Salesforce is the market-leading CRM platform that provides an unparalleled level of functionality and customization which companies all over the world value so much. Companies from different industries use the capabilities of this platform to maintain relationships with their customers, track progress on deals at all stages of the funnel, and facilitate lead and customer acquisition with tools provided by Salesforce.
It’s not a secret that one Salesforce instance can be used by companies to service customers from multiple countries. But the market landscape is evolving, and more and more countries have introduced new data protection regulations (and specifically data residency regulations) that greatly affect how companies will need to operate around the world.
Compliance with local regulations, especially with data localization and distribution requirements, can become a real challenge even for a technology company. The problem can get even worse when data residency needs to be implemented for a company’s existing SaaS applications that are used globally. Many of these applications do not allow the necessary level of customization required for the task, especially as it relates to data communications.
Some countries with more stringent data protection regulations, require sensitive and regulated data that is currently stored in Salesforce, to be localized within their domestic borders and prohibit any cross-border transfers without extensive government approvals (ie. China). Even then, a copy of the data must remain in the country. This can become a real challenge for IT and marketing departments. To address these issues, options to consider include:
The implementation of a new standalone CRM platform will impose some real costs. These include rolling out another set of servers or cloud instances in each affected country, training the sales and marketing teams to work with a new system, obtaining the necessary compliance certifications, properly securing the new system, troubleshooting regular issues, maintaining additional services and updates for the new system, and so on.
Implementation of compliance requirements within the Salesforce org from scratch is a very challenging and non-trivial custom development effort for an IT department, which tends to make this approach a non-starter for most.
The more reasonable integrated approach is to use an existing on-demand platform that provides data residency for Salesforce data. Solutions like InCountry’s Data Residency-as-a-Service platform or the Alibaba Cloud InCountry Service (in China), are best suited to meet the needs of organizations interested in better leveraging their existing Salesforce orgs to gain a global view of their business.
There is also a third option to consider. Simply leave the market. This can be easily achieved by closing offices in affected countries or by being penalized by local regulators and still being forced to leave the market with a negative brand reputation.
The InCountry Data Residency-as-a-Service (DRaaS) platform or the Alibaba Cloud InCountry Service (ACIS) offers a data residency solution that allows for the localization and distribution of sensitive and regulated data of a country’s citizens in full compliance with the data residency regulations of affected countries. In China, for example, PIPL (Personal Information Protection Law) has garnered much attention given that it requires special handling of Chinese citizens' data. For this case, the ACIS provides a variety of tools that can help with the implementation of the most complicated scenarios for handling and localizing sensitive and regulated data with minimal tradeoffs in functionality and none in data protection.
This solution works in two parts, first by installing the InCountry Data Residency for Salesforce managed package, then configuring it to direct the regulated data to the appropriate country(ies) point(s)-of-presence. From there all that remains is to configure the data regulation policies for the Salesforce objects. These policies determine how regulated data is to be handled, where it will be stored, whether cross-border transfers are allowed, and whether a copy of the regulated data can be stored in Salesforce itself.
That’s all! Not much to do to be compliant with Salesforce in most countries with data residency requirements. Let’s just evaluate this solution in more detail to better understand the advantages of the ready-to-use solution.
The InCountry Data Residency for Salesforce package is a standard managed package that can be installed on Salesforce. Once installed the package needs to be configured. The configuration is pretty straightforward.
An endpoint is a connection to the InCountry DRaaS that needs to be established for communication of regulated and sensitive data between Salesforce and the InCountry DRaaS (or ACIS in China).
The InCountry Data Residency for Salesforce package supports three data regulation policies, as follows:
Data Handling | Salesforce without DRaaS or ACIS | Data Residency Model | ||
Replication | Restriction | Redaction | ||
Storage | Outside Only | Outside | Outside | Inside Only |
Processing | Outside Only | Outside | Outside | Inside Only |
Viewing | Inside & Outside | Inside & Outside | Inside & Outside | Inside Only |
In China, the two most prominent data regulation policies are:
The InCountry Salesforce Data Residency managed package allows for configuring data regulation policies at the object and record levels. When using the object-level policy, the package will regulate all records that pertain to a specific Salesforce object. While the record-level policy will be applied only to specific records with some pre-defined attribute, such as a country attribution. As a result, not only can this support keeping track of relevant policies for customer records that need to be stored in different countries, but it also helps support the ability to combine policies in one country (ie. using both redacted and replicated data residency models in China).
In configuring data regulation policies, fields that contain regulated data need to be marked as such. The package saves values from such fields to the ACIS and saves their hashed values to Salesforce, while non-regulated fields will be saved to Salesforce as clear-text values.
When managing protected fields, the appropriate hash function applied to the original can be defined so the produced hash value will resemble the original pattern, for example, the email address (“xxxxx@yyy”). If needed, a default value can be applied to protected fields of the pattern needed.
The last step is the replacement of native UI components with custom package components. This needs to be done, as native components will automatically send regulated data to the Salesforce backend, which could violate compliance regulations. The package’s components first save the values of protected fields to the ACIS, then hash these values, and save hashed values of protected fields and clear-text values of non-regulated fields to Salesforce.
The package supports all the commonly used UI components in order to streamline this process. The configuration is handled by dragging the necessary components to the page layout and, if needed defining additional configuration as required by the component.
Once the package configuration is complete, the Salesforce functionality remains the same. The InCountry Data Residency for Salesforce package re-creates the native UI components, so the user experience will not be affected, adding no training requirements. The only real difference is that the package’s components consider the current Salesforce user’s location and show values for protected fields depending on the configured data regulation policies.
Using the redaction policy, when the Salesforce user accesses protected data from a location different from the country of origin of this data they will see the REDACTED label instead of clear-text values in protected fields. By contrast, clear-text values can be displayed in replication and restriction policies, as cross-border transfer of values for viewing is not prohibited.
Want to use Salesforce in a compliant way in China? Follow the next steps to get started with the Alibaba Cloud InCountry Service:
For other countries:
Now you are ready to handle sensitive and regulated data in full compliance with data residency regulations in your chosen countries.
How to Optimize Your Network in the Mobile Internet Era – Domain Name System Resolution
Alibaba Cloud Launches Cloud ONE Program to Accelerate Digitalization of Philippine Businesses
1,044 posts | 257 followers
FollowAlibaba Cloud Community - August 5, 2022
Alibaba Cloud Community - October 21, 2022
Alibaba Cloud Community - August 5, 2022
Alibaba Cloud Community - November 3, 2023
Alibaba Cloud Community - December 19, 2023
Alibaba Cloud Community - September 16, 2021
1,044 posts | 257 followers
FollowExpand your business to China quickly and efficiently while complying with applicable local rules and regulations
Learn MoreBring the world-renowned CRM platform to China
Learn MoreA cloud solution for smart technology providers to quickly build stable, cost-efficient, and reliable ubiquitous platforms
Learn MoreAlibaba Cloud Service Mesh (ASM) is a fully managed service mesh platform that is compatible with Istio.
Learn MoreMore Posts by Alibaba Cloud Community