Data we hold
The catalog of your Salesforce metadata — field names, data types, descriptions, usage graph. We do NOT store: passwords, API keys, row-level data, or personally identifying records in your Salesforce org.
Data residency
You pick US (us-east-1) or EU (eu-central-1) at setup. Data does not cross regions. Data-residency choice is enforced at the storage layer; there are no fallbacks.
Encryption
All data is encrypted in transit (TLS 1.3) and at rest (AES-256). Database-level column encryption for any cached sample values. Keys are rotated quarterly.
Access control
Every internal access is MFA-gated, role-scoped, and logged. Customer data is isolated per-org; staff access requires a customer-ticket link.
Audit log
Every write action is signed with HMAC and chained via a Merkle-style hash. You can export the chain and verify it independently. Growth retains 1 year, Enterprise 7 years.
Incident response
15-minute paging, 24-hour public disclosure commitment for confirmed breaches. We run quarterly tabletop exercises with our infra and customer-success teams.
Subprocessors
AWS (us-east-1, eu-central-1), Stripe (billing), Postmark (transactional email), OpenAI (description generation — no data retention enabled). Full list on the Trust portal.