Security

World-Class Security at Every Level

Security is critical for any organization—failures can have devastating consequences for a company and its customers. As a result, companies spend enormous resources to protect their data and networks.

But salesforce.com does more. Independent audits confirm that our data security goes far beyond what most companies have been able to achieve for themselves. Using the latest firewall protection, intrusion detection systems, SSL encryption, and proprietary security products, salesforce.com gives you the peace of mind that only a world-class security infrastructure can provide.

Security is a multidimensional business imperative that demands to be considered at every level, from security for applications to physical facilities to network security. In addition to the latest technologies, world-class security requires ongoing adherence to best-practice policies. To ensure this adherence, we continually seek relevant third-party certification—salesforce.com has completed the SysTrust audit, the recognized standard for system security, and SysTrust SAS 70 Type II, an attestation for internal corporate controls.

 
Protection at the Application Level

Salesforce.com protects customer data by ensuring that only authorized users can access it.

  • Administrators assign data security rules that determine which users have access to which data. Sharing models define company-wide defaults and data access based on a role hierarchy.
  • All data is encrypted in transfer, all access is governed by strict password security policies, and all passwords are stored in MD5 hash format.
  • Applications are continually monitored for security violation attempts.

 
Protection at the Facilities Level

Salesforce.com security standards are on par with the best civilian data centers in the world, including the world’s most security-conscious financial institutions.

  • Authorized personnel must pass through five levels of biometric scanning to reach the salesforce.com system cages.
  • All buildings are completely anonymous, with bullet-resistant exterior walls and embassy-grade concrete posts and planters around the perimeter.
  • All exterior entrances feature silent alarm systems that notify law enforcement in the event of suspicion or intrusion.
  • Data is backed up to disk and to tape, with tape providing a second level of physical protection. Neither disks nor tapes ever leave the data center.

 
Protection at the Network Level

Multilevel security products from leading security vendors and proven security practices ensure network security.

  • To prevent malicious attacks through unmonitored ports, external firewalls allow only HTTP and HTTPS traffic on ports 80 and 443, along with ICMP traffic.
  • Switches ensure that the network complies with the RFC 1918 standard, while address translation technologies further enhance network security.
  • IDS sensors protect all network segments.
  • Internal software systems are protected by two-factor authentication, along with the extensive use of technology that controls points of entry.
  • All networks are certified through third-party vulnerability assessment programs.

 

For more information about security for salesforce.com products, download the white paper, "The Seven Standards of Service Delivery."