DESK.COM SECURITY, PRIVACY, AND ARCHITECTURE
Last Updated: September 9, 2016
Salesforce’s Corporate Trust Commitment
Salesforce is committed to achieving and maintaining the trust of our customers. Integral to this mission is providing a
robust security and privacy program that carefully considers data protection matters across our suite of services, including
data submitted by customers to our services (“Customer Data”).
Services Covered
This documentation describes the architecture of, the security and privacy-related audits and certifications received for, and
the administrative, technical, and physical controls applicable to the services branded as Desk.com (“Desk.com Services”).
Third-Party Architecture
The architecture used by Salesforce to host Customer Data submitted to the Desk.com Services is provided by a third-party
provider, Amazon Web Services, Inc. (“AWS”). Currently, the physical architecture hosted by AWS in the provisioning of
the Desk.com Services is located in the United States.
Audits and Certifications
The following security and privacy-related audits and certifications are applicable to the Desk.com Services:
● TRUSTe Privacy Seal: Salesforce has been awarded the TRUSTe Privacy Seal signifying that the Desk.com Web
Site Privacy Statement and associated practices related to the Desk.com Services have been reviewed by TRUSTe
for compliance with TRUSTe’s program requirements, including transparency, accountability, and choice regarding
the collection and use of personal data.
The Desk.com Services undergo security assessments by internal personnel and third parties, which include infrastructure
vulnerability assessments and application security assessments, on at least an annual basis.
Information about security and privacy-related audits and certifications received by AWS, including information on ISO
27001 certification and Service Organization Control (SOC) reports, is available from the AWS Security Web site and
AWS Compliance Web site.
Copyright 2000 – 2016 salesforce.com, inc. All rights reserved. Salesforce is a registered trademark of
salesforce.com, inc., as are other names and marks. Other marks appearing herein may be trademarks of their
respective owners.
Security Controls
The Desk.com Services include a variety of configurable security controls that allow customers to tailor the security of the
Desk.com Services for their own use. These controls include:
● Unique user identifiers (user IDs) to ensure that activities can be attributed to the responsible individual.
● Controls to revoke access after several consecutive failed login attempts.
● Password length controls.
● Customer-specific SSL certificates to permit site URL validation.
Security Procedures, Policies and Logging
The Desk.com Services are operated in accordance with the following procedures to enhance security:
● User access log entries will be maintained, containing date, time, URL executed or entity ID operated on, operation
performed (viewed, edited, etc.) and source IP address. Note that source IP address might not be available if NAT
(Network Address Translation) or PAT (Port Address Translation) is used by a customer or its ISP.
● Logs will be kept in a secure area to prevent tampering.
● Passwords are not logged under any circumstances.
● User passwords are stored using a salted hash format and are never transmitted unencrypted.
Intrusion Detection
Salesforce will monitor the Desk.com Services for unauthorized intrusions using intrusion detection services. Any security
events are monitored and escalated to the Salesforce Security Operations Center for triage. Salesforce may analyze data
collected by users' web browsers (e.g., device type, screen resolution, time zone, operating system version, browser type
and version, system fonts, installed browser plug-ins, enabled MIME types, etc.) for security purposes, including to detect
compromised browsers, to prevent fraudulent authentications, and to ensure that the Desk.com Services function properly.
Security Logs
All systems used to provide the Desk.com Services and end user functionalities log their respective information while
employing a log management framework that ensures that log rotation and retention policies are enforced. Information on
security-related events is also shipped offsite to a hardened, read-only log retention service.
Incident Management
Salesforce maintains security incident management policies and procedures. Salesforce promptly notifies impacted customers
of any actual or reasonably suspected unauthorized disclosure of their respective Customer Data by Salesforce or its agents
of which Salesforce becomes aware to the extent permitted by law.
User Authentication
Access to the Desk.com Services requires a valid user ID and password combination, which are encrypted via SSL while in
transmission. Following a successful authentication, a random session ID is generated and stored in the user’s browser to
preserve and track session state.
Physical Security
Production data centers used to provide the Desk.com Services have access system controls in place. These facilities are
designed to withstand adverse weather and other reasonably predictable natural conditions, are secured by around-the-clock
guards, two-factor access screening, and escort-controlled access, and are also supported by on-site back-up generators in
the event of a power failure. Further information about physical security provided by AWS is available from the AWS
Security Web site, including AWS’s overview of security processes.
Reliability and Backup
All components of the Desk.com Services are configured in a redundant configuration. All Customer Data submitted to the
Desk.com Services is stored on a primary server that is clustered with a backup database server for higher availability. All
Customer Data submitted to the Desk.com Services, up to the last committed transaction, is automatically replicated on a
near real-time basis at the database layer and is backed up on a regular basis. Encrypted backups are stored offsite in a
geographically disparate location.
Disaster Recovery
Salesforce has disaster recovery plans in place and tests them at least once a year. The Desk.com Services utilize secondary
facilities that are geographically remote from their primary data centers, along with required hardware, software, and Internet
connectivity, in the event Salesforce production facilities at the primary data center were to be rendered unavailable.
Viruses
The Desk.com Services do not scan for viruses that could be included in attachments or other Customer Data uploaded into
the Desk.com Services by a customer. Uploaded attachments, however, are not executed in the Desk.com Services and
therefore will not damage or compromise the Desk.com Services by virtue of containing a virus.
Data Encryption
The Desk.com Services use industry-accepted encryption products to protect data at rest, such as user password hashes
stored in the database, and Customer Data and communications during transmissions between a customer’s network and the
Desk.com Services, including minimum 128-bit SSL certificates and 1024-bit RSA public keys.
Return of Customer Data
Within 30 days post contract termination, Salesforce provides customers with access to Customer Data via API for purposes
of exporting, via a file and attachments in their native format, their respective Customer Data that is submitted to the
Desk.com Services. During the term of the contract, Salesforce shall provide such Customer Data via API and attachments
in their native format. Salesforce reserves the right to reduce the number of days it provides access to such data after
contract termination. Salesforce will update this Desk.com Security, Privacy, and Architecture Documentation in the event
of such change.
Deletion of Customer Data
Post contract termination, to request deletion of Customer Data submitted to the Desk.com Services, contact
support@desk.com. This process is subject to applicable legal requirements.
Tracking and Analytics
Salesforce may track and analyze use of the Desk.com Services for purposes of security and helping Salesforce improve
both the Desk.com Services and the user experience in using the Desk.com Services. Without limiting the foregoing,
Salesforce may share data about Salesforce’s customers' or their users' use of the Desk.com Services to Salesforce’s service
providers for the purpose of helping Salesforce in such tracking or analysis, including improving its users’ experience with
the Desk.com Services, or as required by law.
Sensitive Personal Data
Important: The following types of sensitive personal data may not be submitted to the Desk.com Services:
government-issued identification numbers; financial information (such as credit or debit card numbers, any related security
codes or passwords, and bank account numbers); information related to an individual’s physical or mental health; and
information related to the provision or payment of health care.
For clarity, the foregoing restrictions do not apply to financial information provided to Salesforce for the purposes of
checking the financial qualifications of, and collecting payments from, its customers, the processing of which is governed
by the Desk.com Web Site Privacy Statement.
Interoperation with Other Salesforce Services
The Desk.com Services may interoperate with other services provided by Salesforce. The Security, Privacy and
Architecture documentation for such services is available in the Trust and Compliance Documentation section of
help.salesforce.com.