Protecting your data

Protecting your data is our number one concern. MosaicRM’s technology is built and runs on the® platform (SFDC), one of the most secure and robust development and hosting platforms in the world.

Application Security

Multi-Tenant Security – Every row in the database contains the customer’s orgID. Every request to the database is restricted by the user’s orgID and any application-specific privileges that apply.

Code Reviews – All SFDC code is subject to coding standards and peer reviews. High-risk features go through a threat-modeling exercise to further anticipate and reduce risk.

Testing – Manual and automated testing techniques are used to test all SFDC code.

Penetration Testing – Critical features are penetration tested by the SFDC product security team.

Server Security – All servers are subject to standard build specifications that include removing unnecessary processes, accounts, and protocols. All services are run on non-root accounts.

Password Encryption – User passwords are cryptographically hashed via SHA 256 before being stored in the database.

Password Security – Password settings can be configured to include security measures such as expiration timers, re-use restrictions, complexity rules, and failed login limits.

Login Restrictions – Access can be limited by source IP address and/or time of day.

Session Timeout – The number of minutes a session can be idle before the server automatically logs the user out can be specified.

Single Sign-On – Access to the application can be granted automatically via corporate directory.

Identity Confirmation – The first time a user logs in using a new computer, they must request an activation link, which then comes to them via email. Once installed on the computer, logins proceed without interruption. This is a defense against phishing and stolen
user credentials.

Login History – A six-month login history is available for review at
any time.

Network Security

Firewalls – Access is limited to certain ports by a series of firewalls, including ones between the application servers and the database servers.

Antivirus – Antivirus software is active on all servers.

Log Files – Activity logs from all production devices and servers are sent in real-time to a Security Event Management (SEM) system that correlates, reports, and alerts on events.

System Monitoring – All networks and servers are monitored to ensure they are up and running properly.

SSL – All data transferred between the user’s browser and SFDC’s servers are protected using Secure Sockets Layer (SSL) encryption.

Intrusion Detection – Intrusion detection systems proactively monitor for malicious network traffic.

Access Control – A specific process defines the requirements for access management, code development and release, encryption, change management, and disciplinary action.

Administrative Access – Administrator access to the production infrastructure requires two-factor authentication.

Threat Monitoring – Threat alerts from SANS, CERT, OWASP, Cisco, F5, Red Hat, and others are reviewed by the information security team and escalated as appropriate.

Perimeter Monitoring – Periodic vulnerability scanning and continuous perimeter monitoring are done by third-party firms to detect changes in IP addresses, ports opened, service versions, and SSL certificate expirations.

Patches – Security patches are applied proactively based on vendor recommendations.

Employee Security

Background Check – A background check is done for all employees (the SFDC environment is managed by full-time employees), including criminal history, job history, and educational credentials.

Security Training – All SFDC employees attend security awareness training and re-certify annually.

Hosting Facility Physical Security

Unmarked Buildings – Facilities are low-profile buildings with no company signage.

Locations – Facilities have multiple transit access routes and are within close proximity of law enforcement and emergency services.

Security Personnel – 24/7/365 on-site staff provides protection against unauthorized entry.

Visitor Sign-In – All facility visitors are required to sign-in at the security desk.

Alarmed Exits – All emergency exit doors are alarmed.

Video Surveillance – Cameras record all motion throughout the facility.

Security Badges – All physical access to the facility is electronically logged.

Biometric Scanning – Multifactor biometric scanning is required to access the computer room.

Production Environment

UPS – Upon power loss, uninterruptible power supply (UPS) systems can provide 30 minutes of battery life under peak load.

Generators – Enough fuel is stored to provide 48 hours of power under full load.

Network Redundancy – Multiple communication providers are used, and they enter the building through numerous secure, protected paths.

Storage Redundancy – RAID storage ensures that there will be no interruption of service if a hard drive fails.

Disaster Recovery – In the event of a major disaster at the primary data center in San José, users will be able to login to the full-scale disaster recovery site in Northern Virginia. The RPO (recovery point objective) is four hours and the RTO (recovery time objective) is 12 hours.

Disaster Recovery Test – The disaster recovery process is tested at least annually.

Server Redundancy – The application tier has load-balanced, redundant servers. If an application server fails, users are able to login immediately with no data loss. The database tier has redundant servers as well. If the database server fails, users are able to login again within minutes with no data loss.

Backups – At the primary data center, database backups are done in real-time. Also, near real-time backups are done to the disaster recovery site.

Backup Media – No backup media leave the data center. Secure destruction methods are used to destroy backup media at the end of their usable life.

Audits – SFDC is ISO 27001 certified and SAS 70/SSAE 16 Type II certified.

Exporting Your Data

You own your data. Each object in the database can be exported into a CSV file. Uploaded documents are downloaded as a Zip file in their native format and are tagged with their associated record.

Additional information

Salesforce Technical Details Download