top of page

Salesforce AppExchange: Best Practices for Storing Sensitive Data

Avinash Mahajan

Handling sensitive data — whether it’s personal information, encryption keys, or API tokens — is a critical responsibility for developers working in the Salesforce ecosystem. Mishandling this data can lead to serious security breaches, so knowing the right strategies for storage isn’t just about compliance — it’s about keeping your users' trust intact.


In this blog, we’ll break down what qualifies as “sensitive data” and explore secure methods Salesforce provides to manage it, helping you safeguard information and meet your app’s specific needs.

What is Sensitive Data?


Salesforce AppExchange: Best Practices for Storing Sensitive Data

Sensitive data refers to any information that must be kept safe and inaccessible to unauthorized individuals. This can include personal, legal, or financial details, as well as project-specific information that requires restricted access.


The definition of sensitive data can vary by country, state, or compliance standards. Examples of sensitive data include, but are not limited to:


  • Passwords

  • Passphrases

  • Encryption keys

  • OAuth tokens


How to Securely Store Sensitive Data in Salesforce


When developing AppExchange applications, certain sensitive data (such as API secrets) must be protected from unauthorized access. Salesforce provides several options for securely storing and retrieving this data, depending on your app’s requirements:


  1. Protected Custom Metadata Types

Custom metadata types, when included in a managed package and marked as protected, are not visible to subscribing organizations through Apex or the API. These are only accessible by Apex code within the same package, making them ideal for storing secrets like API keys. Subscribers cannot see the secret data used within the package.


For example, a common mistake is to store tokens directly in the code:


apex

Copy code

public with sharing class SampleIntegrationService { private static final String appToken = ‘exampleToken’; }


A better approach would be to use protected custom metadata to store tokens, app secrets, and other sensitive information, ensuring alignment with Salesforce's security requirements.

Storage Limit: 10 million characters per package

Advantages:

  • Secure storage of application secrets (API keys, tokens)

  • Support for complex data structures, custom fields, and relationships

  • Efficient access with cached data, avoiding governor limits

Disadvantages:

  • More complex deployment when changes are needed

  • No dynamic updates at runtime (requires package versioning)


For more information, refer to Salesforce Custom Metadata Protection.


  1. Protected Custom Settings


Custom settings are useful when sensitive data is created by the client and needs to be securely stored in Salesforce. AppExchange apps can have a UI to collect client data and store it securely in protected custom settings. External code or logic cannot modify these settings.


Types of Custom Settings:

List Custom Settings: Store org-wide sensitive data (e.g., integration details used by all users).

Hierarchical Custom Settings: Store data at user, profile, or org levels (e.g., user-specific integration details).

Compared to custom metadata, custom settings are easier to update through Apex, making them more dynamic and flexible in certain use cases.


Storage Limit: 6 MB per package


Advantages:

  • Secure and hidden data storage

  • Cached data for improved performance

  • Easy maintenance without widespread code changes


Disadvantages:

Data migration and setup require post-install scripts For more information, refer to Salesforce Custom Settings.


For more information, refer to Salesforce Custom Settings.


  1. Named Credentials


Named credentials offer a secure, declarative way to manage authentication details for external services. They store the callout URL and authentication parameters and support various authentication protocols like OAuth 2.0 and JWT.

Salesforce recently introduced a separation between the URL (stored in Named Credentials) and authentication parameters (stored in External Credentials), making it easier to maintain and reuse authentication settings across multiple endpoints.

Storage Limit: Not applicable

Advantages:

Declarative storage of external authentication details

Multiple endpoints can share authentication parameters

Disadvantages:


Users with "Customize Application" permission can view named credentials, which may pose a security risk. Use protected custom settings or metadata for stricter security.


For more details, see Named Credentials Packaging Guide.


  1. Custom Objects (For Special/Exception Scenarios)


In cases where large volumes of sensitive data need to be stored, custom objects may be the solution. To secure data within custom objects, Apex Crypto functions can be used to encrypt sensitive information, with the encryption key stored in protected custom metadata.


Use Case: If a large-scale application needs to store secret records, the encryption key can be safely stored in protected custom metadata, with custom objects used for the data itself.


Storage Limit: No limit


Advantages:


  • No package-specific storage limits


Disadvantages:


  • Data can be viewed or deleted by admins

  • Encryption and decryption require custom code


At a Glance



By carefully selecting the right storage method, you can ensure that sensitive data is handled securely within Salesforce, protecting both your app and its users.


To know more about Extentia's Salesforce expertise, visit https://www.extentia.com/salesforce


134 views6 comments

Recent Posts

See All

6 Comments


Guest
Dec 11, 2024

When it comes to buying lottery tickets, I always choose Khelraja. Their secure platform ensures that my transactions are safe, and the process is quick and easy. As a betting personnel, I appreciate how simple it is to select my numbers and confirm my ticket. The site even offers options to play India lottery tickets for different draws, making it convenient to try my luck anytime. Plus, I can check the latest lottery results directly on the site. It’s a hassle-free experience, and every time I play, I feel one step closer to winning big.

Like


Guest
Nov 26, 2024

https://www.gevezeyeri.com/cinsel-sohbet/

https://www.gevezeyeri.com/yetiskin-sohbet/

https://ruscasinos3.info/gabile-sohbet-ve-cinsel-sohbet-uygulamasi/

https://casinovulcanplatinum.info/gabile-sohbet-ve-cinsel-sohbet-uygulamasi/

https://casino-promocode.info/gabile-sohbet-ve-cinsel-sohbet-uygulamasi/

https://casinoonlinewildjackpots.info/gabile-sohbet-ve-cinsel-sohbet-uygulamasi/

https://pokerproffi7.info/gabile-sohbet-ve-cinsel-sohbet-uygulamasi/

https://citykino.info/gabile-sohbet-ve-cinsel-sohbet-uygulamasi/

https://hausratversicherungde.info/gabile-sohbet-ve-cinsel-sohbet-uygulamasi/

https://casinoh.info/gabile-sohbet-ve-cinsel-sohbet-uygulamasi/

https://honiejoiiz.info/gabile-sohbet-ve-cinsel-sohbet-uygulamasi/

https://legalrex.com/gabile-sohbet-ve-cinsel-sohbet-uygulamasi/

http://yetiskinchat.yousher.com/edebi-bitiren-gabile-sohbet-ve-edebi-bitiren-gabile-chat

http://yetiskinsohbet.iamarrows.com/edebi-bitiren-gabile-sohbet-ve-edebi-bitiren-gabile-chat

http://yetiskinsohbet.lucialpiazzale.com/edebi-bitiren-gabile-sohbet-ve-edebi-bitiren-gabile-chat

http://yetiskinchat.lowescouponn.com/edebi-bitiren-cinsel-sohbet-ve-edebi-bitiren-cinsel-chat

http://yetiskinchat.trexgame.net/edebi-bitiren-cinsel-sohbet-ve-edebi-bitiren-cinsel-chat

http://yetiskinchat.theburnward.com/edebi-bitiren-cinsel-sohbet-ve-edebi-bitiren-cinsel-chat

http://opensource.platon.sk/forum/projects/viewtopic.php?t=10945435

http://opensource.platon.sk/forum/projects/viewtopic.php?t=10945437

https://teletype.in/@sohbetedin/sohbet

https://joy.link/sohbetedin

https://linkpop.com/canlisohbet

https://www.iglinks.io/sohbet-qgd?preview=true

https://flow.page/sohbetodalari

Like

Guest
Nov 11, 2024

For sensitive data, users should know about fish eat fish storage.

Like

Guest
Nov 07, 2024

EPTU Machine ETPU Moulding…

EPTU Machine ETPU Moulding…

EPTU Machine ETPU Moulding…

EPTU Machine ETPU Moulding…

EPTU Machine ETPU Moulding…

EPS Machine EPS Block…

EPS Machine EPS Block…

EPS Machine EPS Block…

AEON MINING AEON MINING

AEON MINING AEON MINING

KSD Miner KSD Miner

KSD Miner KSD Miner

BCH Miner BCH Miner

BCH Miner BCH Miner

Like
bottom of page