×
Community Blog Implementing Data Residency in Salesforce with Alibaba Cloud InCountry Service (ACIS)

Implementing Data Residency in Salesforce with Alibaba Cloud InCountry Service (ACIS)

This article explains the importance of data residency and getting started with data residency in SalesForce.

Salesforce is the market-leading CRM platform that provides an unparalleled level of functionality and customization which companies all over the world value so much. Companies from different industries use the capabilities of this platform to maintain relationships with their customers, track progress on deals at all stages of the funnel, and facilitate lead and customer acquisition with tools provided by Salesforce.

It’s not a secret that one Salesforce instance can be used by companies to service customers from multiple countries. But the market landscape is evolving, and more and more countries have introduced new data protection regulations (and specifically data residency regulations) that greatly affect how companies will need to operate around the world.

Compliance Is No Longer a Nice-To-Have Option

Compliance with local regulations, especially with data localization and distribution requirements, can become a real challenge even for a technology company. The problem can get even worse when data residency needs to be implemented for a company’s existing SaaS applications that are used globally. Many of these applications do not allow the necessary level of customization required for the task, especially as it relates to data communications.

Some countries with more stringent data protection regulations, require sensitive and regulated data that is currently stored in Salesforce, to be localized within their domestic borders and prohibit any cross-border transfers without extensive government approvals (ie. China). Even then, a copy of the data must remain in the country. This can become a real challenge for IT and marketing departments. To address these issues, options to consider include:

  1. Implement a local or on-premise CRM solution in the affected country that is fully disconnected from the global system.
  2. Enable the Salesforce instance to support data localization and geographically controlled data distribution.

The implementation of a new standalone CRM platform will impose some real costs. These include rolling out another set of servers or cloud instances in each affected country, training the sales and marketing teams to work with a new system, obtaining the necessary compliance certifications, properly securing the new system, troubleshooting regular issues, maintaining additional services and updates for the new system, and so on.

Implementation of compliance requirements within the Salesforce org from scratch is a very challenging and non-trivial custom development effort for an IT department, which tends to make this approach a non-starter for most.

The more reasonable integrated approach is to use an existing on-demand platform that provides data residency for Salesforce data. Solutions like InCountry’s Data Residency-as-a-Service platform or the Alibaba Cloud InCountry Service (in China), are best suited to meet the needs of organizations interested in better leveraging their existing Salesforce orgs to gain a global view of their business.

There is also a third option to consider. Simply leave the market. This can be easily achieved by closing offices in affected countries or by being penalized by local regulators and still being forced to leave the market with a negative brand reputation.

Solution in Brief

The InCountry Data Residency-as-a-Service (DRaaS) platform or the Alibaba Cloud InCountry Service (ACIS) offers a data residency solution that allows for the localization and distribution of sensitive and regulated data of a country’s citizens in full compliance with the data residency regulations of affected countries. In China, for example, PIPL (Personal Information Protection Law) has garnered much attention given that it requires special handling of Chinese citizens' data. For this case, the ACIS provides a variety of tools that can help with the implementation of the most complicated scenarios for handling and localizing sensitive and regulated data with minimal tradeoffs in functionality and none in data protection.

This solution works in two parts, first by installing the InCountry Data Residency for Salesforce managed package, then configuring it to direct the regulated data to the appropriate country(ies) point(s)-of-presence. From there all that remains is to configure the data regulation policies for the Salesforce objects. These policies determine how regulated data is to be handled, where it will be stored, whether cross-border transfers are allowed, and whether a copy of the regulated data can be stored in Salesforce itself.

That’s all! Not much to do to be compliant with Salesforce in most countries with data residency requirements. Let’s just evaluate this solution in more detail to better understand the advantages of the ready-to-use solution.

Solution in Detail

The InCountry Data Residency for Salesforce package is a standard managed package that can be installed on Salesforce. Once installed the package needs to be configured. The configuration is pretty straightforward.

Setup of Endpoints

An endpoint is a connection to the InCountry DRaaS that needs to be established for communication of regulated and sensitive data between Salesforce and the InCountry DRaaS (or ACIS in China).

1

Setup of Data Regulation Policies

The InCountry Data Residency for Salesforce package supports three data regulation policies, as follows:

Data Handling Salesforce without DRaaS or ACIS Data Residency Model
Replication Restriction Redaction
Storage Outside Only Outside Outside Inside Only
Processing Outside Only Outside Outside Inside Only
Viewing Inside & Outside Inside & Outside Inside & Outside Inside Only

In China, the two most prominent data regulation policies are:

  1. redaction is a default option. If you do not collect consent from Chinese prospects and customers, nor obtain the necessary regulator (Cyberspace Administration of China (CAC)) approval, it is important to ensure that user PII data does not leave the borders of China under any circumstances.
  2. replication is a less stringent option when comparing it to the redaction policy. In this case, where consent of the PII owner has been obtained and appropriate reviews and approvals have take place with the CAC and in some cases necessary standard clauses have been put in place, a primary copy of data is stored on the ACIS, before a copy of this data can then be stored on the main Salesforce instance.

2

The InCountry Salesforce Data Residency managed package allows for configuring data regulation policies at the object and record levels. When using the object-level policy, the package will regulate all records that pertain to a specific Salesforce object. While the record-level policy will be applied only to specific records with some pre-defined attribute, such as a country attribution. As a result, not only can this support keeping track of relevant policies for customer records that need to be stored in different countries, but it also helps support the ability to combine policies in one country (ie. using both redacted and replicated data residency models in China).

Definition of Protected Fields

In configuring data regulation policies, fields that contain regulated data need to be marked as such. The package saves values from such fields to the ACIS and saves their hashed values to Salesforce, while non-regulated fields will be saved to Salesforce as clear-text values.

3

When managing protected fields, the appropriate hash function applied to the original can be defined so the produced hash value will resemble the original pattern, for example, the email address (“xxxxx@yyy”). If needed, a default value can be applied to protected fields of the pattern needed.

4

Swapping UI Components

The last step is the replacement of native UI components with custom package components. This needs to be done, as native components will automatically send regulated data to the Salesforce backend, which could violate compliance regulations. The package’s components first save the values of protected fields to the ACIS, then hash these values, and save hashed values of protected fields and clear-text values of non-regulated fields to Salesforce.

5

The package supports all the commonly used UI components in order to streamline this process. The configuration is handled by dragging the necessary components to the page layout and, if needed defining additional configuration as required by the component.

How it Looks in Salesforce

Once the package configuration is complete, the Salesforce functionality remains the same. The InCountry Data Residency for Salesforce package re-creates the native UI components, so the user experience will not be affected, adding no training requirements. The only real difference is that the package’s components consider the current Salesforce user’s location and show values for protected fields depending on the configured data regulation policies.

6
7

Using the redaction policy, when the Salesforce user accesses protected data from a location different from the country of origin of this data they will see the REDACTED label instead of clear-text values in protected fields. By contrast, clear-text values can be displayed in replication and restriction policies, as cross-border transfer of values for viewing is not prohibited.

8
9

Get Get Started with Data Residency in Salesforce

Want to use Salesforce in a compliant way in China? Follow the next steps to get started with the Alibaba Cloud InCountry Service:

  1. Create a free account on the ACIS Portal.
  2. Create an empty environment.
  3. Register a Salesforce service and save its credentials.
  4. Install the InCountry Data Residency for Salesforce package.
  5. Configure the package.

For other countries:

  1. Create a free account on InCountry Portal.
  2. Create an empty environment.
  3. Register a Salesforce service and save its credentials.
  4. Install the InCountry Data Residency for Salesforce package.
  5. Configure the package.

Now you are ready to handle sensitive and regulated data in full compliance with data residency regulations in your chosen countries.

0 0 0
Share on

Alibaba Cloud Community

1,080 posts | 265 followers

You may also like

Comments