Salesforce Integration

Transcend's Salesforce integration provides data mapping and privacy request functionality allowing businesses to:

  • Scan Salesforce to surface systems and tools connected to Salesforce
  • Identify and classify data stored in Salesforce, including custom data
  • Programmatically fulfill privacy requests against data stored in Salesforce, with the ability to customize data redactions

In this guide:

Regardless of whether the Salesforce integration will be used for data mapping, privacy requests or both, the first step is to connect Salesforce to Transcend by authenticating the integration. After the integration is connected, data mapping and privacy request features can be enabled in the Salesforce data silo.

The Salesforce integration is authenticated using the OAuth2 protocol. This allows a Salesforce user to connect the Salesforce integration with the same login credentials used to access Salesforce. The user connecting the integration should be a Salesforce Admin with read and write permissions to ensure the integration functions as expected.

  1. Navigate to Integrations in the Transcend Admin dashboard and select or add the Salesforce data silo.
  2. In the Connection section, select Connect and input the same login credentials used to log in to Salesforce.
  3. A list of scopes used by the integration will be presented. Accept the scopes to finish authenticating the integration connection.

After authenticating the integration, privacy request and data mapping functionality can be enabled in the data silo. The following sections discuss use cases and setup for each.

Understanding where data is stored, what that data is and what it's used for is key for implementing a compliant privacy program. Salesforce is often one of the central data system for business operations where large quantities of data are synced from several connected systems. This makes Salesforce an ideal target for data mapping.

Transcend's integration with Salesforce supports data silo discovery functionality to help businesses identify where data is stored, as well as datapoint discovery & content classification features to programmatically identify and classify personal data in Salesforce.

The integration can be used to scan Salesforce to identify connected systems and Saas tools that sync or share data. At Transcend this is called 'data silo discovery'. Enabling data silo discovery for Salesforce is a fast and programmatic option to building out Data Inventory, as many companies have many, if not a majority of Saas and third party platforms connected to Salesforce. The integration continues to scan for new systems as well.

Data silo discovery in Salesforce works by retrieving the Connected Applications and mapping the objects to a known system. Each discovered system is recommended as a data silo in Transcend for review to be approved into Data Inventory.

  1. Navigate to the Configuration tab within the Salesforce data silo
  2. Enable the toggle for the data silo discovery plugin
  3. Select the frequency to re-scan Salesforce for new systems
  4. After the scan has run, review the discovered systems and approve any that should be included in Data Inventory. Approved data silos can be configured for further data mapping or privacy requests.

Out of the box, the Salesforce data silo is pre-configured with datapoints to represent standard Salesforce objects that are known to store personal information. This includes objects like Leads, Individuals and Contacts. However, it's also important to ensure custom data in Salesforce is accounted for in data mapping. The integration supports datapoint discovery functionality to identify custom objects. It works by scanning the Salesforce schema and recommending a datapoint for each custom object. In this way, the Salesforce data silo will contain a datapoint to represent each Salesforce object that may contain personal information.

Each datapoint discovered from Salesforce will include the property metadata (also known as sub-datapoints). Transcend's content classification algorithm assigns a recommended data category for each property on the datapoint. This makes it easy to quickly understand which properties represent personal information, and in turn which datapoints contain that personal info.

  1. Navigate to the Configuration tab within the Salesforce data silo
  2. Enable the toggle for the datapoint discovery plugin
  3. Select the frequency to re-scan Salesforce for new objects
  4. After the scan has run, review the discovered datapoints and the auto-classifications. Further configure additional custom attributes and data labels for the discovered data as needed.

The privacy request functionality of the integration allows for programmatic privacy request fulfillment directly against a Salesforce instance. Property-level settings are available for datapoints that support access and erasure requests to allow for fine-grained redaction customizations.

The integration works to find personal information from contact, lead and individuals objects in Salesforce using a data subject's email or phone number to uniquely identify the user record. When an erasure request is submitted, the contact/lead/individual object will be permanently deleted, unless the corresponding datapoint is configured for redaction. Note that if you use "Person accounts", it is not possible to delete these records.

For standard datapoints in the Salesforce data silo, it's possible to configure specify which fields on the corresponding object should be redacted for access and erasure requests.

For erasure requests, the default is to hard delete the object from Salesforce. If property settings are configured to redact specific fields, the object in Salesforce will be retained and the specific configured fields will be redacted. There are a few considerations when deciding whether to redact or delete data when responding to an erasure DSR for Salesforce. Deleting records from Salesforce may reduce compliance risk, but it may interrupt reporting and analytics flows. Additionally, hard deleting records may result in an issue if other integrations re-sync deleted data into Salesforce, in which case redaction would preserve the record and reduce risk of re-syncing data.

For access requests, an object matching the data subject's identifier (email or phone) will be returned to the data subject with all fields from the object. If property settings are configured for redaction, the specified fields on the object will not be returned to the data subject. In other words, using the visibility settings, gives flexibility in determining which fields on the object should be redacted from the final payload returned to the user. For example, there may be a field on the contact object that contains internal notes. It's possible to redact this field from the data returned to a data subject, if this information should be kept internal.

For more information about how to configure redaction for specific fields, see the next section on how to configure Salesforce for privacy requests.

  1. Navigate to the Manage Datapoints tab within the Salesforce data silo
  2. Configure the request types that should be available for each standard datapoint.
    • For the individuals, lead and contact objects, confirm which types of data actions will be enabled.
    • Data actions are enabled be default. Specifically review access and erasure actions to ensure configuration is as expected.

  1. Optionally configure property-level settings for redaction on datapoints that support access and/or erasure.

    • For each standard datapoint where redaction of certain fields is desired, select Review XX Properties to configure Property Visibility Settings.

    • Configure ACCESS REQUEST VISIBILITY and ERASURE PROPERTIES TO REDACT as desired.

  2. Set the data silo live for privacy requests.

    • Navigate back to the Configuration tab
    • Toggle the Status setting to Live Mode

There are multiple ways that the Salesforce integration can be used within Transcend. For the most expansive usage of the plugin, admin permissions are needed. However, it is possible to create a permissions set within Salesforce to scope down the integration's access to only the specific objects that you plan to operate on.

In order to support both Data Mapping and Privacy Requests, the integration will need the ability to both read and write all objects in Salesforce. This allows the integration to discover all custom fields using the Data Mapping plugins. Then, you can configure Privacy Requests to delete or modify any of the objects that are identified as having personal data. The permission set required to do this is close to that of a full admin.

In order to perform Data Mapping in Salesforce, but not Privacy Requests, it is possible to scope the integration down to simply have read access to the Salesforce objects and fields. With read access, you can index all the fields, pull sample data for each object, and even perform an Access request. Without write access, you will not be able to process data deletion or opt out requests into Salesforce.

In order to create the permission set, you can do the following:

  • As an admin of the Salesforce account, navigate to Setup > Users > Permission Sets in order to create a new Permissions
  • Create a permission set, or update an existing permission set to have the relevant read/write access to the objects that you wish to process by selecting Object Settings in the permission set view.
    • For each object, select an Object permission:
    • Read access is required to perform Data Mapping and process Data Access Requests for a particular object.
    • Delete access is required if you want to hard delete an object as a part of a Data Erasure request.
    • Edit access is required to redact an object as a part of a Data Erasure request, or if you want to persist opt out settings into Salesforce.
    • If field level access is needed, you can customize which Field Permissions you would like Transcend to have access to. In the case of an Erasure or Opt Out request, you will select fields that you decide to modify. Transcend is capable of modifying any field that you specify.
  • In the Find Settings search bar, search for API Enabled and enable this for the permission set. There are pre-requisites to this on the Salesforce side, such as which edition you have that supports this. You can read more about this here.
  • Assign the permission set to the user within Salesforce that will be used to connect the Salesforce instance to Transcend. This could be a service account or a real user.
  • Log into the user or service account with the desired permission set and then authenticate Salesforce to Transcend using OAuth