Security

Certified Security | ISO 27001

Independent audits confirm that our security goes far beyond what most companies have been able to achieve on their own.
Using the latest firewall protection, intrusion-detection systems, and SSL encryption, Force.com gives you the peace of mind only a world-class security infrastructure can provide.

Third-party validation

Security is a multidimensional business imperative that demands consideration at every level, from security for applications to physical facilities and network security. In addition to the latest technologies, world-class security requires ongoing adherence to best-practice policies. To ensure this adherence, we continually seek relevant third-party certification, including ISO 27001, the SysTrust audit (the recognized standard for system security), and SysTrust SAS 70 Type II (an attestation for internal corporate controls).

Protection at the application level

Salesforce.com & Power Broker protect customer data by ensuring that only authorized users can access it. Administrators assign data security rules that determine which data users can access. Sharing models define company-wide defaults and data access based on a role hierarchy. All data is encrypted in transit. All access is governed by strict password security policies. All passwords are stored in MD5 hash format. Applications are continually monitored for security violation attempts.

Protection at the facilities level

Salesforce.com security standards are on par with the best civilian data centers in the world, including the world’s most security-conscious financial institutions. Authorized personnel must pass through five levels of biometric scanning to reach the salesforce.com system cages. All buildings are completely anonymous, with bullet-resistant exterior walls and embassy-grade concrete posts and planters around the perimeter. All exterior entrances feature silent alarm systems that notify law enforcement in the event of suspicion or intrusion. Data is backed up to disk and to tape, with tape providing a second level of physical protection. Neither disks nor tapes ever leave the data center.

Protection at the network level

Multilevel security products from leading security vendors and proven security practices ensure network security. To prevent malicious attacks through unmonitored ports, external firewalls allow only HTTP and HTTPS traffic on ports 80 and 443, along with ICMP traffic. Switches ensure that the network complies with the RFC 1918 standard, and address translation technologies further enhance network security. IDS sensors protect all network segments. Internal software systems are protected by two-factor authentication, along with the extensive use of technology that controls points of entry. All networks are certified through third-party vulnerability assessment programs.