A real example, in case you missed it
In September 2025, security researchers disclosed ForcedLeak, a CVSS 9.4 vulnerability in Salesforce Agentforce. The exploit was almost embarrassing in its mundanity: an attacker registered a domain that Salesforce had let lapse, then planted instructions on a web page hosted there. When Agentforce's AI agent fetched that page during a routine task, it followed the instructions and quietly exfiltrated customer lead data.
This is not a one-off bug. It is what indirect prompt injection looks like in production. Every CRM that lets an AI agent read web pages, emails, attachments, or any text a third party can influence has the same surface area.
A separate study released during Data Privacy Week 2026 found that 77% of employees actively leak corporate data through AI tools — usually by pasting it into a chatbot, but increasingly by clicking "Summarize" inside their CRM.
The point is not "AI is dangerous." The point is: when you turn on AI features in your CRM, your customer data leaves your account. The rest of this post is about where it actually goes — and what you can do about it.
The five-minute audit
You can do this on your lunch break. No tools needed beyond your CRM and a browser tab.
1. Open your CRM's AI settings. Settings → Einstein, Breeze, Zia, Copilot, "AI features" — whatever they call it. List every AI feature that's currently on. Most CRMs default these to enabled.
2. Find your vendor's "subprocessors" page. Every reputable SaaS company publishes one. If you can't find it, search [vendor name] subprocessors on Google. It's usually one click from the trust or security page.
3. Search that page for these names: OpenAI, Anthropic, Google, Vertex, Azure, Bedrock, Cohere. Any hit means your AI feature output passes through that company's infrastructure.
4. For each AI feature, check the docs: does it work offline? If the answer is no, your data is going to a server. If the docs don't say, assume it is.
5. Read the data processing addendum. Look for language like "sub-processors may be added with 30 days notice." That's the clause that lets your vendor swap which LLM provider sees your data without asking you again.
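Steps 2, 3 and 5 can be scripted once you have saved the subprocessor page and the DPA text locally. The Python below is an added example, not code from any vendor or from Yuzen; the sample page, the sample clause and the clause regex are constructed assumptions. It searches visible text only, so a tracking script that mentions Google is not counted as a hit, and it keeps the surrounding text so you can read what each provider is listed for.

```python
import re
from html.parser import HTMLParser

PROVIDERS = ["OpenAI", "Anthropic", "Google", "Vertex", "Azure", "Bedrock", "Cohere"]  # step 3
# Step 5 clause; the exact wording varies by vendor, so this pattern is an assumption.
NOTICE = re.compile(r"sub-?processors?\b[^.]{0,120}?\b(\d+)\s+days'?\s+(?:prior\s+)?notice", re.I)

# Constructed sample inputs (not taken from any real vendor).
SAMPLE_PAGE = """<html><head><script>/* Google Analytics */ track();</script></head>
<body><table>
<tr><td>OpenAI, L.L.C.</td><td>AI summaries</td></tr>
<tr><td>Microsoft Azure</td><td>Model hosting</td></tr>
</table></body></html>"""
SAMPLE_DPA = "Sub-processors may be added with 30 days notice to the customer."

class _Text(HTMLParser):
    """Collect visible text only; <script>/<style> bodies would cause false hits."""
    def __init__(self):
        super().__init__()
        self.parts, self.skip = [], False
    def handle_starttag(self, tag, attrs):
        self.skip = tag in ("script", "style")  # their bodies are raw text, never nested tags
    def handle_endtag(self, tag):
        self.skip = False
    def handle_data(self, data):
        if not self.skip:
            self.parts.append(data)

def visible_text(html):
    parser = _Text()
    parser.feed(html)
    parser.close()
    return re.sub(r"\s+", " ", " ".join(parser.parts)).strip()

def find_providers(html):
    """Map each provider named on the page to short context snippets around each hit."""
    text, hits = visible_text(html), {}
    for name in PROVIDERS:
        for m in re.finditer(rf"\b{re.escape(name)}\b", text, re.I):
            hits.setdefault(name, []).append(text[max(0, m.start() - 40):m.end() + 40])
    return hits

def notice_days(dpa_text):
    """Return the notice period in days from the sub-processor clause, or None."""
    m = NOTICE.search(dpa_text)
    return int(m.group(1)) if m else None

if __name__ == "__main__":
    print(find_providers(SAMPLE_PAGE), notice_days(SAMPLE_DPA))
```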
What you'll typically find on the major CRMs, per their public docs as of mid-2026:
| CRM | AI brand | Publicly listed LLM provider(s) |
|---|---|---|
| Salesforce | Einstein / Agentforce | OpenAI (via Azure), Anthropic Claude |
| HubSpot | Breeze | OpenAI, Google Vertex |
| Pipedrive | Pipedrive AI | OpenAI |
| monday CRM | monday AI | OpenAI |
| Folk | Folk AI | OpenAI |
| Attio | Attio AI | OpenAI |
| Zoho CRM | Zia | Zoho infrastructure + optional OpenAI |
Verify against your vendor's current subprocessor list before relying on this. Vendors change LLM providers frequently and the contract usually allows it without asking you.
None of this is a secret. The vendors disclose it. The audit is just about you knowing what you signed up for when you toggled the AI summary feature on.
"We don't train on your data" is a promise, not a structure
Every cloud AI vendor tells you the same three things: customer data is not used to train models, data is encrypted in transit and at rest, and they have a SOC 2 report. All of which is true. None of which is the same as your data not leaving your account.
The promise model breaks in a handful of specific ways, all observed in the last two years:
Indirect prompt injection. The ForcedLeak case above. The model reads attacker-controlled text and does what it's told. Salesforce patched it. The architectural risk is the same on every CRM whose AI agents browse the web or read inbound emails.
Sub-processor changes. Your DPA almost certainly allows the vendor to swap LLM providers with 30 days notice. Customers rarely notice the email.
Accidental retention. OpenAI's March 2023 incident — a Redis bug that exposed conversation history to other users — is the canonical example. There have been others, including recent Agentforce leaks. Bugs happen. The question is whether your customer's name was in the blast radius.
Expired domains and orphan endpoints. Cheap to attack, hard to detect. ForcedLeak was triggered by a domain that cost less than $20 to acquire.
Compliance scope creep. Once data is in a vendor's pipeline, it can show up in their internal logs, debugging tools, or human-review queues that nobody told your DPO about. This is rarely malicious. It's just what happens when sales-call data flies between four companies before it gets summarized.
Why August 2, 2026 makes this harder
The EU AI Act becomes fully applicable on August 2, 2026. The relevant passage for CRMs is buried in Annex III, but it's specific: any AI system that profiles individuals — which includes AI deal scoring, AI lead prioritization, AI sentiment analysis on customer messages — is automatically classified as high-risk regardless of category.
High-risk means documented data lineage, mandatory data protection impact assessments, human oversight requirements, and fines up to €15 million or 3% of global revenue for non-compliance.
If your CRM's AI features run on a stack you don't control, demonstrating compliance is not impossible — but it's expensive, and the audit trail depends on the vendor's cooperation. If your CRM's AI features run on the device, the audit gets short: data didn't leave the device, no third-country transfer occurred, no profiling system processed personal data outside the data subject's control.
This is not legal advice. It's a structural observation: the cleanest way to be compliant is not to send the data in the first place.
What "on-device AI" actually means
When Apple shipped Apple Foundation Models with iOS 18 and beyond, it changed what "AI feature" can mean.
The model weights ship with the operating system. Inference runs on the device's Neural Engine — the same silicon that already does Face ID and live photo segmentation. There is no API key. There is no cloud round trip. The app developer gets a function call ("summarize this," "extract a contact," "detect intent in this transcript") and a result.
Yuzen uses Apple Foundation Models for everything that deserves to be called AI:
Business card scanning. Photo in. Name, email, phone, company, title out. The image never leaves the phone.
Voice notes. The on-device Speech framework transcribes audio. Foundation Models extract structured actions from the transcript — stage changes, deal value updates, follow-up tasks.
Lead summaries and email drafts. Drafted on the device, ready before a network round trip would have completed.
You can verify this from your couch: turn on Airplane Mode, scan a card, dictate a voice note, draft a reply. All of it still works.
The wider context: in May 2026, Apple confirmed that iOS 27 will let users pick Claude, Gemini, or ChatGPT as the default Apple Intelligence model for system features like Writing Tools and Siri. Yuzen does not make that choice for you, because Yuzen doesn't send your data to any of them. The decision doesn't apply.
Why this matters more for solo and small-team sellers
If you're running a 1–5 person operation, the cloud-AI privacy story is mostly a problem you didn't ask to inherit. You're not a regulated bank. You don't have a DPO. But your customer list still matters, and your sales call notes still matter, and the people you sell to still expect their information to be treated like it was theirs.
The way to make that promise unbreakable is to architect it: AI processes your data on the device that already has your data. The CRM never gets to ship it elsewhere because the CRM has no LLM provider configured.
This is also, conveniently, cheaper. Every cloud-AI feature in mainstream CRMs is metered. A typical AI summary call costs the vendor a fraction of a cent — which they then bundle into a $30–$125/user/month upcharge. Yuzen's monthly price is $7.99 flat with no AI tier, because the AI is free to run on hardware you already own.
The short version
If you only remember three things:
Run the audit. Five minutes. Settings → AI features → vendor subprocessors page → search for OpenAI, Anthropic, Google. You'll know more about your data flow than 90% of your customers' DPOs.
"We don't train on your data" is a contract, not a wall. Read your DPA's sub-processor clause and decide if the trade is worth it for your business.
On-device AI is structurally different. Not a stronger promise. A different architecture.
If the audit makes you uncomfortable, Yuzen CRM is $7.99/month, runs natively on iPhone and iPad, and uses Apple Foundation Models on-device for everything AI. Not because we promise not to send your data anywhere — because the app does not have the code to send it.