Security Statement

Statement Scope

This document describes the architecture related to the SalesMethods products Plan2Close, Plan2Prosper, and OrgChartPlus, and the company SalesMethods.

General Architecture

SalesMethods does not maintain any infrastructure for the products as all products are fully native to Salesforce. All customer data is stored on and processing performed on the customers own infrastructure as maintained by Salesforce. The installation of SalesMethods products will not compromise any segregation of applications and databases managed by Salesforce.

Data Transmission

SalesMethods products do not transmit customer data in or out of the Salesforce data center, save for transmission to end user clients. This process is managed by Salesforce and their platform ensures encryption is maintained. SalesMethods products may send e-mails for administration purposes. The Salesforce mechanism for emailing data is used and security will not be compromised.

Identity and Access Management

As native products, Plan2Close, Plan2Prosper, and OrgChartPlus rely on the Salesforce infrastructure for identity and access management. No additional system is provided or required.

Auditing and Logging

As native products, Plan2Close, Plan2Prosper, and OrgChartPlus rely on the Salesforce infrastructure for auditing and logging. No additional system is provided or required. Customers requiring an audit of product usage may collect this data using the standard Salesforce report writing tool. SalesMethods products perform database writes and this in turn causes the Last Modified Date and Last Modified By fields to be updated. These can be reported on.

Application Hardening

The SalesMethods applications are security reviewed by Salesforce before being accepted onto the AppExchange. This includes checks for SQL Injection vulnerabilities and conformance with Salesforce security APIs. SalesMethods will ensure that the applications continue to pass the relevant Salesforce security reviews.
The application will not compromise Salesforce’s ability to be free of input validation flaws that allow for malicious script injection attacks, such as cross site scripting, SQL injection, denial of service attacks, phishing, and similar forms of attack.
Unnecessary application or system information will not be disclosed when the application encounters an error or when forbidden resources are accessed.

Data Protection

The application will not compromise Salesforce’s ability to segregate Customer Data from data of other clients. Production data will not be used in non-production environments without the explicit permission of the Customer Data owner. If production data is stored in non-production environments, the Customer must ensure same security control used in production must be implemented in the non-production environment.

Change Management

Segregation of duties must be enforced.
The SalesMethods development team will not have access to the production environment unless duly authorized by the Customer for specific events. A Customer team must be assigned to update code or data in the production environment.
Authorization procedures will be in place to ensure that only the approved version of the code/data/configurations will be made available for Customer to download into either test or production environments.
SalesMethods can assist the Customer team to perform final acceptance testing. SalesMethods will implement software development version controls that enable identification of each version of the SalesMethods software.

Business Continuity and Disaster Recovery

It is the responsibility of Salesforce and the customer to ensure business continuity in the event of a disaster. SalesMethods has no access to customer data and cannot perform a restoration of data in the event of loss.
It is the responsibility of the Customer to maintain backups of their data, SalesMethods can assist as required to restore the data into a production environment.

Third-Party Contracting

Where other third-party applications or services (other than those provided by Salesforce) must be engaged by SalesMethods, SalesMethods’ contract with any third-party will clearly state security requirements consistent with the security requirements of this Statement. In addition, service level agreements with the third party will be clearly defined. For the avoidance of doubt, the Customer will contract direct with Salesforce for those services that will be provided by Salesforce.

Any external party or resources gaining access to systems (other than in relation to Salesforce) SalesMethods will be covered by a signed agreement containing confidentiality language consistent with the confidentiality and security requirements of this Agreement. For the avoidance of doubt, the Customer will have a contract direct with Salesforce that will deal with system access by Salesforce.