GRAX Security and Compliance

This page details security and compliance information for the GRAX platform, specifically the AWS-deployed version.

GRAX Security

GRAX allows your organization to maintain complete ownership and control of your Salesforce data by capturing and storing it in public cloud environments that you own and operate. This creates the most effective way to enable data backup, archive, and restore capabilities for your Salesforce instances while preserving compliance with the regulatory requirements that you are subject to when handling sensitive corporate and customer data.

GRAX Commitment To Your Data

At GRAX we know we are in the privileged position of handling our customers' most valuable asset - their data. We are driven every day by our commitment to our customers that they can rely on the GRAX product to handle their data correctly and in accordance with the regulatory frameworks they need to comply with. As an organization, we are committed to operating with honesty, integrity, and compliance.

GRAX allows you to bring your own cloud object storage provider to ensure that you control the location of your data throughout the entire backup, archiving, and restore processes.

GRAX Security and Compliance

GRAX has been audited to achieve SOC 2 Type 1 compliance across the platform. Alongside our security audits, our Salesforce Managed Package has been vetted and passed a rigorous and ongoing security review by Salesforce. The GRAX Data Value Platform is deployed into a managed AWS runtime and builds upon the security and compliance posture of the underlying services provided. For details on our compliance audit, please contact our team.

If you require the provision of a BAA to support your HIPAA compliance, please contact our team.

GRAX provides customers with mechanisms for authorized users to delete data related to an individual (or multiple individuals) across the GRAX Data Value Platform. This is a basic feature of the platform and is included at all license levels worldwide.

Salesforce customers can support their PCI compliance by using Encrypted Custom Fields as the mechanism to store sensitive payment data in their Salesforce application. The GRAX application respects the Salesforce sharing and permissions model, so individual customers can configure the GRAX user with "View Encrypted Data" permission according to their needs. Data that is handled by GRAX is encrypted in transit using TLS 1.2 and data at rest can be encrypted according to the service provider chosen.

GRAX Runtime Service Providers

The GRAX Data Value Platform provides a unique value to customers by unifying data across a number of different service providers. This is made possible by services that build on the existing features of these platforms. For the underlying security and compliance documentation, please refer to the relevant provider's documentation.

Salesforce Security and Compliance
AWS Security and Compliance

Data Processing

The GRAX Application is deployed into a fully managed compute environment, securely connected to your Salesforce instances and chosen object stores. All data that flows through the GRAX Data Value Platform is encrypted using TLS 1.2. Data at rest is encrypted by leveraging the platform-specific mechanism of your chosen data service provider.

AWS Elasticsearch
AWS S3
Azure Blob Storage
GCP Object Store

Secrets Management

GRAX utilizes the AWS Secrets Manager to manage the tokens that are used for communicating with the various services that make up the GRAX Data Value Platform. Things like Salesforce OAuth tokens, Management Plane tokens, S3 access keys, and Elasticsearch keys are all managed and accessed using the Secrets Manager.

In the Salesforce Managed Package, GRAX uses a Protected Custom Setting inside Salesforce to store tokens required for authentication. This is recommended practice as part of the Secure Coding Guidelines provided by Salesforce.

For any further questions or details, please contact the team.

Previous versions of the GRAX Data Value Platform have been deployed to customers using the Heroku PaaS. Heroku provides customers a network-isolated environment called a Private Space that has previously been used when provisioning GRAX for customers. If you would like the compliance and security information that is particular to this type of legacy configuration, please contact the team.