Salesforce.com Tools That Support Privacy Compliance
Salesforce.com recognizes that many of our customers are subject to at least some privacy-related laws that govern the handling of personal information. We seek to support our customers' compliance with such laws by providing a comprehensive privacy and security program that includes certifications, policies, practices, people, and technology.
Certifications
Salesforce.com has comprehensive privacy and security assessments and certifications performed by multiple third parties.
- Geographical Recognition
- Global Audit Compliance
Policies
Salesforce.com has privacy and security-conscious policies that apply to all of our information handling practices.
- Contractual Privacy Protection for Customers
- Salesforce.com's contracts include confidentiality provisions that prohibit us from disclosing customer confidential information, including customer data, except under certain narrowly defined circumstances, such as when required by law.
- Salesforce.com agrees not to access customers' accounts, including customer data, except to maintain the service, to prevent or respond to technical or service problems, at a customer's request in connection with a customer support issue, or where required by law.
- Code of Conduct, Confidentiality Agreements, and Information Security Policies
- Every salesforce.com employee and contractor must follow salesforce.com's code of conduct, sign confidentiality agreements, and follow salesforce.com's information security policies.
- Privacy Statement
- For information collected on salesforce.com's Web site, salesforce.com provides assurances around the types of information collected, how that information may be used, and how that information may be shared.
- Salesforce.com offers individuals the opportunity to manage their receipt of marketing and other non-transactional communications.
- Salesforce.com offers individuals the opportunity to update or change the information they provide.
Practices
Salesforce.com's comprehensive privacy and security program includes communicating with personnel and customers about current issues and best practices.
- Internal Training and Communications for Salesforce.com Personnel
Salesforce.com regularly communicates with our personnel about our obligation to safeguard confidential information, including customer data and personal information.
- Salesforce.com provides classroom training around confidentiality, privacy, and information security for all new employees during its monthly new hire orientation.
- All salesforce.com personnel are required to complete an annual privacy and security training and are tested on the materials presented.
- Salesforce.com communicates with all personnel about privacy and information security awareness through monthly newsletters.
- Customer End User Awareness
Salesforce.com strongly encourages all of our customers and users to adopt industry-standard solutions to secure and protect their authentication credentials, networks, servers, and computers from security attacks.
- We communicate with our customers about current issues and trends through our Trust web site.
- We email end users about specific security issues when warranted.
- We publish a Security Implementation Guide for customers to learn more about how to implement customer-controlled security settings. The Security Implementation Guide is available in the Help & Training section of the salesforce.com service.
- We offer customers a complimentary AppExchange program that enables them to evaluate their use of our customer-controlled security settings.
- The Security section of the Trust Web site includes a security webinar and various security-related white papers.
- We offer security-related sessions at our annual conference, Dreamforce.
People
Salesforce.com has multiple organizations, teams, and individuals responsible for security and security-related matters. The Chief Trust Officer is responsible for salesforce.com's security program and personnel, including information, product, and corporate security, enterprise risk management, and technology audit & compliance. The Global Privacy Counsel is responsible for salesforce.com's privacy program, including compliance with applicable privacy and data-protection laws. Additionally, all salesforce.com personnel are required to follow salesforce.com's confidentiality, privacy, and information security policies.
Technology
Salesforce.com maintains a comprehensive array of technical measures to protect the salesforce.com service and offers a robust set of customer-controlled settings to further heighten privacy and security protection.
- Default Privacy and Security Features
- Application features that protect customer data:
- Connection to the salesforce.com service is via secure socket layer/transport layer security (SSL/TLS), ensuring that our customers have a secure connection to their data. Individual user sessions are uniquely identified and re-verified with each transaction.
- Customers' passwords are not accessible by salesforce.com personnel.
- Application logs record the creator, last updater, timestamps, and originating IP address for every record and transaction completed.
- Logical separation of customer data:
- Hardware and software configurations are designed to provide secure logical separations of customer data that permit each customer to view only its related information.
- Multitenant security controls include unique, non-predictable session tokens, configurable session timeout values, password policies, sharing rules, and user profiles.
- The salesforce.com service supports delegated authentication.
- Network security measures:
- Multiple layers of external firewalls
- Intrusion-detection sensors
- Security event management system
- Continuous external vulnerability scanning
- Redundancy and Scalability
The salesforce.com service is highly scalable and redundant, allowing for fluctuation in demand and expansion of users while greatly reducing the threat of long-term outages. Load-balanced networks, pools of application servers, and clustered databases are features of our design.
- Disaster Recovery
All customer data is stored in secure data centers and is replicated over secure links to a disaster recovery data center. This design provides the ability to rapidly restore the salesforce.com service in the case of a catastrophic loss.
- Backups
In addition to our disaster-recovery capabilities, customer data is also backed up to tape in a separate data center. Tapes are not transported offsite from this data center, reducing the risk of loss.
- Customer-Controlled Privacy and Security Settings
- Customers may determine which of their respective designees can access different categories of data.
- Customers may set customizable password rules.
- Customers may define log-off times for inactivity.
- By default, salesforce.com's Identity Confirmation feature automatically recognizes whether a user is logging in from an IP address or device that has been previously used. Unrecognized IP addresses or devices prompt identity re-verification.
- Customers may enable salesforce.com's IP Range Restrictions feature, which lets them restrict the range of IP addresses from which their designees may log in. The "Restricting Login Ranges for Your Organization" section of the Salesforce User Guide is available to customers in the Help & Training section of the salesforce.com service.
- Customers may create custom fields that are encrypted in storage for sensitive information types. The "About Encrypted Custom Fields" section of the Salesforce User Guide is available to customers in the Help & Training section of the salesforce.com service.
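The Identity Confirmation and IP Range Restrictions items above describe two login controls that interact: the range restriction is a hard deny, while an unrecognized IP address or device only escalates the login to re-verification. The following model is an added illustration, not Salesforce's code or API; the class, its methods, and the sample addresses and device IDs are constructed, and it assumes that either a previously seen IP address or a previously seen device is enough to skip re-verification.

```python
"""Illustrative model of two customer-controlled login controls:
IP Range Restrictions (reject logins outside configured ranges) and
Identity Confirmation (re-verify logins from an unrecognized IP or device).
Added example; not Salesforce's implementation. Names and values are constructed."""
import ipaddress
from typing import Iterable, Set, Tuple

ALLOW, VERIFY, DENY = "allow", "verify", "deny"


class LoginPolicy:
    def __init__(self, login_ranges: Iterable[str] = ()):
        # IP Range Restrictions: an empty list means no restriction is configured.
        self.ranges = [ipaddress.ip_network(r, strict=False) for r in login_ranges]
        # Identity Confirmation state: (user, ip) and (user, device) pairs seen before.
        self.known_ips: Set[Tuple[str, str]] = set()
        self.known_devices: Set[Tuple[str, str]] = set()

    def _in_range(self, addr: ipaddress._BaseAddress) -> bool:
        return not self.ranges or any(addr in net for net in self.ranges)

    def evaluate(self, user: str, ip: str, device_id: str) -> str:
        """Return ALLOW, VERIFY or DENY for a login attempt."""
        addr = ipaddress.ip_address(ip)
        if not self._in_range(addr):
            return DENY  # range restriction is evaluated first and is absolute
        if (user, ip) in self.known_ips or (user, device_id) in self.known_devices:
            return ALLOW  # recognized IP or device: no re-verification needed
        return VERIFY  # unrecognized: prompt identity re-verification

    def confirm_identity(self, user: str, ip: str, device_id: str) -> None:
        """Record the IP and device once the user has passed re-verification."""
        self.known_ips.add((user, ip))
        self.known_devices.add((user, device_id))


if __name__ == "__main__":
    # Constructed sample: only the 203.0.113.0/24 documentation range may log in.
    policy = LoginPolicy(["203.0.113.0/24"])
    print(policy.evaluate("alice", "203.0.113.10", "dev-1"))  # verify (first login)
    policy.confirm_identity("alice", "203.0.113.10", "dev-1")
    print(policy.evaluate("alice", "203.0.113.11", "dev-1"))  # allow (known device)
    print(policy.evaluate("alice", "198.51.100.5", "dev-1"))  # deny (outside range)
```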