True Record

Security & FAQ

How we handle Salesforce access, what we store, and how to test or disconnect safely.

Last updated: December 8, 2025

Scoped Salesforce access

OAuth-only; we request api, refresh_token, offline_access. No passwords, no managed package.

Encrypted tokens

Salesforce tokens are encrypted at rest with managed keys and never logged (only hashed when referenced for diagnostics).

Data stays minimal

We store org identifiers and dedupe result snapshots (record pairs & audit trail). No data resale.

Salesforce permissions we request

  • api: Read/write via standard REST endpoints for the objects you choose (Leads, Contacts, Accounts, etc.).
  • refresh_token & offline_access: Allows rotating the session without asking users to log in again.
  • No managed package: Everything runs over the API; nothing is installed in your org.

Data handling

What we store

  • Org identifiers, instance URL, and the connected user ID/email for membership.
  • Encrypted Salesforce access & refresh tokens (managed keys, access tightly limited).
  • Dedupe artifacts: matched record snapshots and audit trail entries to explain actions.

How we protect it

  • TLS in transit; tokens hashed when referenced in logs for debugging.
  • Least-privilege OAuth scopes; recommend connecting a sandbox first, then production.
  • Revoke anytime in Salesforce Connected Apps or ask us to purge stored data.

FAQ

Can I test this safely?

Yes, connect a sandbox first. We operate over the API and do not install a package.

Which objects do you read?

We start with suggested fields on Leads, Contacts, Accounts, Opportunities, and Campaigns, but you can build matching rules for any standard or custom object. We only read the fields you configure for that object.

How do I disconnect?

Revoke the Connected App session inside Salesforce or email support@truerecord.app and we’ll remove stored tokens and related org data.

Do you log my data?

Operational logs hash tokens and include only structural info (object names, counts). Record content stays in your org and in the dedupe snapshots we show you.
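
An added example, not True Record's code: one way to get "tokens hashed when referenced in logs" is a logging filter that swaps token values for a keyed HMAC-SHA256 fingerprint before any handler writes them. The page says only that tokens are hashed, not how; the keyed hash, field names, key, and sample tokens below are constructed assumptions.

```python
import hashlib
import hmac
import io
import logging
import re

# Assumption: a per-deployment secret used only for log fingerprints.
FINGERPRINT_KEY = b"constructed-demo-key-rotate-me"

# Assumption: tokens reach log text as key=value or JSON "key": "value" pairs.
TOKEN_FIELD = re.compile(
    r'(?P<name>"?(?:access_token|refresh_token)"?\s*[=:]\s*"?)(?P<value>[^\s",&}]+)'
)

def token_fingerprint(token: str, key: bytes = FINGERPRINT_KEY) -> str:
    """Keyed hash: the same token correlates across log lines, but the value
    cannot be recovered or guessed offline without the key."""
    digest = hmac.new(key, token.encode("utf-8"), hashlib.sha256).hexdigest()
    return "tok_" + digest[:16]

def scrub(text: str) -> str:
    """Replace every token value in a log line with its fingerprint."""
    return TOKEN_FIELD.sub(
        lambda m: m.group("name") + token_fingerprint(m.group("value")), text
    )

class TokenHashingFilter(logging.Filter):
    def filter(self, record: logging.LogRecord) -> bool:
        # Render the message first so tokens passed as %-args are scrubbed too.
        record.msg = scrub(record.getMessage())
        record.args = None
        return True

def demo() -> str:
    stream = io.StringIO()
    handler = logging.StreamHandler(stream)
    handler.addFilter(TokenHashingFilter())
    log = logging.getLogger("dedupe.demo")
    log.handlers[:] = [handler]
    log.propagate = False
    log.setLevel(logging.INFO)
    # Constructed sample values, not real Salesforce tokens.
    access = "00DEXAMPLE!constructedAccessTokenValue"
    log.info("refresh ok org=%s access_token=%s objects=%d", "00DEXAMPLE", access, 3)
    log.info('token response {"refresh_token": "constructedRefreshValue", "scope": "api"}')
    log.info("retry with access_token=%s", access)
    return stream.getvalue()

if __name__ == "__main__":
    print(demo())
```

Attaching the filter to the handler rather than to one logger means records from every logger that reaches that handler are scrubbed.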

Legal & Compliance

We are committed to data protection and transparency. Review our legal documentation:

Need something specific?

Email security questions or reports to support@truerecord.app.
