Security & Privacy - Revenue Growth Agent for Salesforce

Last Updated: November 2, 2025
Audience: Salesforce Administrators, IT Teams, Security Officers
Purpose: Security overview for AppExchange submission and customer evaluation

📋 Table of Contents

1. Overview
2. Authentication & Authorization
3. Data Security
4. Privacy & Compliance
5. Network Security
6. Audit & Monitoring
7. Security Support

Overview

Revenue Growth Agent integrates with Salesforce using industry-standard security practices to protect your data and ensure compliance with enterprise security requirements.

Security Principles

• 🔒 Zero Credential Transmission - Your Salesforce credentials never leave your org
• 🔐 Secure Authentication - Salesforce signed request with OAuth 2.0
• 🛡️ Data Minimization - Only essential data is processed, nothing stored unnecessarily
• ✅ Compliance Ready - GDPR, CCPA, and SOC 2 Type II aligned
• 🚨 Continuous Monitoring - Automated security monitoring and incident response

Authentication & Authorization

How Authentication Works

Revenue Growth Agent uses Salesforce Signed Request authentication, which provides secure, automatic login without requiring users to manually authorize the app.

Signed Request Flow

1. User opens Contact/Lead record in Salesforce
2. Salesforce creates signed request using HMAC-SHA256 encryption
3. Signed request sent to RGA via Canvas app
4. RGA verifies signature using your org's Consumer Secret
5. User authenticated automatically without credential transmission

Key Security Features:

• Consumer Key and Secret stay in your Salesforce org
• Signed requests expire after 3 minutes
• HMAC-SHA256 cryptographic signing prevents tampering
• No password transmission or storage required

OAuth 2.0 Configuration

Your Connected App uses OAuth 2.0 for API access with these scopes:

Required Scopes:

• id - Access identity URL service (user profile, email)
• api - Manage user data via Salesforce APIs
• custom_permissions - Access custom permissions

Security Policies:

• Permitted Users: Admin approved users are pre-authorized
• IP Relaxation: Relaxed IP restrictions for Canvas apps
• Refresh Token Policy: Immediately expire refresh tokens
• Access Token Lifetime: 2 hours (Salesforce default)

Note: Refresh tokens are NOT used for Canvas apps with signed request authentication. This follows Salesforce security best practices for AppExchange compliance.

User Permissions

Users must have:

• Read/Write access to Contact and Lead objects
• Access to Connected App "Revenue Growth Agent"
• Read/Write access to RGA custom fields

Administrators control access through:

• Standard Salesforce profiles
• Permission sets
• Connected App policies

Data Security

What Data is Accessed

Revenue Growth Agent reads the following data from Salesforce:

Contact/Lead Standard Fields:

• First Name, Last Name
• Email, Phone
• Company Name, Title
• Website, Industry
• Mailing Address

Custom Fields (Created During Setup):

• RGA Last Prep Date
• RGA Prep Document URL
• RGA Prep Status
• RGA Prep Count
• RGA Prep History (JSON)

Data Processing

How Data is Used:

1. Read from Salesforce - Contact/Lead data retrieved when user generates meeting prep
2. Stored for processing - Meeting prep form data saved to secure database
3. AI processing - Data analyzed to create strategic intelligence
4. Document generated - Meeting prep created as Google Doc
5. Salesforce updated - Custom fields updated with document link and status

Data is NOT:

• ❌ Shared with third parties for marketing
• ❌ Used to train AI models without explicit consent
• ❌ Accessible to other customers (multi-tenant isolation)
• ❌ Sold to data brokers or advertisers

Data Storage

Meeting Prep Data:

• What's Stored: Contact/Lead information from meeting prep forms (name, email, company, title, phone, website, industry)
• Where: Secure database (Airtable) with encryption at rest
• Why: Generate meeting preps, track prep history, populate form fields for repeat preps
• Retention: Active subscription + 3 months, then deleted (or upon written request)

Generated Documents:

• Storage: Google Drive (company-designated account)
• Access: Unique, non-guessable URLs
• Contents: Meeting prep documents with research and insights
• Retention: Stored until customer requests deletion

Metadata:

• Storage: Secure database with encryption at rest
• Contents: Document URLs, prep timestamps, prep counts, CRM connection settings
• Retention: Active subscription + 3 months (or upon written request)

Encryption

In Transit:

• TLS 1.3 for all connections
• HTTPS required for all endpoints
• Certificate pinning for Salesforce connections

At Rest:

• AES-256 encryption for stored metadata
• Google Drive encryption for generated documents
• Encrypted database backups

Privacy & Compliance

GDPR-Aligned Data Protection

Revenue Growth Agent implements data protection practices aligned with GDPR principles:

Data Subject Rights:

• Right to Access - Customers can request copies of their data
• Right to Deletion - Data deleted within 30 days of written request
• Right to Portability - Data provided in machine-readable format
• Right to Rectification - Incorrect data corrected upon request

Data Processing Agreement:

• Available upon request for enterprise customers
• Covers data processing, security, and breach notification
• Contact: support@revenuegrowthagent.com

Note: Revenue Growth Agent follows GDPR best practices and principles. We have not completed formal GDPR compliance certification. For customers requiring formal GDPR compliance documentation, please contact our team.

CCPA-Aligned Privacy Practices

For California residents, Revenue Growth Agent implements CCPA-aligned privacy practices:

• Do Not Sell My Personal Information - RGA does not sell personal data
• Data Disclosure - Categories of data collected disclosed in Privacy Policy
• Deletion Rights - Data deleted within 30 days of written request

Note: Revenue Growth Agent follows CCPA best practices and principles. We have not completed formal CCPA compliance certification.

SOC 2 Type II Alignment

Revenue Growth Agent implements security controls following SOC 2 Type II principles:

Security Controls:

• Access controls and authentication (OAuth 2.0, signed requests)
• Encryption in transit (TLS 1.3) and at rest (AES-256)
• Network security and rate limiting (100 req/min Canvas, 30 req/min webhooks)
• Vulnerability management and continuous monitoring
• Incident response procedures

Availability Controls:

• Automated backups and disaster recovery
• System monitoring and alerting
• Comprehensive test coverage (361/363 backend tests, E2E tests)

Confidentiality Controls:

• Data classification and handling procedures
• Non-disclosure agreements with staff
• Secure development lifecycle

Note: Revenue Growth Agent is pursuing formal SOC 2 Type II certification. Current security practices align with SOC 2 principles. For enterprise customers requiring detailed security documentation, contact support@revenuegrowthagent.com.

Privacy Policy

Full privacy policy available at:

• www.revenuegrowthagent.com/privacy

Covers:

• What data is collected and why
• How data is used and processed
• Third-party services and integrations
• User rights and data retention
• Cookie policy and analytics

Network Security

Allowed Domains

The Canvas app connects to these domains:

Primary Application:

• www.revenuegrowthagent.com - Main application domain

Third-Party Services:

• docs.google.com - Document generation
• apis.google.com - Google API services
• accounts.google.com - Google authentication

Firewall Configuration

If your organization uses strict firewall rules, allow outbound HTTPS (443) to:

• *.revenuegrowthagent.com
• *.google.com
• *.googleapis.com

IP Allowlisting

RGA does not use static IP addresses. The application runs on cloud infrastructure with dynamic IPs. If your Salesforce org requires IP restrictions:

Recommendation: Use OAuth policies to restrict access instead of IP allowlisting

• Setup → Connected Apps → Revenue Growth Agent → Manage → Edit Policies
• Set "IP Relaxation" to appropriate level for your security requirements

Audit & Monitoring

Salesforce Audit Trail

Track RGA activity in Salesforce:

Setup Audit Trail:

• Connected App installations and modifications
• Permission changes
• Custom field creation

Field History Tracking:

• Enable field history on RGA custom fields
• Track when documents are generated
• Monitor prep count changes

Login History:

• Canvas app access logged in Login History
• Review under Setup → Login History

RGA Activity Logs

Revenue Growth Agent maintains logs for:

Authentication Events:

• Signed request validations
• OAuth token requests
• Failed authentication attempts

API Activity:

• Salesforce API calls (read/write)
• Document generation requests
• Error responses and failures

Security Events:

• Rate limiting triggers
• Suspicious activity detection
• System errors and exceptions

Log Retention: 90 days for standard logs, 1 year for security events

Security Monitoring

Automated Monitoring:

• Real-time alerting for authentication failures
• Rate limiting to prevent abuse
• Anomaly detection for unusual patterns
• Automated threat detection

Regular Reviews:

• Quarterly security audits
• Penetration testing (annual)
• Vulnerability scanning (continuous)

Security Support

Reporting Security Issues

If you discover a security vulnerability:

Email: support@revenuegrowthagent.com
Subject: "SECURITY - [Brief Description]"

Include:

• Description of the vulnerability
• Steps to reproduce
• Potential impact
• Your contact information

Response Time:

• Critical Issues: Within 4 hours
• High Priority: Within 24 hours
• Medium/Low: Within 3 business days

Security Incident Response

In the event of a security incident:

1. Detection & Assessment - Incident identified and severity assessed
2. Containment - Immediate actions to limit impact
3. Customer Notification - Affected customers notified within 72 hours
4. Investigation - Root cause analysis and forensics
5. Remediation - Fixes implemented and tested
6. Post-Incident Review - Lessons learned and process improvements

Security Questions

For security-related questions or concerns:

• General Inquiries: support@revenuegrowthagent.com
• Enterprise Security Review: Request detailed security documentation
• Compliance Questions: GDPR, CCPA, SOC 2 information available
• Data Processing Agreement: Available for enterprise customers

Additional Resources

Documentation

• Installation Guide - Secure setup instructions
• Quick Start Guide - Getting started
• Privacy Policy - Complete privacy information
• Terms of Service - Legal terms and conditions

Security Best Practices

For Administrators:

1. Use Permission Sets to control access instead of modifying standard profiles
2. Enable Field History Tracking on RGA custom fields for audit trail
3. Review Login History regularly to monitor Canvas app access
4. Set up Alerts for failed authentication attempts
5. Restrict Connected App to specific profiles if needed

For Users:

1. Use strong passwords for your Salesforce account
2. Enable Two-Factor Authentication in Salesforce
3. Don't share document links publicly (they contain access credentials)
4. Report suspicious activity to your administrator immediately
5. Keep browser updated for latest security patches

Security Standards & Best Practices

Revenue Growth Agent follows industry-standard security frameworks and best practices:

• ✅ GDPR-Aligned - Implements GDPR data protection principles (formal compliance certification in progress)
• ✅ CCPA-Aligned - Follows CCPA privacy best practices (formal compliance certification in progress)
• ✅ SOC 2 Aligned - Security controls following SOC 2 Type II principles (formal certification in progress)
• ✅ OWASP Top 10 - Application security best practices
• ✅ Comprehensive Testing - 361/363 backend tests passing (99.4%), E2E authentication tests, 20 rate limiting tests
• ✅ Salesforce Security Review - Designed for AppExchange security requirements

Note: Revenue Growth Agent has implemented comprehensive security controls and privacy practices aligned with industry standards. We have not completed formal compliance audits or certifications for GDPR, CCPA, or SOC 2. For enterprise customers requiring formal compliance documentation, please contact support@revenuegrowthagent.com.

Contact Information

Customer Support:
support@revenuegrowthagent.com

Security Issues:
support@revenuegrowthagent.com
(Use subject line: "SECURITY - [Issue]")

Business Inquiries:
www.revenuegrowthagent.com/contact

Last Updated: November 2, 2025

For the most current security information, visit docs.revenuegrowthagent.com/salesforce