Questions

Security FAQ

The questions we hear most often from security and procurement teams.

Do you read the data in our Salesforce records?
No. We read metadata only — the definitions of objects, fields, relationships, and permissions — through a strict allowlist that structurally cannot query record values.
How is our connection secured?
You connect over OAuth. The resulting tokens are encrypted at rest with AES-256-GCM in an isolated database schema that is not exposed by our public API. All traffic is TLS, with HSTS enforced in production.
How do you keep tenants isolated?
Every record is scoped to an account and enforced by Postgres row-level security, so one customer can never access another customer’s metadata.
Do you support MFA and SSO?
Yes. Multi-factor authentication is available to every user and required for administrators. Enterprise SSO (SAML/OIDC) and SCIM provisioning are available for enterprise plans, with automatic deprovisioning on offboarding.
Which subprocessors do you use?
We maintain a current subprocessor list with each vendor’s purpose and processing location. See the Subprocessors page.
Are you SOC 2 compliant?
We are pursuing a SOC 2 examination by an independent CPA across the Security, Availability, and Confidentiality criteria. We show our real status here and never display a certification we haven’t earned; the report will be available on request once issued.
How do we get your SOC 2 report or security documents?
Request them from the Documents page. Confidential documents are shared under a click-through NDA via a time-limited link.
How do we report a security vulnerability?
Email security@schemaforce.com, or see our security contact page for our coordinated-disclosure policy and security.txt.