Salesforce Integration

Transcend's Salesforce integration provides data mapping and privacy request functionality allowing businesses to:

  • Scan Salesforce to surface systems and tools connected to Salesforce
  • Identify and classify data stored in Salesforce, including custom data
  • Programmatically fulfill privacy requests against data stored in Salesforce, with the ability to customize data redactions

In this guide:

Regardless of whether the Salesforce integration will be used for data mapping, privacy requests or both, the first step is to connect Salesforce to Transcend by authenticating the integration. After the integration is connected, data mapping and privacy request features can be enabled in the Salesforce data silo.

The Salesforce integration is authenticated using the OAuth2 protocol. This allows a Salesforce user to connect the Salesforce integration with the same login credentials used to access Salesforce. The user connecting the integration should be a Salesforce Admin with read and write permissions to ensure the integration functions as expected.

  1. Navigate to Integrations in the Transcend Admin dashboard and select or add the Salesforce data silo.
  2. In the Connection section, select Connect and input the same login credentials used to log in to Salesforce.
  3. A list of scopes used by the integration will be presented. Accept the scopes to finish authenticating the integration connection.

After authenticating the integration, privacy request and data mapping functionality can be enabled in the data silo. The following sections discuss use cases and setup for each.

Understanding where data is stored, what that data is and what it's used for is key for implementing a compliant privacy program. Salesforce is often one of the central data system for business operations where large quantities of data are synced from several connected systems. This makes Salesforce an ideal target for data mapping.

Transcend's integration with Salesforce supports data silo discovery functionality to help businesses identify where data is stored, as well as datapoint discovery & content classification features to programmatically identify and classify personal data in Salesforce.

The integration can be used to scan Salesforce to identify connected systems and Saas tools that sync or share data. At Transcend this is called 'data silo discovery'. Enabling data silo discovery for Salesforce is a fast and programmatic option to building out Data Inventory, as many companies have many, if not a majority of Saas and third party platforms connected to Salesforce. The integration continues to scan for new systems as well.

Data silo discovery in Salesforce works by retrieving the Connected Applications and mapping the objects to a known system. Each discovered system is recommended as a data silo in Transcend for review to be approved into Data Inventory.

  1. Navigate to the Configuration tab within the Salesforce data silo
  2. Enable the toggle for the data silo discovery plugin
  3. Select the frequency to re-scan Salesforce for new systems
  4. After the scan has run, review the discovered systems and approve any that should be included in Data Inventory. Approved data silos can be configured for further data mapping or privacy requests.

Data silo discovery configuration

Out of the box, the Salesforce data silo is pre-configured with datapoints to represent standard Salesforce objects that are known to store personal information. This includes objects like Leads, Individuals and Contacts. However, it's also important to ensure custom data in Salesforce is accounted for in data mapping. The integration supports datapoint discovery functionality to identify custom objects. It works by scanning the Salesforce schema and recommending a datapoint for each custom object. In this way, the Salesforce data silo will contain a datapoint to represent each Salesforce object that may contain personal information.

Each datapoint discovered from Salesforce will include the property metadata (also known as sub-datapoints). Transcend's content classification algorithm assigns a recommended data category for each property on the datapoint. This makes it easy to quickly understand which properties represent personal information, and in turn which datapoints contain that personal info.

Salesforce integration content classification tab

  1. Navigate to the Configuration tab within the Salesforce data silo
  2. Enable the toggle for the datapoint discovery plugin
  3. Select the frequency to re-scan Salesforce for new objects
  4. After the scan has run, review the discovered datapoints and the auto-classifications. Further configure additional custom attributes and data labels for the discovered data as needed.

Datapoint discovery configuration for Salesforce integration

The privacy request functionality of the integration allows for programmatic privacy request fulfillment directly against a Salesforce instance. Property-level settings are available for datapoints that support access and erasure requests to allow for fine-grained redaction customizations.

The integration works to find personal information from contact, lead and individuals objects in Salesforce using a data subject's email or phone number to uniquely identify the user record. When an erasure request is submitted, the contact/lead/individual object will be permanently deleted, unless the corresponding datapoint is configured for redaction. Note that if you use "Person accounts", it is not possible to delete these records.

For standard datapoints in the Salesforce data silo, it's possible to configure specify which fields on the corresponding object should be redacted for access and erasure requests.

For erasure requests, the default is to hard delete the object from Salesforce. If property settings are configured to redact specific fields, the object in Salesforce will be retained and the specific configured fields will be redacted. There are a few considerations when deciding whether to redact or delete data when responding to an erasure DSR for Salesforce. Deleting records from Salesforce may reduce compliance risk, but it may interrupt reporting and analytics flows. Additionally, hard deleting records may result in an issue if other integrations re-sync deleted data into Salesforce, in which case redaction would preserve the record and reduce risk of re-syncing data.

For access requests, an object matching the data subject's identifier (email or phone) will be returned to the data subject with all fields from the object. If property settings are configured for redaction, the specified fields on the object will not be returned to the data subject. In other words, using the visibility settings, gives flexibility in determining which fields on the object should be redacted from the final payload returned to the user. For example, there may be a field on the contact object that contains internal notes. It's possible to redact this field from the data returned to a data subject, if this information should be kept internal.

For more information about how to configure redaction for specific fields, see the next section on how to configure Salesforce for privacy requests.

  1. Navigate to the Manage Datapoints tab within the Salesforce data silo
  2. Configure the request types that should be available for each standard datapoint.
    • For the individuals, lead and contact objects, confirm which types of data actions will be enabled.
    • Data actions are enabled be default. Specifically review access and erasure actions to ensure configuration is as expected.

Salesforce Datapoints tab

  1. Optionally configure property-level settings for redaction on datapoints that support access and/or erasure.

    • For each standard datapoint where redaction of certain fields is desired, select Review XX Properties to configure Property Visibility Settings.

    Review Property Settings in Salesforce datapoints

    • Configure ACCESS REQUEST VISIBILITY and ERASURE PROPERTIES TO REDACT as desired.

    Configure redaction for Salesforce property-level settings

  2. Set the data silo live for privacy requests.

    • Navigate back to the Configuration tab
    • Toggle the Status setting to Live Mode