Security overview
SF Agent is designed for controlled Salesforce delivery with server-side authorization, tenant isolation, origin validation on mutating APIs, encrypted secret storage, and an append-only hash-chained audit trail.
Sessions use HttpOnly secure cookies. Credentials, refresh tokens, API keys, and private keys are stored as encrypted secrets and are not returned in plaintext once written. Sensitive admin and deployment actions are recorded in the audit log for operator review.
Operational questions, vendor security reviews, and incident reports can be sent to security@sfagent.dev.
Additional documents: Subprocessors, Data Processing Addendum, Vulnerability disclosure.