This page explains how DataTools Pro protects your data and keeps our Salesforce AppExchange solutions secure and available.
Last updated: 2025-10-10
Our Commitment
- Security by design across the full software lifecycle.
- Privacy first: we collect the minimum required to operate the service.
- Transparency: clear documentation, responsible disclosure, and uptime reporting.
What We Operate
- Products: Salesforce AppExchange managed package(s), web app/portal, and public APIs.
- Hosting: AWS US-West1 is our primary AZ
- Tenancy: Shared‑schema (single‑schema), logically isolated by customer; strict least‑privilege access enforced.
Security by Design (SSDLC)
- Threat modeling for new features and major changes.
- Secure coding standards; peer reviews; automated SAST/DAST and dependency scanning.
- Infrastructure as Code with policy guardrails and change approvals.
Data Protection
- In transit: TLS 1.2+.
- At rest: AES‑256 encryption for databases, object storage, and backups.
- Access control: Role‑based access (RBAC), MFA for admin accounts, least‑privilege and just‑in‑time elevation.
- Audit logging: Centralized, immutable logs for admin actions, data exports, and auth events.
Tenancy Model
We operate a shared-schema, logically isolated architecture. All data access is scope-limited by a required per-tenant identifier enforced through database row-level policies and application-level checks. Administrative actions, background jobs, caches, logs, and exports are tenant-aware. We continuously monitor for cross-tenant access and enforce least-privilege service roles.
Why this meets Salesforce expectations: Salesforce’s security review accepts logical segregation when it’s properly enforced. Our design implements layered controls (DB policies + application checks), tenant-aware operations, monitoring, and auditable access trails to demonstrate effective isolation.
Compliance & Assurance
- Independent testing: We conduct annual third‑party penetration testing; an executive summary is available on request (under NDA).
- Control alignment (not certified): We align our controls to SOC 2 (Security, Availability, Confidentiality). We are not currently SOC 2 certified.
- Policies: Information Security, Incident Response, Business Continuity, Vendor Risk, Vulnerability Management.
Privacy & Data Residency
- Data minimized to business need; retention aligned to contract and law.
Subprocessors
We use carefully vetted service providers for hosting, monitoring, and support.
- Cloudways / AWS
- AWS
- Cloudflare
Availability & Continuity
- Nightly encrypted backups; periodic restore tests.
- Documented Disaster Recovery and Business Continuity plans, exercised at least annually.
- Status and uptime history:
Customer Responsibilities
Security is a shared responsibility. We recommend:
- Enforce SSO/MFA for your users and administrators.
- Grant least‑privilege roles and review access regularly.
- Keep Salesforce/org IP allowlists and data sharing rules current.
- Follow our hardening guides and apply updates promptly.
Responsible Disclosure
We value the security research community. If you believe you’ve found a vulnerability:
- Email support@datatoolspro.com with details and steps to reproduce.
We do not offer a public bounty program today, but we acknowledge researchers who responsibly report issues and qualify for safe harbor under our policy.
How to Reach Us
Quick FAQ
Do you store my Salesforce credentials?
No. We rely on secure OAuth flows and store tokens with AES 256 encryption. We never store tokens in code or logs.
Where is my data stored?
AWS West1 is our primary AWS region. We utilize AWS RDS for data storage. Region pinning may be available for enterprise tiers. Contact our support team for more details.
Can I get your latest security report?
Yes. Our annual third‑party penetration test executive summary is available on request (under NDA).
How fast do you remediate critical issues?
We prioritize immediate mitigation (hours) and target permanent fixes within days based on severity.
Subprocessors
| Subprocessor | Role | Data Types | Primary Locations |
|---|---|---|---|
| Amazon Web Services, Inc. (AWS) | Infrastructure provider (compute, RDS , object storage, web application logging/monitoring) | Application data stored in databases and object storage; operational logs/metrics | Primary AZ – US West -1 |
| Cloudways Ltd. | Managed hosting layer operating on AWS infrastructure (provisioning/orchestration, maintenance, limited administrative access) | Same categories as hosted workload when providing management services; operational metadata | Same AWS regions as above (infrastructure resides on AWS) |
| Cloudflare, Inc. | DNS, CDN, WAF, DDoS protection | IP addresses, request headers, URLs, cached static assets | Global edge network; origin in AWS region(s) above |
Trust Center Resources
