There are many things that go into building great customer relationships -- personalization, communication, consistency -- but few are as foundational as trust. Consumers don’t want to give their business to companies they don’t trust with their information. Since doing business and sharing personal information are two entwined activities in the modern world, trust has become more important than ever.
While new laws have started regulating how businesses use and store personal information (such as GDPR and CCPA), companies that proactively improve their security practices have big opportunities to continue building successful customer relationships and winning over the trust of new prospects.
If you’re using Salesforce, the good news is you’re already ahead of the curve. Salesforce incorporates a large array of security services out of the box, and there are countless options available to fine-tune your security preferences to your business and industry standards.
The thing is, most companies that use Salesforce don’t use it by itself -- over 71% of Salesforce customers use applications downloaded from the Salesforce AppExchange, and that number is only growing as more solutions are added to the marketplace every day. While you can rest assured that Salesforce will keep your data safe (it's trusted by top government and healthcare organizations around the world), the same can’t always be said for the applications that you use with the platform.
The S-Docs team compiled this guide to help you evaluate the security of Salesforce AppExchange apps, drawing from over ten years of experience as a trusted document generation and e-signature solution for Salesforce. Here are a few of our biggest recommendations for choosing the most secure solutions.
Our first piece of advice for evaluating the security of AppExchange apps is simple: head over to the app’s listing detail page to get a first impression of the app. It’s true that you can’t judge a book by its cover, and you can’t judge an app’s security by its AppExchange listing page -- but there are a few things on that page that can give you a head start on your app analysis. Here are a couple of things to look for as you glance through the page:
The top of every AppExchange listing will include a star rating, the date the app was first listed, and the date that the most recent version of the app was added to the AppExchange. That last date, shown as “Latest Release,” is the one you need to look out for.
You’ll likely come across many apps with latest releases ranging from a couple months ago to a couple years ago -- but sometimes you’ll find apps with “Latest Release” dates that are closer to the birth of the AppExchange itself than they are to the present.
It’s possible that installing an old application might pose a security risk simply by the nature of the app’s age. Since Salesforce’s security infrastructure and data security best practices are constantly being updated, older applications may not incorporate the latest security advancements.
However, an old “Latest Release” date doesn’t always mean that the app hasn’t been updated in a while; it could also mean that a newer version of the app exists that just isn’t on the AppExchange. If you’ve found an older app that you think your business might really benefit from, contact the app vendor for information about a more up-to-date version.
While it’s true that an app’s reviews aren’t necessarily a good indication of that app’s security infrastructure, it doesn’t hurt to glance through them and see what others have said about the app in the past. It’s possible that a reviewer has pointed something out about the app that you didn’t notice during your initial evaluation.
Pay attention to the dates on the reviews, too -- older reviews might not be a good representation of the app in its current state.
After you’re done looking through an app’s listing detail page, it’s time to dive in a little deeper. The next thing to look for during your app security review is whether or not the application requires external services or platforms to work, as well as whether or not it stores data on those external platforms.
There are a few ways to figure this out. The easiest way is to click the “Get It Now” button on the app’s listing detail page to begin the installation process (but you don’t actually have to complete it at this time). If during this process the app prompts you to authorize access to third-party websites, then you can be sure that it uses external services or platforms.
It’s also possible to figure this out by visiting the application’s website and poking around in their documentation, if it’s available; they’ll likely have information there about the external platforms or services that their app utilizes.
We’ve established that Salesforce itself is a secure solution with multiple data security measures in place -- after all, your team already trusts it with your sensitive business data. However, an application that uses external services or platforms is only as secure as its weakest link.
Although Salesforce isn’t the only secure platform available, whenever a new platform or service that handles your data is added, another security risk is introduced. Applications that rely on external platforms by nature require your data to be transferred away from Salesforce for processing. Each time your data changes possession, another vulnerability is created.
If an AppExchange application also stores data on a platform other than Salesforce, this could be a problem for your organization for a number of reasons. As we said before, introducing another platform introduces another opportunity for a data breach. Your IT department probably spent a great deal of time and resources vetting Salesforce as a secure platform to trust with your company’s data; the same process would likely need to be repeated for the additional platforms that an app is using to store data. Additionally, it's hard to know who really has access to your data when it's being stored (even temporarily) on other platforms. The more platforms with access to your data, the less secure it is.
We get it -- evaluating the security of any new Salesforce application is going to take some time; data security is of the utmost importance, and it shouldn’t be taken lightly. However, it doesn’t have to take too much time. There is one thing you can do that will significantly cut down on your evaluation timeline: choose native Salesforce applications first.
Native Salesforce applications are built on the Salesforce platform, meaning that they are hosted and operated entirely within the Salesforce cloud. When you choose a native app, you don’t have to worry about whether or not that application uses or stores data on third-party platforms or services. Native apps live completely within Salesforce, and the data they process does too. Native apps allow your security team to rest assured that no additional platform vetting will be required, since all of your organization’s data will remain in your already-approved Salesforce environment.
Native Salesforce applications have more out-of-box security benefits than any other type of application on the AppExchange. While native solutions are not a universal answer to every Salesforce need, we recommend looking to them first before seeking out non-native alternatives. Here are just a few of the security benefits that come with native apps:
Seeking out native applications first is a significant step towards finding and implementing the most secure solutions for your Salesforce org. However, discerning which apps are truly native can be surprisingly difficult. Some apps that aren’t 100% native try to capitalize on the marketing advantage that being native comes with, using phrases in their listings like “native integration,” “on-platform,” and “without ever leaving Salesforce.” Apps that include some native aspects, but still require you to connect your Salesforce org to external URLs, are not truly native, and do not come with all of the security features that 100% native apps do.
To figure out whether or not an AppExchange app is truly native, head back to the AppExchange listing detail page, and look under the highlights table on the left. Only 100% native applications will be designated as native in this table.
If you’re still not convinced, click the Get It Now button, and initiate the installation process again. If you’re prompted to grant access to any third-party sites, then the app is not native. If not, you can rest assured that the application is truly native.
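If you have installed the app in a sandbox, the same question about external platforms can also be checked from the org's metadata. Remote site settings are where Salesforce records the external URLs that Apex code in an org is allowed to call. The script below is an added example, not S-Docs or Salesforce code: it reads `RemoteSiteSetting` metadata files and lists every active external host. The `acme__` file names and the URLs are constructed sample data.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "http://soap.sforce.com/2006/04/metadata"}
HEAD = '<RemoteSiteSetting xmlns="http://soap.sforce.com/2006/04/metadata">'

def sample(insecure, active, url):
    """Build a constructed file body shaped like *.remoteSite-meta.xml."""
    return (f"{HEAD}<disableProtocolSecurity>{insecure}</disableProtocolSecurity>"
            f"<isActive>{active}</isActive><url>{url}</url></RemoteSiteSetting>")

# Constructed sample input: three remote site settings from a hypothetical package.
SAMPLE_FILES = {
    "acme__RenderService.remoteSite-meta.xml": sample("false", "true", "https://render.example.com"),
    "acme__LegacySync.remoteSite-meta.xml": sample("true", "true", "http://sync.example.net"),
    "acme__OldEndpoint.remoteSite-meta.xml": sample("false", "false", "https://old.example.org"),
}

def audit_remote_sites(files):
    """Return (file name, host, flags) for every active remote site setting."""
    findings = []
    for name, text in sorted(files.items()):
        root = ET.fromstring(text.encode("utf-8"))

        def field(tag):
            return root.findtext(f"md:{tag}", default="", namespaces=NS).strip()

        if field("isActive").lower() != "true":
            continue  # inactive entries do not permit callouts
        url = urlparse(field("url"))
        flags = []
        if url.scheme != "https":
            flags.append("cleartext-http")  # data would leave the org unencrypted
        if field("disableProtocolSecurity").lower() == "true":
            flags.append("protocol-security-disabled")
        findings.append((name, url.hostname, flags))
    return findings

def external_hosts(files):
    """Sorted list of distinct external hosts the org is allowed to call."""
    return sorted({host for _, host, _ in audit_remote_sites(files)})

if __name__ == "__main__":
    for name, host, flags in audit_remote_sites(SAMPLE_FILES):
        print(f"{host:22} {name}  {', '.join(flags) or 'ok'}")
```

Every host in the output is a platform your security team would need to vet alongside Salesforce. An empty list covers remote site settings only, so keep asking the vendor about any other external services the app uses.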
When in doubt, asking the right questions can help give you a better understanding of an app’s security infrastructure. Here are some additional key questions to ask your vendor during your evaluation of an AppExchange application:
S-Docs is the only 100% native document generation and e-signature solution available on the Salesforce AppExchange, and it’s free with up to 2 templates. S-Docs holds all of the security benefits that come with native applications -- documents are designed, generated, emailed, and signed within Salesforce, and your data doesn’t leave your org.
The native benefits don’t stop at security -- S-Docs is faster, more reliable, and easier to use. Top government, healthcare, and financial service firms around the world trust S-Docs with all of their Salesforce document generation and e-signature needs. Being native allows it to work great with any Salesforce product, from Service Cloud, to Shield, to Government and Healthcare Clouds.
Get started today by contacting us to request a customized demo, or reach out directly to sales@sdocs.com.