Security Policy Requirements

Requirements: Before you list your solution on AppExchange, you must have a security program that demonstrates your company’s commitment to security. Also, to help customers evaluate the quality of your solution, you must share your program info with them.

Recommendations: We recommend including these elements in your program.

Designate a Security Expert

Protecting your solution from security threats is easier when you integrate security considerations into all stages of development. One of the best ways to ensure that your solution follows security guidelines is to designate a security expert on your development team. Have your entire development team collaborate with the security expert through all stages of development: design, implementation, and testing. Postponing security considerations until the final stages of development increases the likelihood that your team unknowingly propagates security violations as they code. Regular collaboration prevents needless accumulation of security violations and helps avoid delays in preparing a successful AppExchange security review submission.

Implement a Security Policy

Build a corporate security policy that details how your company protects customer assets, such as user data. Tell customers which activities they can perform on their side to help secure the solution from end to end.

List Services and Artifacts

List the services and artifacts included in your solution, such as web and mobile solutions, web services, APIs, and SDKs.

Inventory Third-Party Libraries

Keep an inventory of the third-party libraries, and the versions of each, that your solution requires to operate correctly.

Create Architecture Diagrams

Provide architecture diagrams that display data touch points, information flows, authentication, authorizations, and other security controls.

List Certifications

Share all applicable certification reports such as:

  • HIPAA: Health Insurance Portability and Accountability Act
  • PCI DSS: Payment Card Industry Data Security Standard
  • SOC 2: System and Organization Controls 2 criteria for managing customer data
  • ISO 27001: Information security management

Get a Third-Party Audit

Have an independent third party conduct a security audit. Share the summary with your customers.

Document Security-Assurance Activities

Document company-level security-assurance activities including:

  • Software development lifecycle (SDLC) methodology
  • Vulnerability management
  • Remediation service-level agreements (SLAs)
  • Supplier and dependency security program
  • Security-awareness training
  • Security breach response procedures

List Sensitive Data

List all sensitive data that your solution processes or stores, such as payment instrument data, personal data, and health data.

Disclose Data Storage Locations and Providers

If your solution stores or processes regulated data, such as personally identifiable data and health data, disclose a list of data storage locations. Identify the countries and the providers, such as Amazon Web Services (AWS), Azure, and Google Cloud Platform (GCP).

Identify Third-Party Data Sharing

Provide a list of the third-party suppliers with whom you share customer data.

Share Contact Info

Publish contact information so that it’s easy for customers to get support and report security incidents.