Security Requirements for AppExchange Partners and Solutions

[Effective Date: August 9, 2023] As a Salesforce Partner, you’re responsible for implementing and maintaining a comprehensive security program and maintaining the security of all applications that you list on AppExchange or distribute under the AppExchange Partner Program.

These Security Requirements for AppExchange Partners and Solutions (“Requirements”) are current as of the listed effective date and remain in effect until or unless they’re superseded at this same or redirected URL by a version with a later effective date. SFDC updates or modifies these Requirements from time to time in its sole discretion, with or without notice. These Requirements are subject to and made part of the AppExchange Partner Program Policies and Salesforce Partner Program Agreement (“SPPA”) at https://www.salesforce.com/company/legal/agreements/. Capitalized terms not defined in these Requirements have the meaning given to them in the SPPA.

Note

Partner Applications, which include managed packages, Salesforce Platform API solutions, Marketing Cloud Engagement API solutions, and other solutions referred to herein, are Non-SFDC Applications as defined in Salesforce’s Main Services Agreement (available at https://www.salesforce.com/company/legal/agreements or successor URL). Notwithstanding any security review of a Partner Application, Salesforce makes no guarantees regarding the quality or security of any Partner Application and Customers are responsible for evaluating the quality, security, and functionality of Partner Applications.

Important

As a condition of your participation in the AppExchange Partner Program, you must adhere to the security requirements outlined in this document. These requirements include general requirements applicable to all AppExchange Partners and Partner Applications, and additional requirements that are specific to Partner Applications that use or connect with specific technology or are intended for use in specific industries. In these requirements, Partner Applications are also referred to as “solutions.” When you create or edit an AppExchange listing, you’re required to confirm that you complied with these requirements.

The security requirements in this document aren’t exhaustive. We encourage Partners to follow all applicable industry security standards.

General AppExchange Requirements

  • All Partners must comply with the requirements described in Security Policy Requirements.
  • All Partner Applications must comply with the requirements described in Prevent Secure Coding Violations.
  • All Partner Applications must pass a Salesforce Security Review and Assessment where required under the AppExchange Partner Program Policies.

B2C Commerce Solution Security Requirements

If your Partner Application is a B2C Commerce Cartridge or Headless Integration, you must also follow the requirements described in Secure Your B2C Commerce Solution. These B2C Commerce specific requirements are in addition to the General AppExchange Requirements.

Tableau Accelerator Security Requirements

If your Partner Application is a Tableau Accelerator, you must also follow the requirements described in Secure Your Tableau Accelerator. These Tableau specific requirements are in addition to the General AppExchange Requirements.

Security Requirements Topics