Questions
Security FAQ
The questions we hear most often from security and procurement teams.
- Do you read the data in our Salesforce records?
- No. We read metadata only — the definitions of objects, fields, relationships, and permissions — through a strict allowlist that structurally cannot query record values.
- How is our connection secured?
- You connect over OAuth. The resulting tokens are encrypted at rest with AES-256-GCM in an isolated database schema that is not exposed by our public API. All traffic is TLS, with HSTS enforced in production.
- How do you keep tenants isolated?
- Every record is scoped to an account and enforced by Postgres row-level security, so one customer can never access another customer’s metadata.
- Do you support MFA and SSO?
- Yes. Multi-factor authentication is available to every user and required for administrators. Enterprise SSO (SAML/OIDC) and SCIM provisioning are available for enterprise plans, with automatic deprovisioning on offboarding.
- Which subprocessors do you use?
- We maintain a current subprocessor list with each vendor’s purpose and processing location. See the Subprocessors page.
- Are you SOC 2 compliant?
- We are pursuing a SOC 2 examination by an independent CPA across the Security, Availability, and Confidentiality criteria. We show our real status here and never display a certification we haven’t earned; the report will be available on request once issued.
- How do we get your SOC 2 report or security documents?
- Request them from the Documents page. Confidential documents are shared under a click-through NDA via a time-limited link.
- How do we report a security vulnerability?
- Email security@schemaforce.com, or see our security contact page for our coordinated-disclosure policy and security.txt.