SECURITY POLICY

Chrome Extension

SalesHud gives users a connection between CRM and browser data, displaying context on selected websites relative to the information being viewed. It is delivered via a Google Chrome Extension served from the Google Chrome Web Store. The Chrome extension acts as a proxy between Chrome and Salesforce: data is transmitted between systems via SalesHud, but no data is stored.

SalesHud Cloud Storage (Firebase)

SalesHud Cloud Storage (Firebase) is used only to manage the accounts and licenses necessary to access SalesHud. APIs in the SalesHud Cloud are accessed by the Chrome Extension to confirm the user’s rights to use SalesHud. No data from sources such as Salesforce or third parties is exfiltrated from those systems and stored in the SalesHud Cloud. The SalesHud Cloud does store some personally identifiable, business-critical data relating to license management and the user’s relationship with SalesHud.

SalesHud accounts can be (and usually are) linked to Salesforce.com accounts. SalesHud accepts Salesforce as an OAuth identity provider, so logging on to Salesforce is all most users need to do in order to use SalesHud. To that end, the (hash of the) Salesforce User ID and Organization ID are used and stored in a table within the SalesHud Cloud in order to support user creation, user assignment to org, licensing and proper use of the application (for details of the information gathered, see our Privacy Policy).

Additional metadata such as user preference settings may also be stored, but no security-sensitive data pertaining to Salesforce.com or other third-party sites or accounts is stored there.

The SalesHud Cloud uses services such as access monitoring, firewall, threat detection and application performance monitoring, and follows Google’s best practice recommendations.

GCP (Google Cloud Platform) Best Practice

Salesforce.com

The SalesHud Chrome Extension interacts with the Salesforce REST API on behalf of the currently logged-in Salesforce user for the purpose of extending Salesforce.com functionality and user experience. In addition, data from selected third-party websites may be linked to, or stored in, Salesforce. The SalesHud Chrome Extension does not grant its users any further privileges or access to Salesforce data than those of the currently logged-in Salesforce user. At any time, a Salesforce Organization Administrator can rescind SalesHud access to a Salesforce account via the Salesforce connected app settings.

Third-Party sites

SalesHud does not have direct access to third-party sites. The Chrome Extension has access only to data to which the current user is entitled. This data may be copied or linked to Salesforce, but it is never copied anywhere else; for example, it is never copied to the SalesHud Cloud Storage.

Data Retention

SalesHud account data required to deliver the service is stored for the period of the contract. Upon contract termination, customer data is destroyed after 30 days. Backup data is retained for 30 days.

Data Access

Access to the production environment is logged and limited to assigned staff through IP whitelisting, VPN tunnels, and multi-factor authentication.

Incident Response & Disaster Recovery

The SalesHud platform is entirely cloud-based. Core services are redundant across multiple data centres and we rely on the BC/DR capabilities of GCP (Google Cloud Platform).

If SalesHud determines that any customer information has been compromised, SalesHud will immediately notify the customer's primary contact within 72 hours.

Application Development

SalesHud implements security considerations at design time and employs best practice secure coding principles (OWASP), including extensive employee training.

SalesHud runs testing environments which contain no client data. Transition of code between environments is subject to peer review and software-based analysis before continuous integration. Application and source code are scanned by vulnerability detectors, and we are subject to third-party security reviews and penetration testing.

Employees & Contractors

All employees and contractors are vetted before placement and must sign binding confidentiality agreements.

Issue Reporting

To report any security concern or suspected vulnerability, please contact the SalesHud Security Team.

Policies & Further Information

SalesHud Privacy Policy – https://www.saleshud.com/privacy
SalesHud Terms and Conditions – https://www.saleshud.com/terms
GCP (Google Cloud Platform) Compliance & Regulations – https://cloud.google.com/security/compliance/
GCP (Google Cloud Platform) Best Practices – https://cloud.google.com/storage/docs/best-practices
GCP (Google Cloud Platform) Trust & Security – https://cloud.google.com/security/