent users from changing it. In that case, users can't set their own sharing. Users can still
share individual emails and events, and respond to sharing requests from other users.
Some Sales Cloud Einstein features generate business-related insights using emails captured by Einstein Activity Capture, including
emails that aren't shared. However, the content of the emails and the usernames associated with them are hidden. Einstein Opportunity
Insights and Einstein Automated Contacts are the Sales Cloud Einstein features that use these private emails.
For more information, see Control How Activities Added by Einstein Activity Capture Are Shared in Salesforce Help.
Exclude Email Addresses
Admins and end users can exclude emails and events from being added to Salesforce by adding an email address or domain to the
Excluded Address list. Emails and events associated with persons or companies added to the Excluded Address list aren't added to the
activity timeline of related Salesforce records, and events aren't synced between Salesforce and the connected accounts. However, the
emails and events are still stored on Hyperforce.
The org-wide Excluded Addresses list, which the admin creates, can include domains and email addresses. Users can add more email
addresses to their own Excluded Addresses list.
For more information, see Considerations for Excluding Data from Einstein Activity Capture in Salesforce Help.
Delete Data
Admins can honor their customers' requests to delete their personal data in Salesforce email and events. When activities are deleted,
they're removed from Hyperforce servers and from the activity timeline. Activities can be deleted based on email address or username.
We process the request after seven days, and it can take up to a month to complete the request.
The data isn't removed from the email services; consider deleting the data from those locations too.
For more information, see Delete Email and Events Logged by Einstein Activity Capture in Salesforce Help.
Exclude Data from Machine Learning
Admins can honor their customers' requests to exclude their personal data from factoring into machine learning models. Salesforce
processes the request after seven days, and it can take up to a month to complete the request.
For more information, see Exclude People's Personal Data from Modeling and Data Enrichment in Salesforce Help.
DATA STORAGE AND RETENTION
Einstein Activity Capture and Inbox store some data using the Salesforce Hyperforce infrastructure.
Note: The following information applies only to captured data, not synced data.
Einstein Activity Capture data is stored on Salesforce Hyperforce servers and, therefore, doesn't affect Salesforce data allocations. There's
no additional cost for this storage. The license that's used to access Einstein Activity Capture determines the data retention policy. If an
org has at least one Sales Cloud Einstein, Sales Engagement, or Inbox license, the data retention policy for that license applies to the
entire org.
When a new Microsoft or Google account is connected to Salesforce, the amount of historical data that's captured and stored by the
Salesforce Hyperforce servers is 6 months (up to 50K emails and 5K events).
Then, Hyperforce servers use notification subscriptions from the email service to capture new email messages and events. The default
amount of data stored over time on Hyperforce ranges from 6 to 24 months, depending on which Salesforce license is used to access
Einstein Activity Capture. Admins can contact Salesforce Customer Support to change the storage amount.
After the data retention period has passed, the data is removed from the system. For example, if the data retention period is 24 months,
then any activity that occurred more than 24 months ago (regardless of when it was added to Salesforce) is deleted from the Hyperforce
servers and the activity timeline. Activities captured by Einstein Activity Capture aren't archived.
For complete data retention information, see Data Retention for Einstein Activity Capture in Salesforce Help.