System and Organization

Controls (SOC1) Type 2

Salesforce Services
Report on Management’s Description of
salesforce.com, inc.’s Salesforce Services’
Covered Services System on the Suitability of
Design and Operating Effectiveness of Controls

For the Period November 1, 2020 to April 30, 2021

Table of Contents

Section I: salesforce, inc.’s Management Assertion .............................................................. 1

Section II: Independent Service Auditor’s Assurance Report ............................................... 4
Section III: Report on Management’s Description of salesforce.com, inc.’s
Salesforce Services’ Covered Services System on the Suitability of
Design and Operating Effectiveness of Controls For the Period
November 1, 2020 to April 30, 2021 ...................................................................... 8
Overview of Operations ........................................................................................ 9
Salesforce Corporate Services Controls ............................................................. 9
Principal Service Commitments and System Requirements ............................ 10
Description of Covered Services........................................................................ 11
Overview of Salesforce Services’ Covered Services Architecture .................. 21
Services Provided by Subservice Organizations Excluded From the
Scope of the Examination ............................................................................. 21
Locations and Infrastructure .............................................................................. 22
Software ............................................................................................................... 23
People .................................................................................................................. 23
Procedures .......................................................................................................... 25
Customer Data ..................................................................................................... 26
System Incident Disclosures .............................................................................. 26
Relevant Changes ............................................................................................... 26
Relevant Aspects of the Control Environment, Risk Management,
Monitoring, and Information and Communication ......................................... 27
Control Environment ........................................................................................ 27
Control Activities................................................................................................. 28
General Information Systems Controls ............................................................ 28
Physical Security ............................................................................................. 29
Vendor Audit Program ..................................................................................... 29
Logical Security ............................................................................................... 29
Network Architecture and Management ........................................................... 32
Product Security .............................................................................................. 34
Threat and Vulnerability Management ............................................................. 34
Encryption ....................................................................................................... 35
Change Management ...................................................................................... 35
Service Monitoring ........................................................................................... 38
 Security Monitoring .......................................................................................... 38
Incident Management ...................................................................................... 38
Backup, Recovery, and System Availability ..................................................... 39
Customer Control Responsibilities and Considerations .................................. 40
Complementary Subservice Organization Controls ......................................... 42
Controls expected to be implemented at Salesforce Corporate
Services........................................................................................................ 43
Controls expected to be implemented at other Salesforce Services
Subservice Organizations ............................................................................. 44
Control Objectives and Related Controls .......................................................... 45
Section IV: salesforce.com, inc.’s Control Objectives, Related Controls, and
EY’s Test Procedures and Results..................................................................... 46
Testing Performed and Results of Tests of Entity Level Controls ................... 47
Control Objectives and Related Controls for Systems and
Applications ...................................................................................................... 47
Procedures Performed for Assessing the Completeness and
Accuracy of Information Provided by the Entity ............................................ 47
Control Objectives Summary ............................................................................. 48
Control Objective 1: Physical Security ............................................................. 49
Control Objective 2: Logical Security ............................................................... 50
Control Objective 3: Network Architecture and Management ........................... 60
Control Objective 4: Application Change Management .................................... 62
Control Objective 5: Incident Management ...................................................... 63
Control Objective 6: Backup and Recovery ...................................................... 65
Control Objective 7: Infrastructure Change Management ................................ 67
Section V: Other Information Provided by salesforce .......................................................... 69
Management Responses to Exceptions Identified ............................................ 70
Glossary of Terms ............................................................................................... 72
Section I: salesforce, inc.’s
Management Assertion
 salesforce.com, inc.’s Management Assertion

We have prepared the description of salesforce.com, inc.’s system entitled, Report on Management’s
Description of salesforce.com, inc.’s Salesforce Services’ Covered Services System on the Suitability of
Design and Operating Effectiveness of Controls For the Period November 1, 2020 to April 30, 2021
(Description) for user entities of the system during some or all of the period November 1, 2020 to April 30,
2021, and their auditors who audit and report on such user entities’ financial statements or internal control
over financial reporting and have a sufficient understanding to consider the Description, along with other
information, including information about controls implemented by subservice organizations and user entities
of the system themselves, when assessing the risks of material misstatements of user entities’ financial
statements.

salesforce.com, inc. uses subservice organizations specified in Section III to provide the specified functions.
The description includes only the control objectives and related controls of salesforce.com, inc.’s Salesforce
Services’ Covered Services System and excludes the control objectives and related controls of the
subservice organizations. The description also indicates that certain control objectives specified in the
description can be achieved only if complementary subservice organization controls assumed in the design
of our controls are suitably designed and operating effectively, at the subservice organizations along with
the related controls of salesforce.com, inc.’s Salesforce Services’ Covered Services System. The
description does not extend to controls of the subservice organizations.

The description indicates that certain control objectives specified in the description can be achieved only if
complementary user entity controls assumed in the design of salesforce.com, inc.’s controls are suitably
designed and operating effectively, along with related controls at the service organization. The description
does not extend to controls of the user entities.

We confirm, to the best of our knowledge and belief, that:

a. The Description fairly presents the Salesforce Services’ Covered Services system (System) made
available to user entities of the System during some or all of the period November 1, 2020 to
April 30, 2021 as it relates to controls that are likely relevant to user entities’ internal control over
financial reporting. The criteria we used in making this assertion were that the Description:

(1) Presents how the System made available to user entities of the system was designed and
implemented to process relevant transactions, including, if applicable:

● The types of services provided, including, as appropriate, the classes of transactions

processed.

● The procedures, within both automated and manual systems, by which those services
are provided, including, as appropriate, procedures by which transactions are initiated,
authorized, recorded, processed, corrected as necessary, and transferred to the reports
and other information prepared for user entities of the System.

● The information used in the performance of the procedures including, if applicable,

related accounting records, whether electronic or manual, and supporting information
involved in initiating, authorizing, recording, processing and reporting transactions; this
includes the correction of incorrect information and how information is transferred to the
reports prepared for user entities.

Salesforce Services | 2
 ● How the System captures and addresses significant events and conditions, other than
transactions.

● The process used to prepare reports and other information for user entities.

● Services performed by a subservice organization, if any, including whether the carve-out

method or the inclusive method has been used in relation to them.

● The specified control objectives and controls designed to achieve those objectives,
including, as applicable, complementary user entity controls and complementary
subservice organization controls assumed in the design of the service organization’s
controls.

● Other aspects of our control environment, risk assessment process, information and
communication systems (including the related business processes), control activities,
and monitoring activities that are relevant to the services provided, including processing
and reporting transactions of user entities.

(2) Includes relevant details of changes to the service organization’s system during the period
covered by the Description.

(3) Does not omit or distort information relevant to the service organization’s System, while
acknowledging that the Description is prepared to meet the common needs of a broad range
of user entities of the System and their user auditors, and may not, therefore, include every
aspect of the System that each individual user entity of the System and its user auditor may
consider important in the user entity’s own particular environment.

b. The controls related to the control objectives stated in the Description were suitably designed and
operated effectively throughout the period November 1, 2020 to April 30, 2021 to achieve those
control objectives, if subservice organizations applied the complementary subservice organization
controls and user entities applied the complementary user entity controls assumed in the design of
salesforce.com, inc.’s controls throughout the period November 1, 2020 to April 30, 2021. The
criteria we used in making this assertion were that

(1) The risks that threaten the achievement of the control objectives stated in the Description have
been identified by management of the service organization.

(2) The controls identified in the Description would, if operating as described, provide reasonable
assurance that those risks would not prevent the control objectives stated in the Description
from being achieved if subservice organizations applied the complementary subservice
organization controls and user entities applied the complementary user entity controls assumed
in the design of salesforce.com, inc.’s controls throughout the period November 1, 2020 to April
30, 2021, and

(3) The controls were consistently applied as designed, including whether manual controls were
applied by individuals who have the appropriate competence and authority.

salesforce.com, inc.

Salesforce Services | 3
Section II: Independent Service
Auditor’s Assurance Report
 Ernst & Young LLP Tel: +1 415 894 8000
Suite 1600 Fax: +1 415 894 8099
560 Mission Street ey.com
San Francisco, CA 94105-2907

Independent Service Auditor’s Assurance Report

To the Board of Directors of salesforce.com, inc.:

Scope

We have examined salesforce.com, inc.’s description entitled “Report on Management’s Description of

salesforce.com, inc.’s Salesforce Services’ Covered Services System on the Suitability of Design and
Operating Effectiveness of Controls For the Period November 1, 2020 to April 30, 2021” (Description) of its
Salesforce Services’ Covered Services system (System) and the suitability of the design and operating
effectiveness of controls described therein to achieve the related control objectives stated in the Description
(Control Objectives), based on the criteria identified in salesforce.com, inc.’s Management Assertion
(Assertion). The Control Objectives and controls included in the Description are those that management of
salesforce.com, inc. believes are likely to be relevant to user entities’ internal control over financial
reporting, and the Description does not include those aspects of the System that are not likely to be relevant
to user entities’ internal control over financial reporting.

The Description indicates that certain Control Objectives can be achieved only if complementary user entity
controls assumed in the design of salesforce.com, inc.’s controls are suitably designed and operating
effectively, along with related controls at the service organization. Our examination did not extend to such
complementary user entity controls, and we have not evaluated the suitability of the design or operating
effectiveness of such complementary user entity controls.

salesforce.com, inc. uses the carved-out subservice organizations identified in Section III to perform the
specified functions. The Description includes only the Control Objectives and related controls of
salesforce.com inc.’s Salesforce Services’ Covered Services system and excludes the control objectives
and related controls of the carved-out subservice organizations. The description also indicates that certain
Control Objectives specified by salesforce.com, inc. can be achieved only if complementary subservice
organization controls assumed in the design of salesforce.com, inc.’s controls are suitably designed and
operating effectively, along with the related controls at salesforce.com, inc. Our examination did not extend
to such complementary controls of the carved-out subservice organizations, and we have not evaluated the
suitability of the design or operating effectiveness of such complementary subservice organization controls.

The information included in Section V - Other Information Provided by salesforce.com, inc. is presented by
management of salesforce.com, inc. to provide additional information and is not a part of salesforce.com,
inc.’s Description and has not been subjected to the procedures applied in our examination of the
description of the System and of the suitability of the design and operating effectiveness of controls to
achieve the related Control Objectives, and, accordingly we express no opinion on it.

salesforce.com, inc.’s responsibilities

salesforce.com, inc. has provided the accompanying assertion titled, salesforce.com, inc.’s Management
Assertion (Assertion) about the fairness of the presentation of the Description and suitability of the design
and operating effectiveness of the controls described therein to achieve the related Control Objectives.
salesforce.com, inc. is responsible for preparing the Description and Assertion, including the completeness,
accuracy, and method of presentation of the Description and Assertion, providing the services covered by
the Description, specifying the Control Objectives and stating them in the Description, identifying the risks

|5
A member firm of Ernst & Young Global Limited
that threaten the achievement of the Control Objectives, selecting the criteria stated in the Assertion, and
designing, implementing, and documenting controls that are suitably designed and operating effectively to
achieve the related Control Objectives.

Service auditor’s responsibilities

Our responsibility is to express an opinion on the fairness of the presentation of the Description and on the
suitability of the design and operating effectiveness of the controls described therein to achieve the related
Control Objectives, based on our examination. Our examination was conducted in accordance with
attestation standards established by the American Institute of Certified Public Accountants. Our
examination was also performed in accordance with International Standard on Assurance
Engagements 3402, Assurance Reports on Controls at a Service Organization, issued by the International
Auditing and Assurance Standards Board. Those standards require that we plan and perform our
examination to obtain reasonable assurance about whether, in all material respects, based on the criteria
in management’s Assertion, the Description is fairly presented and the controls were suitably designed and
operating effectively to achieve the related Control Objectives throughout the period November 1, 2020 to
April 30, 2021. We believe that the evidence we have obtained is sufficient and appropriate to provide a
reasonable basis for our opinion.

An examination of a description of a service organization’s system and the suitability of the design and
operating effectiveness of controls involves:

• Performing procedures to obtain evidence about the fairness of the presentation of the Description
and the suitability of the design and operating effectiveness of the controls to achieve the related
Control Objectives, based on the criteria in management’s Assertion.

• Assessing the risks that the Description is not fairly presented and that the controls were not
suitably designed or operating effectively to achieve the related Control Objectives.

• Testing the operating effectiveness of those controls that management considers necessary to
provide reasonable assurance that the related Control Objectives were achieved.

• Evaluating the overall presentation of the Description, the suitability of the Control Objectives, and
the suitability of the criteria specified by the service organization in the Assertion.

Service auditor’s independence and quality control

We have complied with the independence and other ethical requirements set forth in the Preface: Applicable
to All Members and Part 1 - Members in Public Practice of the Code of Professional Conduct established
by the AICPA and applied the AICPA’s Statements on Quality Control Standards.

Inherent limitations

The Description is prepared to meet the common needs of a broad range of user entities and their auditors
who audit and report on user entities’ financial statements and may not, therefore, include every aspect of
the System that each individual user entity may consider important in its own particular environment.
Because of their nature, controls at a service organization may not prevent, or detect and correct, all
misstatements in processing or reporting transactions. Also, the projection to the future of any evaluation

|6
A member firm of Ernst & Young Global Limited
of the fairness of the presentation of the Description, or conclusions about the suitability of the design or
operating effectiveness of the controls to achieve the related Control Objectives, is subject to the risk that
controls at a service organization may become ineffective.

Description of tests of controls

The specific controls tested and the nature, timing, and results of those tests are listed in the accompanying
Section IV - salesforce.com, inc.’s Control Objectives, Controls, and EY’s Test Procedures and Results
(Description of Tests and Results).

Opinion

In our opinion, in all material respects, based on the criteria described in salesforce.com, inc.’s Assertion:

a. The Description fairly presents the System that was designed and implemented throughout the
period November 1, 2020 to April 30, 2021.

b. The controls related to the Control Objectives were suitably designed to provide reasonable
assurance that the Control Objectives would be achieved if the controls operated effectively
throughout the period November 1, 2020 to April 30, 2021 and if subservice organizations and user
entities applied the complementary controls assumed in the design of salesforce.com, inc.’s
controls throughout the period November 1, 2020 to April 30, 2021.

c. The controls operated effectively to provide reasonable assurance that the Control Objectives were
achieved throughout the period November 1, 2020 to April 30, 2021 if complementary subservice
organization and user entity controls assumed in the design of salesforce.com, inc.’s controls
operated effectively throughout the period November 1, 2020 to April 30, 2021.

Restricted use

This report, including the description of tests of controls and results thereof in the Description of Tests and
Results, is intended solely for the information and use of management of salesforce.com, inc., user entities
of salesforce.com, inc.’s System during some or all of the period November 1, 2020 to April 30, 2021, and
their auditors who audit and report on such user entities’ financial statements or internal control over
financial reporting and have a sufficient understanding to consider it, along with other information, including
information about controls implemented by user entities themselves, when assessing the risks of material
misstatements of user entities’ financial statements. This report is not intended to be, and should not be,
used by anyone other than these specified parties.

June 24, 2021

|7
A member firm of Ernst & Young Global Limited
 Section III: Report on Management’s
Description of salesforce.com, inc.’s
Salesforce Services’ Covered Services
System on the Suitability of Design and
Operating Effectiveness of Controls For the
Period November 1, 2020 to April 30, 2021
Overview of Operations
Salesforce.com, inc. (Salesforce or the Company), headquartered in San Francisco, California, is an
enterprise cloud computing company that provides an integrated customer relationship management
platform through various products and services. These products and services (Services) include solutions
for enhancing customer success through sales, service, marketing, commerce, engagement, integration,
analytics, enablement, and productivity, among others.

Salesforce is committed to achieving and maintaining the trust of its customers. Integral to this mission is
providing a robust security and privacy program that carefully considers data protection matters across our
suite of Services, including data submitted by customers to the Services.

The scope of this report includes the Services that host “Customer Data” (as defined within our Master
Subscription Agreement (MSA), which is available from our publicly facing website:
https://www.salesforce.com/content/dam/web/en_us/www/documents/legal/salesforce_MSA.pdf) and the
software described in the table below (collectively and for purposes of this document only, “Salesforce
Services’ Covered Services system” or “Covered Services”).

Salesforce provides services to companies of all sizes via a multi-tenant cloud based solution. The solution
is a collection of application development, deployment, and hosting services. These services allow
customers the ability to purchase, use, and customize Salesforce-deployed applications or use platform
capabilities to develop their own applications. With a multi-tenant platform, each organization that uses the
application uses a set of shared resources. Organizations share a common codebase and their applications
can be customized for their specific needs.

Customers can store data and documents, integrate their services with other applications, perform their
own reporting, analytics, and scale up or down with high availability and security. There are customers
worldwide who use Salesforce for managing their sales, marketing, customer support, and various other
business operations.

Salesforce Corporate Services Controls

In addition to the Salesforce Services’ Covered Services system report (as defined below), this report
should be reviewed in conjunction with the Salesforce Corporate Services report for details regarding the
domains where the Salesforce Services’ Covered Services system relies on corporate controls and
processes. Salesforce Corporate Services teams are responsible for all or a portion of the following
domains:

• Salesforce Board of Directors

• Hiring Practices and Staff Development

• Security Awareness and Training

• Risk Management

• Monitoring of Internal Controls

• Physical Security

• Environmental Safeguards

Salesforce Services | 9
 • Vendor Audit Program

• Logical Security

• Corporate IT Network Architecture and Management

• Endpoint Protection

• Product Security

• Threat and Vulnerability Management

• Security Monitoring

• Incident Management

• Contingency Planning and Business Continuity

The above domains are covered as part of the Salesforce Corporate Services SOC report, which covers
common controls, services and oversight across Services offered by Salesforce.

Principal Service Commitments and System Requirements

Salesforce leverages advanced technologies along with the administrative, technical, and physical controls
to ensure the security, confidentiality, and availability of the Salesforce Services’ Covered Services system.
Salesforce’s Trust and Compliance commitments to customers are communicated via MSAs, the Service
Level Agreements (SLA) detailed in the MSAs and the online Security, Privacy, and Architecture (SPARC)
documentation. Together these documents define the broad set of Trust and Compliance commitments,
including, but not limited to:

• Service availability

• Architecture and data segregation

• Security controls

• Security policies and standards

• Security logging

• Incident management

• User authentication

• Physical security

• Reliability and backup

• Disaster recovery

• Data encryption

• Deletion of Customer Data

Salesforce Services | 10
The Salesforce Services SPARC documents are managed and updated through collaboration of the
Security Governance, Risk, and Compliance (GRC) team, the Product Legal team, and the Information
Management team. The Salesforce Services SPARC documents are reviewed and updated at least
annually and as needed. The Trust and Compliance commitments for the Salesforce Services’ Covered
Services system that form the basis for the description of the controls herein are defined in the Salesforce
Services SPARC document published February 18, 2021.

Description of Covered Services

Salesforce Services is responsible for components of infrastructure (i.e., software that comprise the
Salesforce Services’ Covered Services system infrastructure), data security, data storage, and service
management processes (i.e., the operation and management of the infrastructure, system, and software
engineering life cycles).

This report covers the general information system controls related to the Salesforce Services’ Covered
Services system described below:

Service Name Service Description

Sales Cloud Sales Cloud is a cloud-based application designed to help salespeople sell
more effectively by centralizing customer information, logging interactions with
the company, and automating many of the tasks salespeople do every day.

Sales Cloud enables collaboration across a global organization, including social

intelligence (e.g., Twitter, LinkedIn), and supports secure sharing and
publishing of files, including search capabilities.

Service Cloud Salesforce’s enterprise CRM applications for customer service, Service Cloud
allows customers to provide customized support to their customers and
manage customer accounts and interactions via phone, email, mobile
messaging, and social media channels. Questions and comments from social
media channels can become part of a case queue, and customers can easily
collaborate using mobile devices. Information from online profiles can be used
to deliver customized responses. Service Cloud applications can be fully
integrated with a company’s call-center telephony and back-office applications.
Service Cloud has many features that are included within the scope of this
report including, but not limited to, the live chat feature Chat (formerly Live
Agent) and Lightning Scheduler.

Salesforce Mobile The Salesforce app is Salesforce on a mobile device. This enterprise-class
App (iOS/Android) mobile experience gives users real-time access to the same information users
see on their desktop, but in a convenient mobile experience.

Experience Cloud Salesforce Experience Clouds are branded spaces where user employees,
(formerly branded as customers, and partners can share information and collaborate. Users can
Community Cloud) customize and create communities to meet their business needs, then
transition seamlessly between them. Multiple communities can be created
within the user organization for different purposes.

Salesforce Services | 11
Service Name Service Description
Chatter Chatter extends the platform capabilities by offering users real-time enterprise
collaboration and communication capabilities. Chatter allows users to instantly
interact through profiles, groups, status updates, feeds, content sharing, and
app updates. With Chatter, users can also share documents securely and
engage each other socially. Chatter is private for the user’s instance of
Salesforce, and any content in Chatter is only shared with users of that
organization. The role-based sharing model and user permissions implemented
for the user’s instance of the platform apply to Chatter. Users and
administrators use the same web interface to access application functionality,
but the security controls reside at the platform level.

Lightning Platform The Lightning Platform, which excludes Lightning Platform Developer Edition
(including and its associated products and services that are provided for free, is a
Force.com) Platform as a Service (PaaS) delivery model that allows customers to develop
custom applications and sites using predefined programming languages and by
customizing Salesforce developed application templates and system objects.
The Lightning Platform enables developers to customize and deploy business
applications entirely on-demand by developing custom code (e.g., using Apex).
The platform also includes easy-to-use, point-and-click customization tools to
help customers create solutions for unique business requirements, without any
programming experience.

The Covered Services also include Salesforce Connect, which is a feature of

Lightning Platform. All data presented in Salesforce Connect is retrieved real-
time by Salesforce Connect from external data sources and is not copied into
the Customer’s org.

Site.com The Site.com platform supports the creation of a single site that can be
published as a corporate, social mobile, and micro site. Business users can edit
their own content and add or modify content by using ‘drag and drop’ features.
These changes to the site do not require a planned downtime.

Database.com The Database.com platform is a stripped-down Salesforce Platform that

provides a low-cost option for development in the cloud. It has a rich set of
Application Program Interfaces (API) that can be accessed from any modern
framework, language, or device. Customers can query their data from an
application or establish a secure stream of updates to a mobile device.

Salesforce Services | 12
Service Name Service Description
Tableau CRM Tableau CRM, which includes Einstein Discovery and Salesforce Data
(formerly Einstein Pipelines, allows customers to connect data from multiple sources and create
Analytics) (including interactive views and dashboards to share. Tableau CRM datasets contain
Einstein Discovery Salesforce data, external data, or a combination. Salesforce data can be
and Salesforce Data integrated using a dataflow, which is a reusable set of instructions that defines
Pipelines) how to extract data from Salesforce and load it into datasets. Tableau CRM
provides customers with the ability to connect Salesforce data or external data
and create custom views of datasets and dashboards. By viewing, exploring,
refining, saving, and sharing datasets and dashboards, customers can use
Tableau CRM dashboards to ultimately support data-based decisions by
presenting data in a visually tangible manner.

IoT Explorer IoT Explorer quickly and easily allows customer IoT strategies to integrate into
the Salesforce Platform, giving business strategists the opportunity to start
exploring and implementing their IoT solutions with out-of-the-box access to all
their Salesforce data.

Salesforce Surveys Salesforce Surveys is an easy to use surveys tool built natively on the
Salesforce Platform. Customers can create easy-to-use surveys for collecting
actionable insights and feedback. The survey creators can build and brand their
own surveys, send them to customers or embed them in apps or community
pages. Results of the survey are stored in the creators’ org, so they can
harness the power of Salesforce to view data, create reports and dashboards,
and share insights.

Salesforce Shield Salesforce Shield is a product offering built on the Salesforce Platform and
provides customers a means to protect their enterprise with point-and-click
tools that enhance trust, transparency, compliance, and governance across
their business-critical apps.

Salesforce Platform Encryption

As more customers use Salesforce to store personally identifiable information
(PII), sensitive, confidential, or proprietary data, they need to ensure the privacy
and confidentiality of that data to meet both external and internal data
compliance policies. Platform Encryption is designed to allow users to retain
critical app functionality - like search, workflow, and validation rules - so users
maintain full control over encryption keys and can set encrypted data
permissions to protect sensitive data from unauthorized users. Platform
Encryption allows users to natively encrypt their most sensitive data at rest
across their Salesforce apps.

Salesforce Services | 13
Service Name Service Description
Salesforce Shield Salesforce Event Monitoring
(continued) Gain access to detailed performance, security, and usage data on Salesforce
apps. Every interaction is tracked and accessible via APIs, so users can view it
in the data visualization app of their choice. See who is accessing critical
business data, when, and from where. Understand user adoption across apps.
Troubleshoot and optimize performance to improve end-user experience. Event
Monitoring data can be easily imported into any data visualization or application
monitoring tool, such as Einstein Analytics, Splunk, or FairWarning.

Salesforce Field Audit Trail

Whether for regulatory compliance, internal governance, audit, or customer
service, Field Audit Trail lets users know the state and value of their data for
any date, at any time. Built on a big data backend for massive scalability, Field
Audit Trail helps companies create a forensic data-level audit trail with up to 10
years of history, and sets triggers for when data is deleted.

WDC WDC is a suite of sales-management and service-management tools that help

managers and teams learn faster and perform better. WDC has various
features to help sales and service teams. This includes recognition tied to real
rewards, detailed goals and real-time coaching, and full-featured performance
reviews.

Since WDC is built on the same underlying Salesforce infrastructure as the

Lightning Platform, from an end user perspective WDC inherits many of the
same security features and configurable security options as the platform.
However, profiles and permissions sets must be configured for WDC features.

Industry Cloud The Salesforce Industry Cloud is built on the Salesforce Customer Success
Platform. The Industry Cloud allows enterprises to streamline workflow,
increase productivity, deliver more targeted service, and drive deeper customer
engagement. The industry-specific applications are mobile friendly and
interoperable with other of Salesforce’s Services, helping to tailor products that
meet the unique needs of specific industries. The scope for the Industry Cloud
Platform covers the solutions mentioned below:

Health Cloud
Health Cloud helps create stronger relationships between patients and care
providers, and between the providers themselves. Health Cloud is helping
providers meet the pressing new challenges of today’s healthcare industry,
while affording new opportunities to enhance the quality of care they provide to
patients. It facilitates 1:1 care through a Patient Profile offering a complete view
of information from multiple sources, including electronic health records,
medical devices, and wearables. Health Cloud engages patients on a deeper
level and on any device. Customers and patients can securely collaborate as
well as view Care Plans, connect with their providers, and get answers to
common questions quickly.

Salesforce Services | 14
Service Name Service Description
Industry Cloud Financial Services Cloud
(continued) Financial Services Cloud is an integrated platform designed to drive stronger
client relationships that last generations. Powered by Lightning, Financial
Services Cloud makes it easy for advisors to deliver a concierge level of service
with the personalized, proactive advice clients expect. With an enhanced set of
productivity and engagement features, advisors can spend less time gathering
client information and more time doing what they do best — providing holistic,
goal-based advice that puts their clients at the center of everything they do.

Manufacturing Cloud
Manufacturing Cloud delivers a new level of business visibility and collaboration
between the sales and operations organizations of a manufacturing company.
This allows them to have a better view of their customers through powerful new
sales agreements and account-based forecasting solutions, providing visibility
into their customer interactions while enabling them to generate more robust
sales forecasts.

Emergency Program Management

Speed up local stabilization and disaster relief efforts with streamlined program
management and incident resolution for residents, communities, and
government agencies.

With the Emergency Response Management for Public Sector solution, you
can:
• Accelerate responsiveness with a single view of all requests and approvals
• Empower and connect with emergency response field workers using
intuitive mobile apps
• Attain mission readiness in a matter of days with compliant service
deployment

Salesforce Services | 15
Service Name Service Description
Salesforce Configure Salesforce CPQ and Salesforce Billing are built on the Sales Cloud platform. In
Price Quote (CPQ) addition, there are related packages that add on functionality and/or
and Salesforce integrations with other systems. These packages include, but are not limited to,
Billing (together advanced approvals, payment gateway integrations, document generation
formerly branded as integrations, tax engine integrations, etc.
Quote to Cash
(QTC)) Salesforce Configure Price Quote (CPQ)
CPQ extends the standard features of Sales or Service Cloud to easily find the
right products and services with guided selling, handle complex configurations
with bundles and nested configuration, manage subscriptions, contracted
pricing, discount approvals, generate contracts and proposals, and create
orders from completed quotes.

Salesforce Billing
Billing automates and speeds up the billing and collection process with features
that let users rate usage consumption, automatically apply taxes, get the power
to easily process invoices and automate payment collection, and allows for
revenue recognition reporting.

B2B Commerce Salesforce B2B Commerce (B2BC) is built natively on Salesforce and sold into
(formerly branded as existing Sales, Service, and Experience Cloud customers. For Salesforce
CloudCraze) and customers who want to grow their business by selling products online, it gives
B2B Commerce on them the ability to provide their customers with the seamless, self-service
Lightning experience of online shopping with all the B2B functionality they demand to
Experience grow sales, reduce the cost to serve, and deploy fast.

Einstein Prediction Einstein Prediction Builder is an add-on service for the Salesforce Sales Cloud
Builder and Service Cloud product offerings. It is an AI product that Salesforce admins
can use to retrieve custom predictions based on a Customer’s own data.
Einstein Prediction Builder is graphical user interface (GUI) based and does not
require any coding or modeling by the Customer. Predictions are possible for all
custom objects and a large set of the standard objects. The actual prediction is
performed by Einstein Platform, not Salesforce platform, but this distinction is
not visible to the admin. The systems of record / sources for Customer Data are
Sales/Service Clouds.

Einstein Case Einstein Case Classification is an add-on service option for the Service Cloud
Classification product offering. Einstein Case Classification uses Einstein Platform to
(formerly branded as recommend or populate picklist and checkbox field values for new cases based
Einstein) on past data. The system of record / source for Customer Data is Service
Cloud.

Salesforce Services | 16
Service Name Service Description
Einstein Language Einstein Language creates natural language processing models to classify the
intent of text or to classify text as positive, negative, and neutral. Users can use
the Einstein Language APIs to build natural language processing into their
apps. Einstein Language includes two APIs that users can use to unlock
insights within text.
• Einstein Sentiment - Classify the sentiment of text into positive, negative,
and neutral classes to understand the feeling behind text. Users can use
the Einstein Sentiment API to analyze emails, social media, and text from
chats.
• Einstein Intent - Categorize unstructured text into user-defined labels to
better understand what users are trying to accomplish. Leverage the
Einstein Intent API to analyze text from emails, chats, or web forms.

Einstein Vision Einstein Vision is part of the Einstein Platform Services technologies. Einstein
Vision enables users to tap into the power of AI and train deep learning models
to recognize and classify images at scale. Users can use pre-trained classifiers
or train their own custom classifiers to solve unique use cases. In addition,
Einstein Vision offers OCR capabilities that can detect alphanumeric text in
images or PDF files.

Einstein Vision includes these APIs:

• Einstein Image Classification - Enables developers to train deep learning
models to recognize and classify images at scale.
• Einstein Object Detection - Enables developers to train models to recognize
and count multiple distinct objects within an image, providing granular
details like the size and location of each object.
• Einstein OCR - Enables developers to scan images or documents and
extract relevant text from a variety of common forms, tables or free form
documents.

Einstein Next Best Display the right recommendations to the right people at the right time with
Action Einstein Next Best Action. Create and display offers and actions for your users
that are tailored to meet your unique criteria. Develop a strategy that applies
your business logic to refine those recommendations. Your strategy distills your
recommendations into a few key suggestions, like a repair, a discount, or an
add-on service. Display the final recommendations in your Lightning app or
community.

Salesforce Private Salesforce Private Connect enables customers to establish private

Connect communications between Salesforce and AWS. Salesforce Private Connect
establishes the connection without exposing sensitive data traffic to the public
internet, manages the end-to-end connections and streamlines access controls.

Salesforce Services | 17
Service Name Service Description
Salesforce.org Salesforce.org is a social impact center focused on partnering with the global
community to tackle the world’s biggest problems. Salesforce.org builds
powerful technology for, and with, its community of nonprofits, schools, and
philanthropic organizations. With their guidance, the services help entities
operate effectively, raise funds, and connect. The scope of the Salesforce.org
products included in the Covered Services is below:

Nonprofit Success Pack (NPSP)

Nonprofit Success Pack (NPSP) is an open source app offered to existing
Salesforce Enterprise Licensed customers offering tools to manage programs,
donations, volunteers, and supporters - all in one place. It allows customers to
streamline fundraising processes and manage missions in real-time with pre-
configured but customizable reports and dashboards. Key features of NPSP
include:
• Constituent and Donor Management
• Donation and Grant Management
• Engagement Management
• Volunteer Management
• Reporting and Analytics
• Mobile, Social, and Cloud

Program Management Module (PMM)

Program Management Module (PMM) provides a standard framework for
nonprofits to get up and running managing programs and services. With the
free and open source PMM built alongside Salesforce’s NPSP, nonprofits can
track any type of program or service, regardless of complexity or volume.

Case Management (CM)

Built on PMM, Case Management (CM) is a product that enables a nonprofit to
track the programs and services delivered to clients who are engaging with the
organization over the long term. It contains features such as:
• Client Notes to track any updates based on interactions with clients
• Case Plans which are a means to track the client’s goals and action items
that need to be completed to work towards those goals
• Incident tracking, enabling organizations to capture any incidents the client
has been involved with
• Home Page for Case Managers to help them manage their day by
highlighting tasks to be completed today, upcoming Events, any recent
incidents, etc.
• A customized view of the Contact Record to highlight the most important
information that Case Managers need to know about their clients

Salesforce Services | 18
Service Name Service Description
Salesforce.org foundationConnect
(continued) foundationConnect is a grants management system for grant makers built on
the Salesforce constituent relationship management platform. Grant makers
can manage the entire lifecycle of philanthropic giving - from eligibility and
application, to application reviews and evaluations, all the way through grants
distribution and real-time outcome tracking. Through a portal, grantees can
search for, save, and submit grant applications, collaborate and update status
reports, and provide programmatic outcomes on an ongoing basis.

Grants Management
With Grants Management, grantmakers have a single system built off of the
Salesforce CRM to simplify and accelerate grantmaking while facilitating
greater collaboration between giver and recipient. Grants Management helps
foundations and nonprofits who disburse awards and grants a simple way to
track, manage and deliver funding programs. Grantees can easily find and
apply for grants through an additional grantee portal, engage directly with
grantmakers and share outcomes. Grantmakers can spend less time on tedious
processes that bog them down and more time driving their philanthropic
mission.

Education Data Architecture (EDA)

Developed in collaboration with partners and customers in Higher Education,
EDA is an open source, community-driven data architecture and set of
practices designed to configure Salesforce out of the box for higher education.
As the foundation of Education Cloud, EDA provides a flexible and scalable
framework to capture a 360 degree view of students from day one.

Salesforce Advisor Link

Built on EDA, Salesforce Advisor Link connects the people and systems to
empower current and incoming student success conversations across campus
by bringing student data - even legacy data - together to deliver a 360-degree
view of the student across the entire institution.

Salesforce Services | 19
Service Name Service Description
Workplace The Workplace Command Center provides a single source of truth for
Command Center managing the complexities associated with maintaining workplace and
employee safety and wellbeing. From the Workplace Command Center,
organizations can send wellness surveys and assess wellness trends to
uncover insights. Then, they can make informed decisions around workplace
operations, while keeping employee health data secure. With the Workplace
Command Center, organizations can quickly deliver custom learning to skill up
employees for new ways of working, access prebuilt content kits on best
practices, and gain data insights on employee learning. In addition,
organizations can create new capacity models to reduce office density.
Organizations can avoid large groups in common areas, office spaces, or
elevators through spatial distancing and scheduling breaks.

The Employee Wellness Check is a platform to help organizations prioritize

safety and wellbeing. Employee Wellness helps enable leaders to make
informed decisions on workplace operations by making critical employee,
workplace, and public health data accessible. Securely monitor employee
health and safety with wellness surveys.

Platform Events & Platform Events enables developers to deliver secure, scalable, and
Change Data customizable event notifications within the Salesforce platform or from external
Capture sources.

Customers use platform events to connect business processes in Salesforce

and external apps through the exchange of real-time event data. Platform
events are secure and scalable messages that contain data. Publishers publish
event messages that subscribers receive in real time.

Platform events are based on a publish-subscribe architecture, and apps can

publish platform events by using Apex or one of the Salesforce platform APIs
(SOAP, REST, or Bulk API). In addition, declarative tools such as the Lightning
Process Builder or Cloud Flow Designer can publish platform events.

Change Data Capture is a streaming product on the Lightning Platform that

enables customers to efficiently integrate Salesforce data with external
systems. With Change Data Capture, customers can receive changes of
Salesforce records in real time and synchronize corresponding records in an
external data store. Change Data Capture publishes events for changes in
Salesforce records corresponding to create, update, delete, and undelete
operations.

Salesforce Services | 20
Service Name Service Description
Salesforce Identity Salesforce Identity connects Salesforce org users with external apps and
services while providing administrative tools for monitoring, maintaining, and
reporting user apps and user authorization.

Salesforce Identity is an identity and access management (IAM) service with

the following features:
• Cloud-based user directories, so user accounts and information are stored
and maintained in one place, while available to other services or apps.
• Access management and authorization for third-party apps, including UI
integration, so a user’s apps and services are readily available.
• App user provisioning, which streamlines the process for providing and
removing access to apps to multiple users simultaneously.
• An API for viewing and managing Identity features.
• Identity event logs for creating reports and dashboards on single sign-on
(SSO) and connected app usage.

Additional services not covered by the preceding description of the Covered Services above are out of
scope of this report.

Overview of Salesforce Services’ Covered Services Architecture

The Covered Services are operated in a multitenant architecture that is designed to segregate and restrict
Customer Data access based on business needs. The architecture provides logical data separation for
different customers via customer-specific unique identifiers and allows the use of customer and user role-
based access privileges. Additional data segregation is maintained by providing separate environments for
different functions, including for testing and production.

A Point of Delivery (POD) refers to the Salesforce Services’ Covered Services system layer deployed in
secure high-availability data centers. Multiple customer environments are hosted in a single, self-contained
POD that contains all the necessary servers, network equipment (e.g., IDS, firewall, VLAN switch), and disk
storage hardware. Redundant system components and optimized design patterns maximize availability and
performance. The System Engineering group manages the PODs.

Services Provided by Subservice Organizations Excluded From the Scope of the

Examination

The Covered Services use the following Subservice Organizations in order to provide services to
customers:

Subservice Description
Organization

Salesforce Corporate level controls and services provided by company salesforce.com,

Corporate Services inc.

Salesforce Services | 21
Subservice Description
Organization

Amazon Web Infrastructure as a Service (IaaS) hosting Covered Services is provided by

Services (AWS) AWS. Data centers are in the following locations:
• Montreal, Canada
• Sydney, Australia
• Camden, Australia
• Northern Virginia, USA (Salesforce Private Connect)
• Oregon, USA (Salesforce Private Connect)

Locations and Infrastructure

Salesforce has the following key functions and locations which support the Covered Services:

Function Description
Production Production data centers are in the following locations:
Colocation Data • Ashburn, Virginia
Centers
• Manassas, Virginia
• Sterling, Virginia
• Irving, Texas
• Chicago, Illinois
• Phoenix, Arizona
• Yokohama, Japan
• Kobe, Japan
• London, United Kingdom
• Frankfurt, Germany
• Paris, France

Research and R&D data centers are in the following locations:

Development (R&D) • Phoenix, Arizona
Colocation Data
• Chicago, Illinois
Centers

Operations Support Operations support is in the following locations:

• San Francisco, California (Headquarters)
• Northern Virginia, USA
• Bellevue, Washington
• Dublin, Ireland
• Singapore, Singapore
• Sydney, Australia

Salesforce Services | 22
Function Description
Public Cloud Service Some Services have infrastructure hosted on the following public cloud service
Providers providers:
• Amazon Web Services (AWS)

Information regarding the specific infrastructure, locations, and controls is contained within the Salesforce
Services Trust and Compliance documentation on https://trust.salesforce.com/en/trust-and-compliance-
documentation/.

For details regarding the Locations and Infrastructure supporting the controls provided by the Salesforce
Corporate Services, please refer to the Salesforce Corporate Services SOC report.

Software
The following table details the key software and network components, which support the Covered Services.

Component Description
Operating Systems Operating Systems used to support the Covered Services are Linux and Unix.

Databases In-scope Customer databases are Apache, Oracle, and Salesforce Databases.

Monitoring Systems There are multiple monitoring systems in use for the Covered Services,
including:
• Security Incident Event Monitoring - centralized log correlation analysis,
alert system, and network based intrusion detection system
• Performance monitoring system

Network The Covered Services network infrastructure utilizes a common set of network
Infrastructure components, including:
• Switches
• Load Balancers
• Firewalls
• Routers
• Hardware appliances

For details regarding the Software supporting the controls provided by the Salesforce Corporate Services,
please refer to the Salesforce Corporate Services SOC report.

People
The following teams are in-scope for this report as their job responsibilities require that they have access
to production systems, develop code to be included into the environment or support operational and
advisory functions:

Salesforce Services | 23
Team Responsibilities Covered
Security Salesforce Services shares a number of security responsibilities with the
Salesforce Corporate functions. Specific security team responsibilities can be
found in the Salesforce Corporate Services SOC report.

Infrastructure For Systems:

Engineering • Server Configuration & Management
• Setup Access to servers

For Network:
• Network Device Configuration & Management
• Setup Access to Network
• Define network security standards
• Implement and review access control lists for network
• Capacity Planning
• File attachment storage
• Site Switching/Disaster Recovery

Database • Database Configuration & Management

Engineering • Setup Access to Database instances
• Data Protection

Development/Quality • Develop new code, fix bugs

Engineering • Release Management
• Write technical specifications and performance software build services

Program/Product • Provide development project/product management, release/deployment

Management management, and status reporting.
• Identify customer requests and prioritize functionality to be released.

Site Reliability (SR) • Provide Performance Incident Management for critical incidents within the
Engineering Salesforce environment.

Salesforce Services | 24
Team Responsibilities Covered
Salesforce • Salesforce Board of Directors
Corporate Services • Hiring Practices and Staff Development
• Security Awareness and Training
• Risk Management
• Monitoring of Internal Controls
• Physical Security
• Environmental Safeguards
• Vendor Audit Program
• Logical Security
• Corporate IT Network Architecture and Management
• Endpoint Protection
• Product Security
• Threat and Vulnerability Management
• Security Monitoring
• Incident Management
• Contingency Planning and Business Continuity

For details regarding the People supporting the controls provided by the Salesforce Corporate Services,
please refer to the Salesforce Corporate Services SOC report.

Procedures
Salesforce has detailed information security, availability, and confidentiality standards which are designed
and categorized as per the National Institute of Standards and Technology (NIST) Special Publication
800-53 Revision 4 control families, including:

• Access Control

• Audit and Accountability

• Awareness and Training

• Configuration Management

• Contingency Planning

• Identification and Authentication

• Incident Response

• Maintenance

• Media Protection

• Personnel Security

Salesforce Services | 25
 • Physical and Environmental Protection

• Planning

• Program Management

• Risk Assessment

• Security Assessment and Authorization

• System and Communications Protection

• System and Information Integrity

• System and Services Acquisition

Customer Data
Customer Data is defined within the publicly available MSA. Customer Data processed on behalf of
customers has been classified as Mission Critical, which is the highest sensitivity classification at
Salesforce. Customer Data, as referenced in this report, refers to Salesforce’s role as a Processor as
defined in the Data Processing Addendum (DPA) to the MSA.

The use cases for Customer Data extraction by Salesforce personnel are aligned with the customer MSA.
Customer Data extraction requests for technical support are reviewed and approved prior to execution.
Extractions are documented, tracked, and encrypted, which is restricted for use by authorized personnel.

System Incident Disclosures

There were no incidents noted during the examination period that caused the Covered Services to not meet
their security, availability, and confidentiality commitments.

Relevant Changes
The following table details the relevant changes to the Covered Services during the examination period:

Change Description of change

Common Controls Salesforce has developed a Common Controls Framework (CCF) to provide
Framework more efficient alignment across external and internal security compliance
requirements. Descriptions of the controls for the Covered Services have been
updated to align with CCF while keeping the control purpose the same.

Covered Services Inclusion of Salesforce.org, Workplace Command Center/Employee Wellness

Check, Salesforce Connect (a feature of Lightning Platform), Platform Events &
Change Data Capture, Salesforce Identity (entire examination period), and
Salesforce Data Pipelines (from 3/28/2021 onwards).

Salesforce Services | 26
Relevant Aspects of the Control Environment, Risk Management,
Monitoring, and Information and Communication
As defined by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), internal
control is a process affected by an entity’s board of directors, management, and other personnel. Internal
control consists of five interrelated components:

Component Description
Control Environment This sets the tone of an organization, influencing the control consciousness of
its people. It is the foundation for all other components of internal control,
providing discipline, and structure.

Risk Management This is the entity’s identification and analysis of risks relevant to the
achievement of its objectives, forming a basis for determining how the risks
should be managed.

Monitoring The entire internal control process must be monitored, and modifications are
made as necessary. To support modifications, the systems react dynamically
and change as conditions warrant.

Information and Surrounding these activities are information and communication systems.
Communication These enable the entity’s people to capture and exchange information needed
to conduct and control the entity’s operations.

Control Activities Control policies and procedures must be established and executed to help
ensure that the actions identified by management are completed as necessary
to address risks for achievement of the entity’s control objectives.

Set out below is a description of the components of internal control related to the Covered Services that
may be relevant to customers.

Control Environment

The control environment begins at the highest level of the Company. Executive and senior management
play important roles in the Company’s tone from the top, and their direct leadership is an integral part of the
integrity and ethics, which are part of the corporate culture.

Salesforce Board of Directors

The Salesforce Board of Directors (BOD) maintains corporate governance guidelines that outline the roles,
responsibilities, limitations and operation of the BOD. For further details regarding the BOD, please refer to
the Salesforce Corporate Services SOC report.

Salesforce Services | 27
Hiring Practices and Staff Development
The Salesforce Employee Success team, and Security Communications and Engagement team for security
related training, are responsible for hiring practices and staff development. These activities include:

• Background investigations

• Employee offer acceptance

• Employment Disciplinary Action

• Security awareness and training

• Employee performance reviews

For further details regarding Hiring Practices and Staff Development, please refer to the Salesforce
Corporate Services SOC report.

Risk Management
Salesforce’s Enterprise Strategy, Enterprise Risk Assessment, and Security Risk Assessment processes
are detailed in the Salesforce Corporate Services SOC report.

Monitoring
Salesforce’s Security GRC team is responsible for monitoring of internal controls and coordinating third-
party assessments over the controls for the Covered Services. For further details regarding these
processes, please refer to the Salesforce Corporate Services SOC report.

Information and Communication

Salesforce maintains an Enterprise-wide internal Information Security Policy, supported by detailed
Security standards and training to ensure that employees understand their individual roles and
responsibilities regarding security, availability, confidentiality, and significant events.

For further details regarding information and communication, please refer to the Salesforce Corporate
Services SOC report.

Control Activities
General Information Systems Controls

Salesforce maintains a formal Company-wide information security management system (ISMS) that
conforms to the requirements of the ISO 27001 standard and NIST Cybersecurity Framework (CSF),
including security policies, standards, and procedures. Formal policies and procedures are documented for
operational areas including: data center operations, development, program management, production
management, infrastructure engineering, quality engineering, release management, operations, hiring, and
terminations. The Information Security Policy and supporting standards have been developed to segregate
duties and enforce responsibilities based on job functionality.

Salesforce Services | 28
Physical Security

The Salesforce Physical Security team is responsible for physical security measures at the Corporate
Offices, and components of physical security at colocation data center facilities. Further details of physical
security at Salesforce Corporate Offices and colocation data center facilities are found in the Salesforce
Corporate Services SOC report.

Physical security at public cloud service providers is the responsibility of the public cloud service provider.
Refer to “Complementary Subservice Organization Controls” for more information.

Vendor Audit Program

The Salesforce Security GRC team includes a Vendor Audit Program (VAP) for evaluating and monitoring
technical support vendors, data center providers, and public cloud service providers. Further details of VAP
are found in the Salesforce Corporate Services SOC report.

Logical Security

The Information Security Policy and its supporting security standards, which have been reviewed and
approved by management, specify the minimum standards for logical access to Salesforce systems. The
standards also identify functional responsibilities for the administration of logical access and security, and
the classification of data.

Account Provisioning
Approval for a new employee’s standard user account must originate from the Hiring Manager and is based
on the employee’s job function. For users providing customer support for Salesforce Configure Price Quote
(CPQ), Salesforce Billing, and B2B Commerce, access is granted by default to the License Management
Internal Admin Portal. Any further access required to Salesforce Services systems beyond the basic
accounts designated for that user’s job function requires approval from the employee’s direct manager and
the Role Owner as defined in the role ownership and definition documentation.

Access is provisioned according to least privilege, and separation of duties is enforced. Production servers
are configured to log escalation of privileges. In addition, network devices and servers log successful and
unsuccessful account logon events and transmit them to a log aggregation facility where logs are retained
for a period of one year. Logical access controls restrict access to the Covered Services’ production system
logs and protect audit information from unauthorized modification and deletion.

Before new databases are brought into the production environment, default database accounts are locked,
have the default vendor password changed, or are removed to prevent unauthorized access. Vendor-
provided database accounts that are not needed or used are locked or removed. For database accounts
that remain, the default passwords are changed. Only database administrators have access to privileged
database accounts.

Customer access is the responsibility of the customer. New customers sign/acknowledge a MSA, which
includes security considerations for protecting the security, confidentiality, and integrity of data. Customers
are provided access to their environment by a designated Salesforce system administrator and subsequent
users are provided access by the customer’s system administrator.

The MSA also specifies the responsibilities of the users and Salesforce’s responsibilities and commitments.

Salesforce Services | 29
Upon acceptance of the MSA, the customer is responsible for the administration and maintenance of access
to the system for their personnel, as well as ensuring the security settings, such as password settings, are
configured in accordance with their specific policies and procedures. Further details of MSA requirements
are found in the Salesforce Corporate Services SOC report.

Access Removal
In the event that a Salesforce employee or contractor is terminated, the individual’s Manager is responsible
for initiating the termination case.

This entry triggers automated tasks to system owners in the authorization matrix, such as Active Directory,
OS, Network devices, Database, Public Cloud management consoles, and Covered Services application
to remove the access in a timely manner. Corporate access is removed within 2 business days of
termination task creation, followed with production access removal within 5 business days of termination
date. Once the access has been removed, the ticket is closed by the resolving group.

In addition, once the automated termination task is created, an automated job is executed which
systematically removes a user’s infrastructure access. In the event of a failure, an alert is sent to the
TechOps System Access Team. The issue is then investigated and if determined to be a true issue, a ticket
is created to document actions to resolve the issue.

Further details regarding the removal of access to Salesforce’s Corporate Network are found in the
Salesforce Corporate Services SOC report.

Access Authentication
Prior to authentication to Salesforce Services’ Covered Services production infrastructure, individuals must
be authenticated on Salesforce’s Corporate Network utilizing valid Active Directory credentials. Further
details of Salesforce’s Corporate Network are found in the Salesforce Corporate Services SOC report.

Access to databases and production information systems is achieved with password-based authentication,
enforced via MFA, and dynamic password generation or password parameters set in accordance with
company standards.

Access to the production infrastructure is restricted to authorized personnel based on job function.
Privileged system access is restricted to a limited number of system administrators and their management.

Access to databases and production information systems is achieved with password-based authentication,
enforced via multi-factor authentication, and dynamic password generation or password parameters set in
accordance with company standards.

Users can only access the production environment after authentication to the corporate network, via Virtual
Private Network concentrators (VPN), and must then pass through multiple layers of authentication as
described below:

• The first layer of authentication is through a secure virtual gateway and requires multi-factor
authentication using their username and a one-time passcode token.

• The second layer of authentication includes authentication to the bastion host using their username
and a one-time passcode token.

Salesforce Services | 30
 • The third layer is authentication to the individual production systems where the user must log in
with their username and password on the target system.

Access to the public cloud management console is restricted only to infrastructure engineering groups that
require access.

Authentication credentials are obscured during the authentication process. Internal system management
functionality is segregated within the production environment using various layers of security within network
devices, the operating system, databases, and the application.

Policies and agreements are in place that define the circumstances in which customer data can be used,
including requirements to limit removal of the data from its native storage and requirements for maintaining
the security of the data at all times. Sessions into the secure virtual gateway and Secure Shell (SSH), which
are used to access production, are automatically terminated after a determined number of inactive minutes
to prevent unauthorized activity or use.

Access Reviews
Logical access to production environments is reviewed on a quarterly basis to verify that terminated users
have been removed from the respective systems. Each quarterly access review covers the systems that
support the Covered Services and a ticket is created to track the review process. For any discrepancies
found during the access review, the responsible employees must correct and document the removal.

Once the results of the access review are documented, there is a second-line review by a manager or
director; once the manager or director approves the findings, and confirms remediation of the findings, the
quarterly access review ticket is then closed.

Additionally, on an ongoing basis employee transfers are reviewed to determine that network, server, and
database access to the production systems is still appropriate. The review is initiated automatically when
an employee’s title, manager, or business unit changes in the HR system. The change triggers the creation
of a transfer review ticket, which has a defined workflow that requires the user’s manager to review the
transferred user’s access for appropriateness. The manager has 30 days to complete the transfer review
and close the ticket and access not reviewed within 30 days is revoked. If a change in user access is
necessary a child ticket is created for each access to track the removal. Where the system allows,
automated workflows are in place to enforce the access removals in alignment with Salesforce Security
Standards.

Password Requirements
The password requirements for corporate and production systems are required to meet or exceed the
following information security password requirements defined in Salesforce’s Authentication Standard,
which includes:

• Passwords must have a minimum length of:

– 12 characters for production systems

– 16 characters for corporate endpoint systems and applications

– 20 characters for service accounts

Salesforce Services | 31
 • Password complexity must contain a combination of three or four of the following: uppercase,
lowercase, numbers, and symbols based on available system functionality.

• Password maximum lifetime is restricted to 365 days for corporate endpoint systems and
applications.

• Password maximum lifetime is restricted to 60 days for administrators and production systems.

• Passwords cannot be reused for at least 6 generations.

• Account lockout settings are enforced after a number of consecutive invalid login attempts and
automatically lock the account after the number of unsuccessful attempts is exceeded.

Further details of Salesforce’s Corporate Network are found in the Salesforce Corporate Services SOC
report.

Network Architecture and Management

The information system consists of three logically and physically separate networks: a corporate network,
a R&D network, and a production network. The corporate network supports internal corporate functions and
is separate from the production network, which supports customer instances. For further details on
Salesforce’s corporate network, please refer to the Salesforce Corporate Services SOC report.

The R&D network supports software development, quality assurance, and part of release engineering.
Access Control Lists (ACLs), firewalls, and subnets are used to prohibit network access and information
flow between the different networks.

The data centers have a fully redundant infrastructure. Network devices are also implemented in a fully
redundant, fault-tolerant configuration. Servers that require redundancy are configured with two separate
switches, which are connected to separate network interface cards on each server.

Networking protocols that are not necessary for business purposes and/or are deemed to be non-secure
are disabled. Protocols and allowed services are documented in configuration standards.

Tools are installed and used to monitor the status and load of each managed network device. The
monitoring tools are configured to generate alerts when specified thresholds are reached or exceeded.
When triggered, the predefined group of alerts will generate an automatic notification to designated
personnel and, depending on the severity of the problem, appropriate levels of escalation are applied.

Boundary Protection
Mechanisms are employed within the network to monitor and control communications at the external
boundary of the system. Border routers configured with access control lists are used to filter unwanted
network traffic and can apply rate limits if necessary.

To protect the security of the network, proxies are configured to disable access to public emails, instant
messaging, and other non-business functions from the production servers.

External network devices, configured to “deny all - allow by exception” are used to filter traffic and remediate
basic Denial of Service (DoS) attacks. Salesforce production data center network traffic is also routed
through a Distributed DoS (DDoS) protection service provider to limit the effect of DoS attacks.

Salesforce Services | 32
Load balancers are used in conjunction with the internal network devices to encrypt/decrypt traffic, Network
Address Translation is used for customer IPs, and customer traffic is routed to Virtual IPs rather than IPs
within the network. The customer’s real IP is inserted into the header so that the application recognizes the
origin of the traffic.

Internal firewall, routers, and switches are used to control traffic between Customer Instances (a multi-
tenant stack). ACLs established on the network devices within the specific instances prevents user traffic
from crossing instances. ACLs are configured to deny all and allow only explicitly defined connections and
prevent the database hosts from accepting any traffic other than the expected database traffic. Application
servers are configured to communicate only with specific instances of other resources, preventing
unauthorized connections to other instances or back to the host. ACLs on the application servers are used
to “whitelist” internal IP addresses for administrative functions within resources.

Network Access Controls

Access by customers and internal personnel is restricted by defined network access controls configured to
enforce defined network security standards. Only required ports are enabled and all others are denied.
Access to change network access control configurations is restricted to authorized personnel who have the
required access and approval before making changes.

Network Malware Detection

Malware and virus detection is in place on the corporate network, and alerts are generated in the event of
compromise or potential compromise. For further details on Salesforce’s corporate network, please refer to
the Salesforce Corporate Services SOC report.

Application Protection
Customers connect to the Covered Services over the Internet and data transported into and out of these
controlled environments is encrypted in transit. Once inside these controlled environments, customers can
utilize the application framework and managed computing assets to store and manipulate data in their
organizational instance.

Internal Admin Portals are used to maintain application service health and to provide support for customers.
The License Management Internal Admin Portal is used by the following Covered Services: Salesforce
Configure Price Quote (CPQ) and Salesforce Billing, B2B Commerce, Industry Cloud, and Salesforce.org.
All other Covered Services use the Standard Internal Admin Portal. Authorized users provide operational
support for products and features. Support personnel use the applications through special accounts to
support customers. Support personnel have access to Customer Data when authorized by the customer.
Customers granting access for troubleshooting purposes can define the duration of the access, activity is
logged, and logs are available for customers’ review.

With a multi-tenancy platform, the platform prevents unauthorized and unintended information transfer via
shared system resources through strong logical access controls. Strict controls are in place to restrict user
access across shared resources and equal security protections are provided to Customer Data. Hosted
customers (organizations) are assigned an “Org” with an associated unique “OrgID” within the Salesforce
infrastructure. Only the information associated with the OrgID assigned to the customer’s credentials are
available to the authenticated user.

Salesforce Services | 33
Intrusion Detection
An Intrusion Detection System (IDS) monitors for potential security breaches. IDS devices are placed
between the edge routers and aggregation layer (in front of the load balancers) and behind the load
balancers to monitor network traffic, including malware events in Salesforce production data centers.

IDS events are correlated and the monitoring system is configured to generate and distribute alerts as
security events occur in the environment on production servers. Privileged access to administer the IDS is
restricted to authorized personnel.

Note that the IDS is only currently applicable to the production and government cloud environments at
Salesforce colocated data centers. Due to system limitations with the public cloud service provider, an IDS
is not currently in place. In lieu of an IDS, Salesforce has implemented logging and netflow log collection
(drops and accepts) for all ingress/egress traffic. The public cloud logs are analyzed and reviewed.

Malware and virus detection are in place at the corporate layer and alerts are generated in the event of
compromise or potential compromise. For further details on Salesforce’s Intrusion Detection processes,
please refer to the Salesforce Corporate Services SOC report.

Endpoint Protection
The Salesforce Business Technology team is responsible for managing anti-malware solutions, device
encryption, and mobile device management software. For further details of Salesforce’s endpoint protection
controls, please refer to the Salesforce Corporate Services SOC report.

Product Security

The Salesforce’s Security team includes a function for Product Security. The Product Security function
includes conducting Application Security Assessments, which are black-box web application penetration
tests performed by independent third parties. In addition, Salesforce has an invite-only bug bounty program.
For further details on Salesforce’s Product Security team and controls, please refer to the Salesforce
Corporate Services SOC report.

Threat and Vulnerability Management

Vulnerability Scanning
Vulnerability scans are performed on both internal and external facing production systems using internal
scanning resources at least twice per month through the use of commercial and proprietary vulnerability
tools. Vulnerability scanning tools are configured to identify vulnerabilities which include missing patches
and system configuration issues. Salesforce management reviews vulnerability and patching status on an
at least weekly basis. Patches are deployed for known vulnerabilities at least monthly, or as needed based
on the criticality. For further details of Salesforce’s vulnerability scanning controls, please refer to the
Salesforce Corporate Services SOC report.

PCI-DSS Penetration Testing & ASV Scanning

For Services which are also in-scope for the Payment Card Industry Data Security Standard (PCI-DSS),
additional penetration tests and Approved Scanning Vendor (ASV) scans are coordinated by the Threat
and Vulnerability Management team. For further details of Salesforce’s PCI-DSS penetration testing and
ASV scanning controls, please refer to the Salesforce Corporate Services SOC report.

Salesforce Services | 34
Vulnerability Tracking and Patching
New host and container base images are released with the most recent operating system vulnerability
patches and updates are made at least monthly and are available for service teams to apply to their
infrastructure assets. The TVM team, in coordination with product engineering teams, utilize scanning and
monitoring tools to identify and track the use of insecure images and other system and third-party
vulnerabilities through resolution. For further details of Salesforce’s vulnerability tracking and patching
controls, please refer to the Salesforce Corporate Services SOC report.

Encryption

Transport Layer Security (TLS) encryption is used to protect the confidentiality and integrity of information
transmitted between the customer’s web browser and the Salesforce Services’ Covered Services system.

Cryptographic keys for TLS certificates are monitored by the Security team for expiration. Follow-up
procedures are performed with the Certificate Authority to renew Salesforce cryptographic keys expiring
within 90 days.

The Covered Services offer multiple features for encryption of Customer Data at rest. With the Platform
Encryption offering, customers can choose to encrypt sensitive data stored in custom fields, standard fields,
Chatter, files, attachments, and emails. This is an additional paid feature. Salesforce also offers a free
encryption feature, Classic Encryption, available for custom fields only that customers create.

For more details on Platform Encryption and Classic Encryption, please visit:
https://help.salesforce.com/articleView?id=security_pe_vs_classic_encryption.htm&type=5.

Change Management

The change management process supports a controlled framework as well as proper segregation of duties
for the initiation, testing, approval, and implementation of changes. Salesforce’s Change Management
Standard outlines the activities to be performed during each phase of the change process, as applicable,
and the supporting tasks that need to be completed for each activity.

Changes are implemented during scheduled maintenance windows to minimize customer impact unless
required to address an urgent service issue. Requests for changes, as well as system and hardware
maintenance, are standardized, categorized, and prioritized according to documented policies and
procedures.

Asset inventories of all production systems that reflect the current information system environment are
documented and inventories are maintained at a level of granularity deemed necessary for tracking and
reporting purposes. An asset inventory review of the Covered Services’ production systems is performed
periodically.

Current and prior configurations for production servers, network devices, and databases are maintained in
order to support rollback based on the nature of change.

Salesforce Services | 35
Infrastructure Change Management
The change management process is a defined process that requires people, process, and technology to
support the process. Individuals submitting infrastructure changes into production are required to follow the
defined Global Change Management Procedure and Change Management Security Standard and to
complete mandatory change management training before participating in the change management process.

The Global Change Management Procedure defines the required approvals that a change must route
through before the change owner can begin the change in production. Salesforce uses a ticketing system
as the technology to support the change management process as defined in the Global Change
Management Procedure.

The change management process identifies the roles and responsibilities of each of the members on the
change process as well as the change types. Changes for infrastructure components are tested in a
dedicated environment using production class equipment before being deployed into production. If testing
cannot be conducted in a non-production environment, the change is applied to a minimal number of
production devices and functionality is verified after implementation. Only authorized personnel can
implement a change into the production environment.

Routine and periodic hardware maintenance is performed to reduce the frequency and impact of
performance failures. Salesforce notifies customers of planned downtime through the Trust Maintenance
page.

Infrastructure change management encompasses operational changes for maintaining the service at the
hardware, server, network, and database level. The majority of changes that are processed via the
Salesforce infrastructure change process are Standard or Standard Pre Approved changes that include
routine system patching, firewall, and network changes necessary to maintain the underlying infrastructure
supporting the services. These changes are considered lower risk, routine operating activities and either
follow an established pre-approved template, require a peer review approval, or are systematically
implemented based on a pre-approved change category prior to implementation.

There are five change categories: Standard Pre Approved, Standard, Minor, Significant, and Emergency
Break Fix. Standard Pre Approved changes are structured for repeatable execution. Standard Pre
Approved changes may be automatically implemented when the ticket is created as it follows a standard
change template or change category and has been pre-approved via the Change Advisory Board (CAB).
These are limited to low risk changes and typically include patching or other operational activities that have
a consistent history of success and execution without errors. Standard changes are low risk, performed
frequently, and use a well-defined run list. Standard changes require Peer Approval before receiving a PM
(Prod Message) Start from Site Reliability. Minor changes are deemed low to moderate risk. Significant
changes are higher risk changes. Minor and Significant change types require Peer Approval and review
from specific individuals in the related functional approval group and/or Change Management team and
can be subject to a CAB review before approval. Emergency Break Fix changes are unplanned changes
often in response to an event and require the approval of specific individuals within an emergency approval
group.

Database changes are a subset of infrastructure changes. This type of change includes changes to the
database configuration and data maintained within the tables.

A periodic review is done of change category designations and documentation is performed by the change
management team. Discrepancies identified are followed up by the teams and documentation corrected.

Salesforce Services | 36
Application Change Management
Application change requests are documented and tracked through the online ticket management system
and/or code repository. Desired application functionality and features are identified, prioritized, and initiated
by product owners for future development. Information security and availability considerations are core
components in application development and testing. Adaptive Development Methodology (ADM) and
Scrum project management frameworks are used to manage application development and testing.

Application code changes undergo testing and/or peer review prior to merging the changes into the master
code that makes up a release.

There are 3 types of releases; Major releases that include new product features, Patch releases that include
fixes and upgrades following major releases, and Emergency releases to address issues and bugs.

There are 10 release groups for the Covered Services system: Salesforce Core (covers Sales Cloud,
Service Cloud, Experience Cloud, Lightning Platform, Site.com, Database.com, IoT Explorer, Salesforce
Surveys, Salesforce Shield, WDC, Einstein Prediction Builder, Einstein Agent, and Chatter), Salesforce
Mobile (covers Salesforce Mobile App), Industries (covers Industry Cloud), QTC (covers Salesforce Quote
to Cash), Workplace Command Center, Chat (component of service cloud), Tableau CRM (formerly
Einstein Analytics), Salesforce Private Connect, B2B Commerce, and Salesforce.org.

For the release groups identified above, application releases into production do not occur until applicable
sign-off is obtained from the following teams:

• Change Management, Quality Assurance, or Site Reliability; and

• An Engineering Manager

The sign-off from the required individuals must be documented in the associated release ticket, and is an
indicator of successful testing of the changes and an approval to deploy the release.

Hybrid engineering is employed by Salesforce during the software development life cycle. Software
engineers are cross trained to perform development and quality assurance roles. Segregation of duties is
achieved by ensuring that application code development and quality assurance testing is performed by
different individuals.

The change management tools (code versioning software and online ticketing system) maintain a record
of changes, including the implementer’s name, approvers’ names, implemented solution, roll-back plans,
and any issues arising from the change. Post change validation plans are created for each change to specify
the steps that should be performed to validate a change after implementation in the production environment.
The steps in the validation plan are executed by the change implementer to confirm the change was
successfully executed in production.

Weekly release management meetings are held to discuss the current release schedule and milestones.
Release notes are documented and communicated to internal and external users via the Trust site for
changes and maintenance that affect functionality, features, system security, and availability. Details about
maintenance windows include the maintenance time period, instance(s) impacted, and the reason for the
use of the maintenance window.

Salesforce Services | 37
Service Monitoring

The Covered Services and supporting infrastructure are monitored for availability and performance. A real-
time alerting system will be triggered and alert on-call Engineering team members if defined reliability,
availability or performance thresholds are exceeded.

Various automated and manual systems are used to monitor the confidentiality, integrity, availability, and
performance of the service, such as intrusion detection systems, performance and health systems, and
security event correlation systems.

Security Monitoring

The Covered Services are also monitored for security purposes. The Salesforce Security Detection and
Response team provides centralized monitoring for malicious activity, open vulnerabilities, and indicators
of compromise. Servers, production network systems, public cloud control plane systems, and databases
are configured to forward log data to a centralized Detection and Response system, which then uses
predetermined thresholds and triggers to generate alerts. Examples of security events that will trigger an
alert include (but are not limited to) unauthorized attempts to access production infrastructure, unpatched
infrastructure, and application vulnerabilities. Additionally, servers are configured to log privileged
operations (sudo) undertaken on the platform in order to provide an audit trail and increase accountability.
Further details of security log monitoring, protection, and retention can be found in the Salesforce Corporate
Services SOC report.

Incident Management

Salesforce Services performs incident management in three major categories:

• Security Incident Management

• Availability Incident Management

• Customer Incident Management

Security Incident Management

Security incident management is performed by the Salesforce Computer Security Incident Response Team
(CSIRT). Further details of the CSIRT process are found in the Salesforce Corporate Services SOC report.

Availability Incident Management

Personnel in offices worldwide support the continuous operations of Salesforce. The environment is
monitored 24/7 through a follow-the-sun customer support model for reliability and performance. The Site
Reliability team provides site monitoring, first response, and proactive triage and resolution. There are six
SR locations: 3 in the U.S. (California, Virginia, and Massachusetts), Ireland, India, and Singapore. The SR
team handles first and second tier support, with infrastructure engineers providing escalation support.
Monitoring tools are automated and route potential issues, warnings, and problems to the SR team.

Real time monitoring of all production and sandbox instances is performed. Customer impacting
performance incidents are documented in an online ticketing system. Each incident is assigned a severity
level to prioritize importance and the direct resources assigned to those issues of greatest impact to the
system.

Salesforce Services | 38
Formal incident handling capabilities for system performance incidents are implemented, which include
preparation, detection, analysis, containment, eradication, and recovery. Incidents are assigned a severity
level to prioritize their importance and direct resources to those issues of greatest impact to the system.
Investigation and corrective actions for performance incidents are documented and shared with key
personnel to confirm corrective actions have been completed and lessons learned have been incorporated.

The Salesforce Trust site can be observed anytime by internal and external users, and contains information
around service disruptions, system availability, informational messages, and daily metrics around
performance issues.

High-level performance and availability reports are produced and discussed during monthly executive
management meetings.

System capacity for long term strategic planning is monitored on an ongoing basis.

Customer Incident Management

The Covered Services have onboarded to the Salesforce Enterprise Customer Support processes. For
further details on Customer Incident Management and Support, please refer to the Salesforce Corporate
Services SOC report.

Backup, Recovery, and System Availability

A combination of near real-time data replication and data backups are utilized to protect Customer Data.
Data centers are configured in pairs, so primary production infrastructure and production data are fully
replicated to secondary sites.

The mirror site is a passive site containing equal (or more) capacity of the production data center, as the
systems are the same as the primary. Customer Data in application databases is backed up using
incremental backups, which are merged daily to create full backups, and hourly archive log backups.
Database backups of customers’ production data are retained for a minimum of 90 days and backups of
customers’ test data (sandboxes) are retained for a minimum of 30 days. Attachments which reside on
FileForce servers are replicated and/or backed up. On customer attrition, attachments on FileForce servers
are purged after 90 days in production and sandbox instances. Data deemed important by the customer
should be retained by the customer.

Formal processes and procedures to securely dispose of any device that may contain Customer Data
including backup media and hard drives have been developed. The media management procedures apply
to all data center environments and include procedures for physical destruction.

Backup media does not leave secure data center facilities until the media is securely wiped and destroyed
through a secure destruction process.

A Disaster Recovery Plan outlines the actions to be followed to meet availability and system requirements.
The disaster recovery plan includes, among others, details regarding recovery time objectives, key
personnel, and recovery processes to be followed in the event of a declared disaster. A formal Disaster
Recovery exercise is executed multiple times annually to test the effectiveness of the contingency planning,
and site switching processes. The data restoration process is tested at least annually by the backup team.

Salesforce Services | 39
In addition, Salesforce Private Connect, which creates a native, secure integration between AWS and
Salesforce, is configured and deployed in a highly available manner in AWS to meet availability and system
requirements in the event of a business impact disaster. Private Connect is configured to be spread across
multiple availability zones and regions, where possible.

Further, disaster communication processes are exercised using the mass notification system during each
exercise, which includes call-outs with response requests to Salesforce’s CMT and the production Disaster
Recovery teams. Salesforce will test its disaster recovery plan at minimum on an annual basis and will
continue to enhance and develop processes and its technology related to disaster recovery to further
reduce Recovery Point Objective (RPO)s and Recovery Time Objective (RTO)s.

Service agreements are in place for each of the alternate processing facilities and failover to the alternate
processing facilities is logically controlled and does not require physical access to the production
infrastructure to execute the failover.

In addition, each production data center is served by multiple Internet Service Provider Internet connections
using a carrier-class model in order to provide redundancy. Further details on Internet Service Provider
redundancy in data centers can be found in the Salesforce Corporate Services SOC report.

Customer Control Responsibilities and Considerations

The Covered Services are designed with the assumption that certain policies, procedures, and controls
would be in existence or implemented by user entities (hereafter referred to as “customers”) to achieve
certain control objectives.

This section describes those additional policies, procedures, and controls that should be in operation at the
customer to complement the Covered Services and corresponding controls. The user of this report should
consider whether the following controls have been placed in operation at the customer.

Salesforce Services | 40
 Complemented
Controls expected to be implemented at user entity organizations Control Objective

• Customers are responsible for configuring their implementation of the Control Objective 2
Covered Services, including security measures such as
dedicated/specified IP addresses and two-factor authentication. Where
applicable, customers are responsible for the configuration of the user
organization API system level calls to access Salesforce’s API. Customers
should reference the Salesforce Security Implementation Guide.
• Customers are responsible for managing their organization’s instance(s) of
the Lightning Platform (formerly Force.com), installed applications as well
as establishing any customized security solutions or automated processes
through the use of setup features, application development tools, and API
integration tools.
• Customers are responsible for ensuring that authorized users are
appointed as organizational administrators for granting access to the
Covered Services’ system.
• Customers are responsible for notifying Salesforce of any unauthorized
use of any password or account, or any other known or suspected breach
of security related to the use of the Covered Services’ system.
• Customers are responsible for data classification and the implementation
of encryption features available within the platform, where deemed
necessary by customer-defined requirements.
• Customers are responsible for granting and removing access for
Salesforce customer support personnel, and defining an appropriate
expiration date when granting the access.

• Customers are responsible for communicating relevant security, Control Objective 5

availability, and confidentiality issues and incidents to Salesforce through
identified channels.

The list of Complementary User Entity Controls presented above does not represent a comprehensive set
of all the controls that should be employed by the customers. Other controls may be required for individual
customers.

The following are additional customer control responsibilities and considerations. While these may not be
necessary to achieve the specified control objectives, customers should consider implementing the below
controls to further address their own commitments and system requirements.

Controls customer should consider implementing

Customers are responsible for configuring their implementation of the Covered Services, including
security measures such as dedicated/specified IP addresses and two-factor authentication. Where
applicable, customers are responsible for the configuration of the user organization API system level
calls to access Salesforce’s API. Customers should reference the Salesforce Security Implementation
Guide.

Salesforce Services | 41
Controls customer should consider implementing
Customers are responsible for managing their organization’s instance(s) of the Lightning Platform
(formerly Force.com), installed applications as well as establishing any customized security solutions or
automated processes through the use of setup features, application development tools, and API
integration tools.

Customers are responsible for ensuring that authorized users are appointed as organizational
administrators for granting access to the Covered Services’ system.

Customers are responsible for notifying Salesforce of any unauthorized use of any password or
account, or any other known or suspected breach of security related to the use of the Covered Services’
system.

Customers are responsible for data classification and the implementation of encryption features
available within the platform, where deemed necessary by customer-defined requirements.

Customers are responsible for granting and removing access for Salesforce customer support
personnel, and defining an appropriate expiration date when granting the access.

Customers are responsible for reviewing activity logs of actions performed by the customer support
personnel.

Customers are responsible for any changes made to user organization data stored within the Covered
Services’ system.

Customers are responsible for customer code or functionality designed, developed, and deployed on
the platform.

Customers are responsible for communicating relevant security, availability, and confidentiality issues
and incidents to Salesforce through identified channels.

Customers are responsible for conducting periodic exports of data to meet their specific data retention
requirements.

Customers are responsible for configuring the expiration of mobile refresh tokens.

Complementary Subservice Organization Controls

Salesforce Services’ Covered Services relies on controls performed by salesforce.com, inc. Salesforce
Corporate Services controls are performed and monitored by integrated Salesforce functions, and are not
included in the scope of this report but are required to achieve the control objectives.

The Covered Services utilize public cloud providers to provide cloud infrastructure as mentioned above in
the Locations and Infrastructure table. The public cloud providers are responsible for operating, managing,
and controlling the underlying infrastructure components supporting the services which are utilized by
Salesforce. Salesforce compliance teams review audit reports performed by independent auditors of the
public cloud providers impacting the control objectives of this report.

The following tables identify the impacted control objective and the complementary subservice organization
controls (CSOCs) expected to be implemented at the Subservice Organizations as documented in the
Service specific SOC reports in order to achieve the specified control objective, where applicable, based
on the nature of the service:

Salesforce Services | 42
Controls expected to be implemented at Salesforce Corporate Services

Complemented
Controls expected to be implemented at Salesforce Corporate Services control objective

• The Company reviews public cloud service provider audit reports Control Objective 1
performed by independent auditors to ensure appropriate physical access
and environmental controls have been properly designed and implemented,
and are operating effectively.
• Data center hosting providers and sub-processors are evaluated by Vendor
Audit Program (VAP) prior to processing Customer Data.
• The Vendor Audit Program (VAP) team performs annual supplier due-
diligence reviews for all Tier 1 suppliers to monitor compliance with
Salesforce security requirements. Any issues identified are evaluated and
remediated in a timely manner.

• The Company has implemented logical security tools and technologies to Control Objective 2
protect against security events and other threats from outside the
boundaries of the system boundaries, such as a corporate VPN to access
the corporate network, a security information and event management
solution, and a TLS certificate monitoring and management tool.

• The Company manages authentication into the corporate network, and Control Objective 3
revokes user access to the corporate network in a timely manner upon
termination.

• The Company has a centralized team to track and resolve security issues Control Objective 5
identified in the products and services.

• The Company has implemented a security information and event Control Objective 5
management solution to monitor system components for security incidents.
Logs are protected from tampering and retained for 1 year to support
investigations into suspected security incidents.

• CSIRT has defined processes to evaluate, escalate, track and resolve Control Objective 5
identified security incidents.

• The Company maintains a Change Management Standard which defines Control Objective 4
the requirements for performing changes, and is reviewed annually. Control Objective 7

Salesforce Services | 43
Controls expected to be implemented at other Salesforce Services Subservice
Organizations

Complemented
Controls expected to be implemented at Public Cloud Providers control objective
• Only authorized personnel have access to the facilities housing the system. Control Objective 1
• Badge access control systems are in place in order to access the facilities.
• Visitor access to the corporate facility and data center are recorded in
visitor access logs.
• Visitors are required to wear a visitor badge while onsite at the facilities.
• Visitors are required to check in with security and show a government
issued ID prior to being granted access to the facilities.
• Visitors are required to have an escort at all times.
• All production media is securely decommissioned and physically destroyed
prior to leaving the data center.

• Password and/or MFA is used to restrict access to authorized individuals. Control Objective 2
• Roles and responsibilities for managing cryptographic keys are formally
documented.
• Additions and changes to the system are authorized prior to access being
granted.
• System access is removed timely upon termination.
• System access is reviewed on a periodic basis to ensure access is
restricted to authorized and appropriate individuals.
• IT access above least privileged, including administrator access, is
approved by appropriate personnel prior to access provisioning.

• Firewall devices are configured to restrict access to the computing Control Objective 3
environment and enforce boundaries of computing clusters.
• Network communications within a VPN Gateway are isolated from network
communications within other VPN Gateways.
• Security protections are in place to restrict access to virtual and physical
devices and other information assets to authorized personnel.
• Encryption methods are used to protect data in transit and at-rest.

• External vulnerability assessments are performed on a periodic basis, Control Objective 5

identified issues are investigated and tracked to resolution in a timely
manner.

• Backups of critical system components are monitored for successful Control Objective 6
replication across multiple data centers.

• Changes are authorized, tested, and approved prior to implementation. Control Objective 4
Control Objective 7

Salesforce Services | 44
Control Objectives and Related Controls
Salesforce’s control objectives and related controls are included in Section IV of this report,
“salesforce.com, inc.’s Control Objectives, Related Controls, and EY’s Test Procedures and Results.”
Although the control objectives, and related controls are presented in Section IV, they are an integral part
of salesforce.com, inc.’s description of the Salesforce Services’ Covered Services system as described in
Section III.

Salesforce Services | 45
 Section IV: salesforce.com, inc.’s
Control Objectives, Related Controls,
and EY’s Test Procedures and Results
Testing Performed and Results of Tests of Entity Level Controls
In planning the nature, timing and extent of our testing of the controls specified by salesforce.com, inc., we
considered the aspects of Salesforce’s control environment, risk assessment processes, communication
and management monitoring procedures and performed such procedures as we considered necessary in
the circumstances.

Control Objectives and Related Controls for Systems and

Applications
On the pages that follow, the description of control objectives and the controls to achieve the objectives
have been specified by, and are the responsibility of salesforce.com, inc. The Testing Performed by EY
and the Results of Testing are the responsibility of the service auditor.

Procedures Performed for Assessing the Completeness and Accuracy

of Information Provided by the Entity
For tests of controls requiring the use of Information Produced by the Entity (IPE) (e.g., controls requiring
system-generated populations for sample-based testing), EY performed a combination of the following
procedures where possible based on the nature of the IPE to assess the completeness and accuracy of
the IPE.

1. Inspected the source of the IPE

2. Inspected the query or script, and associated parameters used to generate the IPE from the source
system

3. Reconciled IPE back to the source system of the IPE

4. Inspected the IPE for anomalous gaps in sequence or timing to determine the data is complete and
accurate

In addition to the above procedures, for tests of controls which required management’s use of IPE in the
performance of controls (e.g., quarterly access reviews), where relevant, EY inspected the procedures
performed by management to assess the completeness and accuracy of the IPE used in the performance
of the control.

Salesforce Services | 47
Control Objectives Summary
Control
Objective Ref. Control Objective Title Control Objective Description
CO1 Physical Security Controls provide reasonable assurance that physical
access to computer equipment and storage media
located in production data centers is restricted to
authorized and appropriate personnel to protect
systems and data from unauthorized modification.

CO2 Logical Security Controls provide reasonable assurance that logical

access to production systems and data is restricted
to appropriately authorized personnel for authorized
uses.

CO3 Network Architecture and Controls provide reasonable assurance that systems
Management are in place to prevent and detect unauthorized
production access attempts and to protect the
integrity of customer data.

CO4 Application Change Controls provide reasonable assurance that changes

Management to applications are tested, approved and function in
accordance with specifications to result in complete,
accurate, and timely processing of transactions.

CO5 Incident Management Controls provide reasonable assurance that incidents

are identified, tracked, recorded, and resolved in a
complete, accurate, and timely manner to prevent the
potential loss or access data as desired.

CO6 Backup and Recovery Controls provide reasonable assurance that data is
backed up and procedures are employed to maintain
the integrity of the backup media to permit timely
restoration.

CO7 Infrastructure Change Controls provide reasonable assurance that changes

Management to the Covered Services infrastructure are
documented, approved, and implemented in
accordance with specifications to provide for its
availability of processing.

Salesforce Services | 48
Control Objective 1: Physical Security

Controls provide reasonable assurance that physical access to computer equipment and storage media located in production data centers is
restricted to authorized and appropriate personnel to protect systems and data from unauthorized modification.

Control Description EY’s Test Procedures EY’s Test Results

Controls addressing this control objective are covered in the Salesforce Corporate Services SOC report and AWS SOC report.

Salesforce Services | 49
Control Objective 2: Logical Security

Controls provide reasonable assurance that logical access to production systems and data is restricted to appropriately authorized personnel for
authorized uses.

Control Description EY’s Test Procedures EY’s Test Results

AC-05. Appropriate identification and Inspected authentication policy documentation to determine No exceptions noted.
authentication including multi-factor requirements for appropriate identification and authentication
authentication (MFA) with dynamic credentials, including multi-factor authentication, were defined.
password generation or password
Observed a user traverse the authentication points required to gain No exceptions noted.
parameters set in accordance with
logical access to the production infrastructure to determine appropriate
corporate policy as system
identification and authentication credentials, including multi-factor
functionality allows are required to
authentication, were required to perform actions on the production
access the production systems.
infrastructure.

Inspected system configurations for the production infrastructure to No exceptions noted.

determine systems were configured to enforce multi-factor
authentication with dynamic password generation or password
parameters set in accordance with company policy as systems allow.

AC-07. Secure encryption algorithms Observed an administrator log on to each remote access authentication No exceptions noted.
are used to remotely manage path and inspected the configuration for each path to determine secure
production infrastructure. encryption algorithms were used when users remotely managed
production infrastructure.

Salesforce Services | 50
Control Description EY’s Test Procedures EY’s Test Results
AC-13. Access privileges are Inspected access policies and procedures to determine requirements No exceptions noted.
approved by management and for management approval and documentation of access creation and
documented prior to provisioning or modification were defined.
access is granted by default based on
Inspected ticket details for a sample of account creations and For one (1) of five (5) users
the user’s job function.
modifications for each of the following to determine the access creation selected for testing from the
or modification was documented in a ticketing system and was Salesforce Configure Price
authorized by management or was granted by default based on the Quote (CPQ) and Salesforce
user’s job function: Billing, and B2B Commerce
License Management Internal
• Production access (servers, databases, network devices)
Admin Portals, we determined
• Standard Internal Admin Portal
that evidence of authorization
• Salesforce Configure Price Quote (CPQ) and Salesforce Billing,
prior to the role being granted
and B2B Commerce License Management Internal Admin Portals
did not exist.
• Industry Cloud and Salesforce.org License Management Internal
Admin Portals No population existed for
testing of the Industry Cloud
and Salesforce.org License
Management Internal Admin
Portals.

No issues were identified with

our separate sample-based
testing for Production Access
(Network devices, Servers,
Database, and the Standard
Internal Admin Portal).

Salesforce Services | 51
Control Description EY’s Test Procedures EY’s Test Results
Management Response: Salesforce management reviewed the issue and noted that access to the role within the Salesforce Configure Price
Quote (CPQ) and Salesforce Billing License Management Internal Admin Portal was not explicitly approved. However, Salesforce confirmed a
ticket was created for the provisioning of the user to that role and confirmed that the user’s access is appropriate. Salesforce management has
re-iterated to the provisioning team that access approval is required in a centralized ticketing system for provisioning actions as required by the
Salesforce Security Standards.

Salesforce management also reviewed the samples selected for the B2B Commerce License Management Internal Admin Portal and noted that
there were no impacted users. Refer to Section V of this report for additional details provided by management.

AC-14. Production network, database Inspected the Access Management Standard and supporting No exceptions noted.
server, and application server user documented procedures to determine the guidelines and boundaries of
access is revoked timely following the the access termination process were identified, and the standard was
creation of a termination case in reviewed annually.
accordance with Salesforce Security
Inspected termination automation configurations to determine user No exceptions noted.
Standards.
accounts were automatically disabled/terminated when a termination
case was created and alerts were generated in the event of a failure.

Salesforce Services | 52
Control Description EY’s Test Procedures EY’s Test Results
AC-15. Internal Admin Portal user Inspected the Access Management standard to determine the user No exceptions noted.
access is revoked timely following the termination requirements were defined.
creation of a termination case in
Inspected termination tickets for a sample of terminated employees and For six (6) of the total
accordance with Salesforce Security
contractors selected from the system access lists and HR termination population of seven (7)
Standard.
reports for each of the following to determine their access to the terminated users with access
Internal Admin Portal was revoked in a timely manner (within five to Salesforce Configure Price
business days and/or within 8 hours for the Government Cloud Quote (CPQ) and Salesforce
environment) following termination: Billing, and B2B Commerce
License Management Internal
• Standard Internal Admin Portal
Admin Portals, determined
• Salesforce Configure Price Quote (CPQ) and Salesforce
access was not removed
Billing, and B2B Commerce License Management Internal
timely in accordance with
Admin Portals
policy.
• Industry Cloud and Salesforce.org License Management
Internal Admin Portals
No population existed for
testing of the Industry Cloud
and Salesforce.org License
Management Internal Admin
Portals which follows a
separate termination process.

No issues were identified with

our separate sample-based
testing for Standard Internal
Admin Portal.

Management Response: Salesforce management reviewed the issue and noted the six terminated License Management Internal Admin Portal
user accounts were not deactivated timely. The risk due to the access issue is limited as the License Management Internal Admin Portal requires
Salesforce VPN access, which was terminated timely for the six users in accordance with the Salesforce Security Standard. Additionally, the
user accounts were deactivated as part of the quarterly access review process. Salesforce management reviewed the last login date details
within the License Management Internal Admin Portal for the user accounts and determined that there was no access post termination date.
Refer to Section V of this report for additional details provided by management.

Salesforce Services | 53
Control Description EY’s Test Procedures EY’s Test Results
AC-16. Database user access is Inspected termination tickets for a sample of terminated employees and No samples available for
revoked following the creation of a contractors selected from the system access lists and HR termination testing.
termination case in accordance with reports to determine their access to databases was revoked in a timely
Salesforce Security Standard. manner (within five business days) following termination.

AC-17. System production access is Inspected Salesforce’s Logical Access Management Standard to No exceptions noted.
reviewed for role changes and determine requirements for reviewing Salesforce Services production
transfers. Issues identified are access on a monthly basis for role changes and transfers were defined.
investigated and resolved within 30
Inspected system configurations to determine a transfer review ticket No exceptions noted.
days of transfer.
was systematically created in the event of a role change or transfer.

Inspected the transfer review ticket details for a sample of tickets No exceptions noted.
selected from the ticketing system to determine the review was
completed for role changes and transfers, and any issues identified
were investigated and resolved within 30 days of the role change or
transfer.

Salesforce Services | 54
Control Description EY’s Test Procedures EY’s Test Results
AC-18. Production network and server Inspected Access Management standard to determine requirements No exceptions noted.
user account access is reviewed on a and guidance to perform user access reviews were documented.
quarterly basis. Accounts identified for
Inspected quarterly access review ticket details for a sample quarter to Observed that while the
removal are investigated and resolved.
determine the quarterly access review of user accounts were quarterly access review for the
performed, and any accounts identified for removal were investigated Government Cloud
and resolved. environment was completed
and actions were taken as
required based on the review,
the review was not completed
timely per policy (was
completed 2 months after the
review deadline).

No issues identified related to

the review for the other system
components in scope.

Management Response: Salesforce confirmed that all terminated and transferred users were still actioned upon within the defined timeframes.
Additionally, risk is addressed through the effectiveness of the termination control (AC-14) and the transfer review process (AC-17). Refer to
Section V of this report for additional details provided by management.

AC-19. Production database user Inspected Access Management standard documentation to determine No exceptions noted.
accounts are reviewed on a quarterly requirements for access reviews were defined.
basis. Accounts identified as not being
Inspected quarterly access review ticket details for a sample quarter to No exceptions noted.
appropriate are investigated and
determine quarterly access reviews of database access were
resolved.
performed, and any issues identified were investigated and resolved.

Salesforce Services | 55
Control Description EY’s Test Procedures EY’s Test Results
AC-20. Internal Admin Portal logical Inspected the access review documentation for a sample quarter for Management sign off for the
access is reviewed on a quarterly each of the following to determine that Internal Admin Portal user Industry Cloud License
basis. Accounts identified as not being accounts were reviewed by management quarterly and accounts Management Internal Admin
appropriate are investigated and identified as inappropriate were investigated and resolved: Portal quarterly access review
resolved. was not documented, and
• Standard Internal Admin Portal
current and post user listings
• Salesforce Configure Price Quote (CPQ) and Salesforce Billing
generated for the review were
License Management Internal Admin Portal
not retained to evidence the
• B2B Commerce License Management Internal Admin Portal
completeness and accuracy of
• Industry Cloud License Management Internal Admin Portal the review.
• Salesforce.org License Management Internal Admin Portal
No exceptions were noted for
separate testing performed for
the License Management
Internal Admin Portal for the
other in-scope services and
Standard Internal Admin Portal
reviews.

Management Response: Salesforce management acknowledges that the identified artifacts were not retained for the sampled quarterly user
access review. Salesforce management has reviewed the sampled quarterly user access review details and confirmed the review included all in-
scope users within the Internal Admin Portal and user access was deemed appropriate. Refer to Section V of this report for additional details
provided by management.

AC-24. Customers are uniquely Inspected the application login page to determine that customers could No exceptions noted.
identified and authenticated and not access the application without a valid user ID and password that
cannot access the environment was provided when the customer signed up for the service.
without a valid user ID and password.

Salesforce Services | 56
Control Description EY’s Test Procedures EY’s Test Results
AC-29. Support personnel do not have Inspected Salesforce’s Grant Login Access support article to determine No exceptions noted.
access to log in as a customer unless the procedures for granting login access to Salesforce Support
authorized by the customer. personnel were documented.
Customers grant access for
Observed a system administrator attempt to access customer data on a No exceptions noted.
troubleshooting purposes and define
demo customer account prior to being granted access to determine
the duration of the access.
access to the customer accounts was not available.

Observed a system administrator on a demo customer account grant No exceptions noted.

login access for Salesforce Support to determine customer
authorization was required along with the specified systematically
enforced duration of access availability.

Observed a Salesforce Support individual access the demo customer No exceptions noted.
account through the application to determine the individual was logged
in as the system administrator on the demo customer account and
access was removed after the defined duration.

IA-02. Server, network device, and Inspected server and network device authentication system No exceptions noted.
database accounts are automatically configurations to determine user accounts were configured to
disabled after passwords expire and a automatically disable once passwords expired and if a new password
new password is not set. was not set.

Inspected maximum password life/age configuration for the database No exceptions noted.
account profiles to determine that database accounts were configured
to automatically disable once passwords expired and if a new
password was not set.

SC-02. Customers do not have direct For a sample of users with access to the underlying backend No exceptions noted.
access to the underlying backend infrastructure, selected from the system access lists, inspected the org
infrastructure to perform system chart records to determine access was restricted to Salesforce
management activities. employees.

Salesforce Services | 57
Control Description EY’s Test Procedures EY’s Test Results
SC-06. Production and non-production Inspected a network topology diagram to determine production No exceptions noted.
environments are segregated. networks were separated from the corporate and non-production
environments.

Inspected the configuration for a sample of production firewall devices, No exceptions noted.
selected from the asset inventory list to determine R&D (non-
production) traffic was denied.

Observed a user attempt to establish a connection between the non- No exceptions noted.
production and production networks to determine the environments
were segregated to prohibit network access and information flow.

SC-07. The application is designed to Inspected architecture documentation to determine the application was No exceptions noted.
prevent customers from accessing the designed to prevent a customer from accessing another customer’s
data of other customers. data.

Created two customer accounts and attempted to access each other’s No exceptions noted.
data and account to determine that the data and account information of
the other customer were not accessible.

SC-11. Encryption is used to protect Inspected policy documentation to determine encryption requirements No exceptions noted.
the confidentiality and integrity of and customer options for encryption were defined.
information being transmitted over the
Inspected the certificate details for the services login pages to No exceptions noted.
Internet between the Customer and
determine login credentials over the internet to the services were
Salesforce.
encrypted.

Salesforce Services | 58
Control Description EY’s Test Procedures EY’s Test Results
SC-13. Customer data is encrypted Inspected Salesforce’s encryption standards and procedures to No exceptions noted.
based on the Customer’s selection of determine it documented details of the encryption methods.
platform encryption or field-level
Inspected system configurations from the code repository to determine No exceptions noted.
encryption.
field data encryption was enforced based on customer specifications.

Inspected the data fields within a demo customer account to determine No exceptions noted.
field level data was encrypted per selections made on the demo
customer account.

Additional controls addressing this control objective are covered in the Salesforce Corporate Services SOC report and AWS SOC report.

Salesforce Services | 59
Control Objective 3: Network Architecture and Management

Controls provide reasonable assurance that systems are in place to prevent and detect unauthorized production access attempts and to protect the
integrity of customer data.

Control Description EY’s Test Procedures EY’s Test Results

AC-09. The Network Protection Inspected Salesforce’s Network Protection Standard and related No exceptions noted.
Standard and related implementation implementation documents to determine security protocols were
documents specify the required defined and the standard was reviewed annually.
security protocols and the standard is
reviewed/updated on an annual basis.

AU-02a. Production network devices, Inspected the logging and monitoring policy document to determine No exceptions noted.
databases and servers are configured logging and auditing requirements, including activities of privileged
to log privileged operations, authorized users, were defined.
access, and unauthorized access
Inspected the baseline configurations applied to production instances No exceptions noted.
attempts.
to determine they were configured to log privileged operations,
authorized access, and unauthorized access attempts, and transmit the
logs to a centralized logging system.

Inspected configurations for a sample of data centers, network devices, No exceptions noted.
and databases selected from the asset inventory to determine they
were configured to log privileged operations, authorized and
unauthorized access attempts.

AU-02b. Production network device, Inspected the baseline configurations applied to production instances No exceptions noted.
database, and server logs are to determine they were configured to log privileged operations,
transmitted to a centralized logging authorized access, and unauthorized access attempts, and transmit the
system. logs to a centralized logging system.

Observed a successful and unsuccessful login attempt on a sample No exceptions noted.

asset and inspected the corresponding details within the centralized
logging system to determine the events were logged.

Salesforce Services | 60
Control Description EY’s Test Procedures EY’s Test Results
Observed a privileged event and inspected the corresponding details No exceptions noted.
within the centralized logging system to determine the event was
logged.

AU-05. Activities performed by support Observed a system administrator on a demo customer account grant No exceptions noted.
personnel using the login as login access for Salesforce Support to determine authorization was
functionality for a given customer are required.
logged and available for customer
Observed a Salesforce Support individual access the demo customer No exceptions noted.
review.
account through the application using the login as functionality and
inspected the corresponding access logs to determine activities
performed were logged and available for customer review.

Inspected the retention configurations to determine logs were retained No exceptions noted.
for 6 months.

SC-09. Sessions into the production Inspected the secure virtual gateway configurations to determine they No exceptions noted.
infrastructure (network, servers, and were configured to automatically terminate production sessions after a
database) and the application are period of inactivity in accordance with policy.
automatically terminated after a period
Inspected the application configurations to determine it was configured No exceptions noted.
of inactivity and requires
to automatically terminate production sessions after a period of
reauthentication.
inactivity in accordance with policy.

Additional controls addressing this control objective are covered in the Salesforce Corporate Services SOC report and AWS SOC report.

Salesforce Services | 61
Control Objective 4: Application Change Management

Controls provide reasonable assurance that changes to applications are tested, approved and function in accordance with specifications to result in
complete, accurate, and timely processing of transactions.

Control Description EY’s Test Procedures EY’s Test Results

CM-04. Application changes are Inspected Salesforce’s Global Change Management Policy to No exceptions noted.
documented and tracked in an internal determine requirements and procedures for changes made to
ticketing system. production systems were defined.

Inspected the configurations of the code repository tools to determine No exceptions noted.
application changes to production code were tracked via a ticket or a
pull request.

CM-07. Access to deploy application Inspected the job title, reporting chain, and performed inquiry of the No exceptions noted.
changes to production environments is control owner for a sample of users with access to make changes to
restricted to authorized personnel. production environments, obtained from the system access lists, to
determine access to make changes to production environments was
restricted to authorized Engineering personnel.

SA-03. Application releases into Inspected the ticket details for a sample of application releases into No exceptions noted.
production do not occur until production, selected from the release tool, to determine appropriate
appropriate sign-offs are obtained and sign-offs were obtained prior to release into production based on the
documented. release type.

SI-08. Application code changes are Inspected system configurations within the code repository tools to No exceptions noted.
tested and/or peer reviewed prior to determine testing and/or peer review of application code changes was
implementation into production. systematically required prior to being merged with the release.

Inspected details for a sample of application code changes selected No exceptions noted.
from the ticketing system and the code repository to determine testing
was successfully completed prior to production release.

Additional controls addressing this control objective are covered in the Salesforce Corporate Services SOC report and AWS SOC report.

Salesforce Services | 62
Control Objective 5: Incident Management

Controls provide reasonable assurance that incidents are identified, tracked, recorded, and resolved in a complete, accurate, and timely manner to
prevent the potential loss or access data as desired.

Control Description EY’s Test Procedures EY’s Test Results

AU-02a. Production network devices, Inspected the logging and monitoring policy document to determine No exceptions noted.
databases and servers are configured logging and auditing requirements, including activities of privileged
to log privileged operations, authorized users, were defined.
access, and unauthorized access
Inspected the baseline configurations applied to production instances No exceptions noted.
attempts.
to determine they were configured to log privileged operations,
authorized access, and unauthorized access attempts, and transmit the
logs to a centralized logging system.

Inspected configurations for a sample of data centers, network devices, No exceptions noted.
and databases selected from the asset inventory to determine they
were configured to log privileged operations, authorized and
unauthorized access attempts.

AU-02b. Production network device, Inspected the baseline configurations applied to production instances No exceptions noted.
database, and server logs are to determine they were configured to log privileged operations,
transmitted to a centralized logging authorized access, and unauthorized access attempts, and transmit the
system. logs to a centralized logging system.

Observed a successful and unsuccessful login attempt on a sample No exceptions noted.

asset and inspected the corresponding details within the centralized
logging system to determine the events were logged.

Observed a privileged event and inspected the corresponding details No exceptions noted.
within the centralized logging system to determine the event was
logged.

Salesforce Services | 63
Control Description EY’s Test Procedures EY’s Test Results
CP-07. Production systems are Inspected the monitoring configuration in the centralized configuration No exceptions noted.
monitored for availability. Performance management tool to determine hosts were monitored for availability.
incidents are documented in a
Inspected the availability monitoring dashboard to determine production No exceptions noted.
ticketing system.
systems were monitored for availability.

Inspected ticket details for a sample performance incidents selected No exceptions noted.
from the ticketing system to determine the incident was documented
and tracked to resolution.

Inspected the on-call monitoring schedule to determine on-call No exceptions noted.

personnel were assigned for responding to alerts.

IR-03. Incident handling capabilities for Inspected Incident Response documentation to determine No exceptions noted.
performance incidents have been requirements and procedures for handling performance incidents were
implemented. Performance incidents defined, including assignment of severity levels to prioritize their
are assigned a severity level to importance.
prioritize their importance.
Inspected ticket details for a sample of performance incidents selected No exceptions noted.
from the ticketing system to determine the incidents were documented
and assigned a severity level to prioritize their importance.

IR-04. Investigation and corrective Inspected ticket details for a sample of performance incidents selected No exceptions noted.
actions for performance incidents are from the ticketing system to determine investigation and corrective
documented and shared with key actions were documented and shared with key personnel.
personnel.

SC-03. Internal and external Domain Inspected the internal and external DNS configurations for the domain No exceptions noted.
Name Service (DNS) servers are to determine they were redundant and fault tolerant.
redundant and fault-tolerant.
Inspected the internal and external DNS configurations on a POD for a No exceptions noted.
sample of in-scope production data centers to determine they were
redundant and fault-tolerant.

Additional controls addressing this control objective are covered in the Salesforce Corporate Services SOC report and AWS SOC report.

Salesforce Services | 64
Control Objective 6: Backup and Recovery

Controls provide reasonable assurance that data is backed up and procedures are employed to maintain the integrity of the backup media to permit
timely restoration.

Control Description EY’s Test Procedures EY’s Test Results

CP-05. A disaster recovery plan is Inspected Salesforce’s Infrastructure Engineering Disaster Recovery No exceptions noted.
tested annually to determine the Plan to determine annual disaster recovery activities were required to
effectiveness of the plan and the test the established Recovery Time Objective (RTO), Recovery Point
results of testing are reviewed and Objective (RPO), and failover to alternate processing sites.
corrective action is taken as
Inspected the site switch schedule to determine a schedule for failover No exceptions noted.
necessary, or the system is configured
testing was defined.
for high availability across multiple
availability zones. Inspected tickets for a sample of site switches selected from the site No exceptions noted.
switch schedule to determine failover to alternative processing sites
was performed, the RTO and RPO were tested, the results were
reviewed, and corrective actions were taken as necessary.

Inspected system configurations of Private Connect to determine the No exceptions noted.

production systems were configured for high availability across multiple
availability zones.

CP-12. Database backups are Inspected Salesforce’s Database Backup Procedures to determine No exceptions noted.
performed and retained in accordance requirements and procedures for performing system backups were
with the defined schedule in the documented.
Database Backup Procedures.
Inspected the database backup schedule and associated backup No exceptions noted.
scripts for a sample of PODS selected from the trust.salesforce website
to determine backups were configured in accordance with the defined
schedule and retention requirements.

Salesforce Services | 65
Control Description EY’s Test Procedures EY’s Test Results
CP-13. Production data in Fileforce Inspected Fileforce replication settings for a sample of PODS selected No exceptions noted.
servers is replicated near real time from the trust.salesforce.com site to determine they were configured to
from the primary site to a secondary replicate Fileforce data from the primary site to the secondary site in
site. near real-time.

Observed a user create and save a file attachment to determine the file No exceptions noted.
was saved to the primary Fileforce site and replicated to the secondary
site in near real-time.

Inspected the Fileforce replication status for a sample of PODS No exceptions noted.
selected from the trust.salesforce.com site to determine production
data in Fileforce servers was successfully replicated from the primary
site to a secondary site.

Additional controls addressing this control objective are covered in the Salesforce Corporate Services SOC report and AWS SOC report.

Salesforce Services | 66
Control Objective 7: Infrastructure Change Management

Controls provide reasonable assurance that changes to the Covered Services infrastructure are documented, approved, and implemented in
accordance with specifications to provide for its availability of processing.

Control Description EY’s Test Procedures EY’s Test Results

CM-02. A version management Inspected the version management system to determine current and No exceptions noted.
system is utilized to maintain current prior configurations for production servers, network devices, and
and prior configurations for production databases were maintained.
servers, network devices, and
databases.

CM-05a. Changes to infrastructure Inspected ticket details for a sample of infrastructure changes selected No exceptions noted.
components are subject to peer review from the ticketing system to determine the change was peer reviewed
and/or approval by management. and/or approved by management prior to implementation and was
implemented by an individual separate from the approver.

CM-05b. Standard Pre-Approved Inspected the implementation details for a sample of Standard Pre- No exceptions noted.
changes relate to low-risk recurring Approved infrastructure changes selected from the ticketing system to
changes that utilize established pre- determine the changes were implemented using a standard pre-
approved templates or are approved template or were systematically implemented based on the
systematically implemented based on pre-approved change category.
the pre-approved change category.

CM-06a. A change risk impact Inspected the change details for a sample of the production No exceptions noted.
analysis is documented prior to infrastructure changes selected from the ticketing system to determine
implementing an infrastructure a change risk impact analysis was documented prior to implementing
change, as necessary based on the the infrastructure change, as necessary, based on the nature of the
nature of the change. change.

CM-06b. A roll-back plan is Inspected the change details for a sample of production infrastructure No exceptions noted.
documented prior to implementing an changes selected from the ticketing system to determine a roll-back
infrastructure change, as necessary, plan was documented prior to implementing the infrastructure change,
based on the nature of the change. as necessary, based on the nature of the change.

Salesforce Services | 67
Control Description EY’s Test Procedures EY’s Test Results
CM-13. A centralized management Inspected the centralized configuration management tool to determine No exceptions noted.
tool is utilized to configure and monitor it was configured to check in with the hosts periodically and
production infrastructure. automatically update hosts to the approved system baseline.

Inspected configurations for a sample of production hosts selected from No exceptions noted.
the asset inventory to determine the centralized configuration
management agent was installed.

Observed a user make a change directly on an example production No exceptions noted.

host to determine after the specified period of time, the configuration
management system automatically update the host to the approved
baseline.

Inspected network device configuration management tool to determine No exceptions noted.

it existed to support the initiation and set up of network devices using
pre-defined baseline configuration.

Inspected the database configuration management tool to determine No exceptions noted.

that changes to database configurations that are not within the baseline
configurations resulted in alert for investigation.

Additional controls addressing this control objective are covered in the Salesforce Corporate Services SOC report and AWS SOC report.

Salesforce Services | 68
Section V: Other Information
Provided by salesforce
Management Responses to Exceptions Identified
Control Description Exception Noted by EY Management Response
AC-13. Access privileges are For one (1) of five (5) users selected for testing from the Salesforce Salesforce is in process of
approved by management and Configure Price Quote (CPQ) and Salesforce Billing, and B2B migrating Salesforce
documented prior to provisioning or Commerce License Management Internal Admin Portals, we Configure Price Quote (CPQ)
access is granted by default based on determined that evidence of authorization prior to the role being and Salesforce Billing License
the user’s job function. granted did not exist. Management Internal Admin
Portal access to an automated
No population existed for testing of the Industry Cloud and Identity and Access
Salesforce.org License Management Internal Admin Portals. Management system that
includes an access
No issues were identified with our separate sample-based testing for provisioning and approval
Production Access (Network devices, Servers, Database, and the workflow in alignment with
Standard Internal Admin Portal). Salesforce Security
Standards.

AC-15. Internal Admin Portal user For six (6) of the total population of seven (7) terminated users with Salesforce is in process of
access is revoked timely following the access to Salesforce Configure Price Quote (CPQ) and Salesforce migrating Salesforce
creation of a termination case in Billing, and B2B Commerce License Management Internal Admin Configure Price Quote (CPQ)
accordance with Salesforce Security Portals, determined access was not removed timely in accordance with and Salesforce Billing License
Standard. policy. Management Internal Admin
Portal access to an automated
No population existed for testing of the Industry Cloud and Identity and Access
Salesforce.org License Management Internal Admin Portals which Management system to
follows a separate termination process. manage the deprovisioning
workflow in alignment with
No issues were identified with our separate sample-based testing for Salesforce Security
Standard Internal Admin Portal. Standards.

Salesforce Services | 70
Control Description Exception Noted by EY Management Response
AC-18. Production network and server Observed that while the quarterly access review for the Government Salesforce is in the process of
user account access is reviewed on a Cloud environment was completed and actions were taken as required enhancing the account review
quarterly basis. Accounts identified for based on the review, the review was not completed timely per policy process to incorporate
removal are investigated and resolved. (was completed 2 months after the review deadline). automation and assign
dedicated teams to conduct all
No issues identified related to the review for the other system reviews in a timely manner.
components in scope.

AC-20. Internal Admin Portal logical Management sign off for the Industry Cloud License Management The Salesforce Industry Cloud
access is reviewed on a quarterly Internal Admin Portal quarterly access review was not documented, team is making enhancements
basis. Accounts identified as not being and current and post user listings generated for the review were not to the quarterly access review
appropriate are investigated and retained to evidence the completeness and accuracy of the review. process to ensure the user
resolved. listing used to perform the
No exceptions were noted for separate testing performed for the access review, the post review
License Management Internal Admin Portal for the other in-scope user listing to demonstrate all
services and Standard Internal Admin Portal reviews. identified access issues were
resolved, and formal sign-off
upon completion of the
quarterly user access review is
captured and attached the
quarterly user access review
tickets.

Salesforce Services | 71
Glossary of Terms
Listed below are commonly used terms throughout the Salesforce SOC reports. Any other terms will be
defined in the report.

ACL Access Control Lists

AICPA American Institute of Certified Public Accountants
AWS Amazon Web Services
BCP Business Continuity Program
BIA Business Impact Analysis
BOD Board of Directors
CMT Crisis Management Team
Company Salesforce
COSO Committee of Sponsoring Organizations of the Treadway Commission
CSOCs Complementary Subservice Organization Controls
CSF Cybersecurity Framework
CSIRT Computer Security Incident Response Team
DPA Data Processing Addendum
FedRAMP Federal Risk and Authorization Management Program
GRC Governance, Risk and Compliance
IDS Intrusion Detection System
IPE Information Provided by the Entity
ISMS Information Security Management System
ISO International Organization for Standards
LLP Limited Liability Partnership
MSA Master Subscription Agreement
MFA Multi-factor Authentication
NIST National Institute of Standards and Technology
PCI-DSS Payment Card Industry Data Security Standard
SLA Service Level Agreement
SOC System and Organization Controls
SPARC Security, Privacy, and Architecture documentation
SR Site Reliability
SSDL Salesforce Secure Development Lifecycle
TLS Transport Layer Security
U.S. United States
VAP Vendor Audit Program
V2MOM Vision, Values, Methods, Obstacles and Measures

Salesforce Services | 72