Salesforce Data Security: Answers to Our Clients’ Top 3 Questions

Author: Laura Tooker


Keeping an organization’s data and client data safe can directly impact its operations and reputation — because of this, some of the most frequent questions we get from clients looking into solution options are about Salesforce’s data security capabilities and practices.

If your organization is researching CRM solutions, this blog will review our clients’ top 3 data security questions, and cover:

  • Salesforce’s certifications and attestations.
  • Information on their data architecture and redundancy.
  • Their disaster recovery plan, including data backup and recovery.
  • Additional information about their overall data safety and security.

What are Salesforce’s Security Certifications and Attestations?

Salesforce holds a number of important security certifications and attestations; this section covers the ones we’re asked about most often. If you’re looking for more information, the link provided here will take you to the certification portion of Salesforce’s compliance site.

Salesforce is ISO 27001, 27017, and 27018 certified:

  • They have up-to-date certification of their compliance with specific information security and risk management requirements, and of their adherence to ISO/IEC 27002 Code of Practice controls for both cloud services and protection of personal information.
    • ISO stands for the International Organization for Standardization, and these certifications require adherence to strict security standards.

They are SOC 1, 2, and 3 certified:

  • Which means they have Type II reports covering internal controls over financial reporting systems, security, availability, integrity, confidentiality, and privacy.
  • They can also supply public reports of security, availability, integrity, confidentiality, and privacy controls.
    • SOC stands for Security and Operations Controls, and these certifications mean Salesforce has controls in place to audit everything listed above and prove compliance.

Salesforce has CSA STAR certification:

  • The STAR Registry (Security, Trust, Assurance, and Risk) is publicly accessible, and documents cloud computing security and privacy controls; standards include transparency, rigorous auditing, and harmonization of standards.
    • This certification improves the transparency and security controls they have in place.

What is Salesforce’s Data Architecture?

Salesforce is a large company, with a lot of customers, and data segregation in order to maintain data integrity is a big deal. Clients are often curious about how Salesforce stores data, how it separates one client’s data from another’s, and where exactly it’s hosted.

Salesforce is a cloud-based platform built on a multi-tenant architecture (multi-tenancy), with metadata and data partitioning. There’s an in-depth article about it here, but in short:

  • Multi-tenancy means the solution architecture isolates and supports the requirements of a variety of users (e.g., organizations, business units, etc.).
  • Metadata refers to things like an organization’s specific UI and business logic, and means each tenant can customize its particular solution’s app and user experiences.
  • Data partitioning is what enables platform data, metadata, and structures (e.g., underlying database indexes) to be physically partitioned with their OrgID by using native database partitioning mechanisms; each org primarily belongs to a single instance.

This is the same method companies like Microsoft, Google, and Amazon use; in fact, for Canadian and some US Salesforce users, Amazon Web Services (AWS) cloud infrastructure is utilized.

We’ll cover data storage and hosting below, as it’s closely related to our next question, but the main takeaway here is that an organization’s data is hosted in a way that makes it completely inaccessible to other individuals or organizations.

Does Salesforce Have a Disaster Recovery Plan?

Salesforce has an extremely comprehensive data recovery plan, found here. The way they store data reflects best practices for data recovery, having separate but identical copies to back data up (i.e., data redundancy).

For Canadian Salesforce users:

  • Each customer’s org is hosted from a primary and secondary site, with near real-time replication (cloud-based full backups) occurring between the two sites.
  • An individual customer’s data will be stored in two co-located data centers, with one acting as the primary location and the other as the fully contingent secondary site.
  • This Canadian public cloud instance allows personal information to be uploaded and hosted exclusively in Canada — and has been assessed by the Government of Canada for security processes and controls.

For US Salesforce users, data is stored in the US, in multiple, geographically diverse data centers.

  • Instances are replicated in near real-time across two or more availability zones in completely redundant, separate locations.
  • Salesforce regularly switches sites between locations for maintenance, compliance, and disaster recovery purposes.
  • US-specific certifications and compliance information can be found in the certification and attestation portion of this blog.

Why is all of this important? It lowers the costs associated with disaster recovery and gives organizations fully redundant backups of their data.

Overall Salesforce Safety and Data Security

As for overall data security, Salesforce user data is encoded in session ID cookies to avoid being compromised. Salesforce also enforces MFA (multi-factor authentication), has handy flags that pop up if a user is doing something that poses a security risk, and adheres to high security and data protection standards across all of its products.

If you would like to review any aspect of your organization’s Salesforce solution, have questions about Salesforce or Salesforce security that we didn’t cover in this blog, or need assistance finding the right solution for your organization, contact us.