Security is a multidimensional business imperative that demands consideration at every level, from security for applications to physical facilities and network security. In addition to the latest technologies, world-class security requires ongoing adherence to best-practice policies. To ensure this adherence, we continually update relevant third-party certifications, including ISO 27001, the SysTrust audit (the recognized standard for system security), SSAE16/ISAE 3402 SOC-1 (the standard attestation for internal corporate controls), and the German TÜV audit.
Protection at the Application Level
We protect your data by ensuring that only authorized users can access it. Administrators assign data security rules that determine which data users can access. Sharing models define company-wide defaults and data access based on a role hierarchy. All data is encrypted in transfer. All access is governed by strict password security policies. All passwords are stored in MD-5 hash format. Applications are continually monitored for security violation attempts.
Protection at the Datacenter Level
Salesforce.com security standards are on par with the best civilian data centers in the world, including the world’s most security-conscious financial institutions. Authorized personnel must pass through five levels of biometric scanning to reach the system cages. All buildings are completely anonymous, with bullet-resistant exterior walls and embassy-grade concrete posts and planters around the perimeter. All exterior entrances feature silent alarm systems that notify law enforcement in the event of suspicion or intrusion. Data is backed up to disk and to tape, with tape providing a second level of physical protection. Neither disks nor tapes ever leave the data center.
Protection at the Network Level
Multilevel security products from leading security vendors and proven security practices ensure network security. Perimeter firewalls and edge routers block unused protocols, and internal firewalls segregate traffic between the application and database tiers. Intrusion detection sensors throughout the internal network report events to a security event management system for logging, alerts, and reports. All networks are certified through third-party vulnerability assessment programs.
Backup & Recovery
All customer data is stored in secure data centers and is replicated over secure links to a disaster recovery data center. This design provides the ability to rapidly restore service in the case of a catastrophic loss. In addition to these disaster-recovery capabilities, customer data is also backed up to tape in a separate data center. Tapes are not transported offsite from this data center, reducing the risk of loss. Load-balanced networks, pools of application servers, and clustered databases are features of the highly scalable and redundant infrastructure design.
Can these Companies go wrong?
Many Salesforce.com and IPfolio customers are global corporations from industries where security and data privacy are particularly critical, such as Financial Services. A number of IT companies whose names are synonymous for network and internet security have also been Salesforce customers for many years.
We recognize that you will have additional questions about security, beyond the basics covered here. Please visit trust.salesforce.com for more information about the policies, practices and technologies in place to protect your data.