ARPEDIO Security Document - FAQ
© 2016 ARPEDIO Solutions Aps All Rights Reserved
First of all, it is important to reiterate that ARPEDIO Sales and ARPEDIO Stakeholder Matrix are native Salesforce.com products and are therefore approved by Salesforce for sale on the Salesforce.com AppExchange. This means that the apps have gone through a detailed security process for acceptance; all the details can be found here: Force.com security review.
Installation into customer environments is controlled as an SFDC managed package, which can be installed, upgraded and uninstalled from the instance via the “Installed packages” functionality in Salesforce.
What is the application workflow?
- Application installed from AppExchange
- Templates configured by Salesforce admin user
- Template published and app access granted to users
- Sales reps and/or account managers make assessments and plans on opportunities and/or accounts
- Sales managers review sales strategies and account plans in one-pager reports
- VP Sales and sales managers review consolidated pipeline data and/or customer overviews in heatmap reports
What data will be stored at ARPEDIO?
All customer data is stored and utilized in the customer’s own SFDC instance.
Where will the customer data be stored?
See the previous answer. Great efforts have also been made to minimize the data storage needs.
How is customer data separated from other customers at ARPEDIO?
As data resides only in the customer’s SFDC instance, that is not an issue.
Who will have access to customer data?
The app is a managed package and thus takes advantage of all the features of a managed package. In addition, user setup and user access control are handled with standard SFDC access control, selected and managed by the system administrator. The system admin will have access to the template builder, and other users will have access only to ARPEDIO data on objects that they would otherwise have access to with their SFDC user.
Can I review the last 2 security tests from salesforce.com?
All of the security review documentation is public, but we do not have access to the specific review results for ARPEDIO. ARPEDIO gets an Approved or Rejected result from SFDC. The app cannot be on the AppExchange without being in the approved stage. The links below should help in understanding the process:
OWASP Best Practices (linked from Requirements)
How often does the ARPEDIO application go through a security review?
Security review is a periodic, point-in-time review at an interval determined by salesforce.com (typically anywhere between 6 months and 2 years). When partners upload a new package version to the AppExchange and attempt to associate it with their listing, we automatically run a source code analysis against the Force.com code to identify potential security vulnerabilities. If issues are identified, partners receive a report via email and are requested to address the issues immediately.
SFDC reserves the right to conduct random security penetration tests on partner applications at any time. If they find that partners have deviated from the security standards and best practices, SFDC may remove their application from the AppExchange.
What is the MTTR for outages?
ARPEDIO has had no outages in its lifetime to date, but any customer issues are handled via tiered customer support with max. response times within 24 hrs. for standard severity issues. Depending on customer requirements, SLAs are negotiable.
Will ARPEDIO be liable to any penalties if the service is not up?
This depends on the SLA, but typically not, since the app runs in the customer’s environment on the SFDC instance.
What is the process to on-board and decommission user accounts?
Licenses and control of user accounts are handled via the functionality in “Installed packages”.
If customer data is compromised, what is the policy for notifying customers?
As all customer data is stored and utilized in the customer’s own SFDC instance, this is not an issue.
Is data encrypted at rest? If so, by what method?
All customer data is stored and utilized in the customer’s own SFDC instance and is encrypted as such.
How long is the data stored on site?
All customer data is stored and utilized in the customer’s own SFDC instance.
If the data is stored off site is it encrypted? If so, by what method?
If you have questions or comments, please send them to us at firstname.lastname@example.org or contact us at:
ARPEDIO Solutions APS
Frederiksgade 7, 2nd floor
1265 Copenhagen K