Metadata only — never your records

Security & trust at SchemaForce

We connect to your Salesforce org to document its schema — not to read your data. This is how we secure that connection, who we rely on, and where we are on the road to SOC 2.

Compliance status

SOC 2 — readiness in progress

We are pursuing a SOC 2 examination by an independent CPA across the Security, Availability, and Confidentiality criteria. We don’t display a certification we haven’t earned — this page tracks our real, current posture, and our report will be available here (on request) once issued.

Security

Protection against unauthorized access.

Availability

The system is available for operation and use.

Confidentiality

Information designated confidential is protected.

How we protect your data

Metadata only — never your records

We read the shape of your Salesforce org (objects, fields, relationships, permissions) through a strict SOQL allowlist. Record data is structurally out of reach.

Encrypted at rest and in transit

OAuth tokens are encrypted with AES-256-GCM in an isolated database schema not exposed by our public API. All traffic is TLS, with HSTS in production.

Tenant isolation by default

Every row is scoped to an account and enforced by Postgres row-level security — one tenant can never read another’s metadata.

Least privilege & read-only

Role-based permissions with a read-only fail-safe. The single write back to your org (a field description) requires an explicit, separately-gated permission.

MFA & enterprise identity

Multi-factor auth is available to every user and required for administrators. SSO (SAML/OIDC) and SCIM provisioning are available for enterprise plans.

Audit trail

Security-relevant events and schema changes are recorded in append-only logs for accountability and evidence.