Security, data collection and compliance
At Apsona, security and data protection are primary drivers in the design of all our products and services. We strive to ensure that customer data is never compromised
in any way. Here we summarize the security-related aspects of our products.
Apsona's products are add-ons to Salesforce, and work within your browser connected to Salesforce. They can only operate within the browser window in the Salesforce
context. Therefore, all of the security protections afforded by Salesforce are automatically inherited by Apsona products.
Data traffic boundaries
With all our products, data traffic is entirely limited to between your browser and your Salesforce database, with no
third-party servers involved. There are two exceptions to this assertion, the PDF generator and the Scheduler, which are described further below. This data
traffic is encrypted via the industry-standard SSL (Secure Sockets Layer) between your browser and Salesforce.
We do not collect or store customer data. No customer data passes through our servers, so we have no access to it. Throughout our
product designs, we take particular care to ensure that all our code and processes are data-independent, so as to maximize data security.
License provisioning and usage data
We collect two types of information, neither of which includes customer data:
- User information, comprising the user's full name, user name and email address, so that we can provision licenses for users; and
- Usage information, containing logs of user actions within the application (e.g., the use of "Add to Campaign" or "Send email" functionality). This
helps us to quickly identify and fix software bugs as well as determine focus areas for future development. This information does not contain any
data from your Salesforce database.
We do not share data with any partners or others outside of Apsona. All data access is strictly limited to qualified and experienced personnel within Apsona.
As noted above, we do not collect or store any customer data on any of our servers. The only exception occurs with our PDF conversion service, and it
applies to you only if (a) you use the Document Generator add-on, and (b) you use the PDF format for generating your documents. (In other words, if you
don't use the Document Generator add-on, or you never use the add-on to generate documents in PDF format, this doesn't apply to you.) In this specific case:
- Only the docx and pdf files are stored on our server file systems, and
- Stored files are erased within two hours.
Our software uses servers for
- delivering the software assets to your browser
- managing and provisioning licenses
- converting docx files to pdf format
- managing usage logs for the purposes noted above.
Our servers are located in secure hosting environments, across geographically distributed locations in the United States. This ensures high redundancy and resilience.
- To minimize intrusion and attack vectors, our servers expose the bare minimum of services to the public internet: only a web server. No other services are
- Our server software is very lean: We do not use any publicly-available software frameworks. This has the benefit of preventing attacks that exploit known
security vulnerabilities in frameworks.
- Server operating systems receive regular software updates to ensure that they are not compromised. All our servers are grade A on the
well-known SSL labs tests.
- Access to servers is limited to experienced systems professionals at Apsona.
The Scheduler product
If you purchase and use Apsona's Scheduler product, you know that the Scheduler needs access to your data to produce reports non-interactively (i.e.,
outside of the browser). The Scheduler's design ensures the best possible security:
- None of the data used for generating reports is ever maintained in a file store, not even temporarily. The Scheduler operates by retrieving your Salesforce data, composing
the email and sending it immediately, entirely within the server's volatile memory.
- All traffic between the Scheduler and your Salesforce org occurs via the same industry-standard SSL encrypted channel that your browser uses, and
therefore is just as protected against intrusion attacks.
As noted above, we do not store any customer data on any of our servers, with the exception of document format conversion.
Given the range of verticals and domains that we service and the nature of data in documents, we are unable to detect sensitive information in
them. Consequently, we rely on you, our customers, to safeguard your data. In general, you would want ensure that sensitive data is not included in
generated documents, so that your security is not compromised.