Security FAQs
Yes, we use FileVault 2 on all laptops and logically prohibit all external storage devices.
Production data is mirrored to remote systems and automatically backed up daily to an offsite location. Every change to a database is stored in the ‘writeaheadlog’ and immediately shipped offsite. We test our recovery procedures regularly by restoring from backup and simulating recovery of a production database. Our backup retention varies by function and business impact, the minimum backup retention for all systems is seven (7) days. Our production applications are deployed in multiple availability zones and leverage AWS MultiAZ technology which can sustain the loss of an entire data center in a region.
Yes. EU-US Privacy Shield Compliant.
We used a CREST certified vendor that follows the OWASP model.
All employees are required to take security awareness training when they join and annually on their anniversary.
Yes, we have CAIQ and SigLite.
Yes – SOC2 Type2, ISO27001.
Yes. If a prospect asks to be forgotten, Salesloft has the ability to remove all data specific to that person.
Countries around the world are tightening up on Global Telecommunication Regulations. All provisioned phone numbers must follow a set of constantly evolving rules and regulations that vary from country to country. The Salesloft’s Dialer follows these regulations diligently.
When provisioning a new international number, regulation standards are kept through a phone number approval process. This process involves providing various levels of documentation to carriers or local enforcement agencies based on country regulations.
AWS Virginia, US; US-East-1 Region and Google Cloud US-Central1.
The Salesloft application stores and processes certain data from your company’s CRM instance, as well as e-mails related to Salesloft from the user’s inbox. E-mails not pertaining to Salesloft e-mails are discarded and never ingested by our systems.
AWS EC2 instances are launched from an Amazon AMI with a bare minimum of packages required to run Docker. If there is an issue with a node, EC2 instances are replaced with an instance running the same OS and patch levels as the cluster. At a minimum, upgrades and patching occur every quarter.
We also use a third party system to track our code dependencies and alert us if one ever becomes vulnerable. Critical vulnerabilities are prioritized above all other work efforts until resolution. High risk vulnerabilities discovered are resolved within 14 days or less. Medium risk vulnerabilities are resolved within 30 days. Low risk vulnerabilities are resolved as time allows.
We retain your account data in our systems for a minimum period of 30 days in the event you request to reactivate your account. We cannot guarantee accounts closed longer than 30 days can be reopened. After your account has been closed for 30 days, all the data in the account may be permanently deleted from our systems within a reasonable time period, as permitted by law, and will disable your access to any other services that require a Salesloft Platform account.
We will respond to any such request, and any appropriate request to access, correct, update, or delete your personal information within the time period specified by law (if applicable) or without excessive delay. We will promptly fulfill requests to delete personal data unless the request is not technically feasible or such data is required to be retained by law (in which case we will block access to such data, if required by law).
Yes, using AES 256.
It does not. We enforce it by limiting access to production to only those that absolutely need it, and train all engineers on acceptable data handling practices. We also log all user activity in production and regularly check for suspicious activity.
Only people who need access, get access. Production system access is limited to key members of the Salesloft engineering team and passwords are expressly forbidden. At a minimum, authentication requires two factors including asymmetric public/private keys and a time-based crypto token.
Salesloft’s Account Managers will communicate any breach affecting a customer’s data as soon as possible once the extent of the breach has been assessed and understood internally.
Passwords are never stored in Salesloft. To integrate with SFDC and Gmail systems, Salesloft uses Oauth tokens. Tokens are encrypted before they are stored in the database.
No. Salesloft mail never accesses your email client. Instead, you update your DNS info during implementation to route Salesloft-related mail back through a custom domain and forward to your work email.
Yes. Credentials are encrypted before they are stored in the database.
No. To integrate with Salesforce, Salesloft uses Oauth tokens. Tokens are encrypted before they are stored in the database.
Yes, all Salesloft employees are subject to criminal, educational, and employment history checks. Credit checks are performed for senior financial positions.
We use third party services for several services in the platform that have all been vetted through our vendor security evaluation process. Specifically we use:
- AWS – data center hosting
- Google Cloud – data center hosting
- Twilio – dialer infrastructure
- Nylas – email sync engine for Exchange customers only
- Elastic.co – ElasticSearch hosting services
- Mailgun – email delivery service (applicable only to customers on Salesloft’s Europe-based data center)
Note: All subprocessors for US-hosted customers store Salesloft customer data in the US, and all subprocessors for EU-hosted customers store Salesloft customer data in the EU. To ensure a legal basis for processing (as such term is defined by the GDPR) in any country not expressly deemed adequate by the European Commission and the UK ICO, Salesloft has executed with each subprocessor a DPA with model clauses acknowledging regulatory and contractual obligations when supporting Salesloft.
Yes. All vendors must undergo an internal security audit and receive approval from our information security team. Vendors are re-evaluated on an annual basis.
Yes, all subcontractors must undergo a security evaluation. Any subcontractors determined to be high-risk undergo annual reviews thereafter.
Yes, we perform an internal risk assessment once a year, as well as undergo SOC 2 Type 2, and ISO 27001s audit once a year via a third-party auditor. Finally, we have a third-party pentest our application and public facing websites. All new software that has access to company data undergoes an internal vendor security evaluation before implementation.
Our development team follows OWASP secure coding practices.