Salesforce Tool Security

SALESFORCE DIAGNOSTIC TOOL SECURITY CHECKLIST.

Before using any Salesforce diagnostic tool, understand what it accesses, what it exports, what it stores, and whether it can write back to Salesforce.

Read-only diagnostics · Review-ready workbooks · No package install · No Connected App

Connecting an external tool to Salesforce is a reasonable thing to be cautious about.

Salesforce orgs can hold customer information, financial data, permission structures, automation logic, files, reports, and operational history. Before any tool touches an org, it is worth understanding exactly what it reads, what it stores, what it exports, and what it can change.

This checklist is vendor-neutral. It is useful whether or not you ever use KeelCadence, and it ends with a factual description of how KeelCadence defines its own data boundary.

01

WHY SALESFORCE ADMINS ARE RIGHT TO BE SKEPTICAL.

Salesforce is rarely just a contact list. Over time, an org accumulates sensitive business data, customer information, permission structures, automation, files, reports, and years of operational history.

Any external tool should be evaluated on what it reads, what it stores, what it exports, and what it changes. That skepticism is not an obstacle. It is the correct starting point for a review.

The most useful question is not only what the tool does. The more revealing question is: what is the tool's data boundary?

02

TL;DR SECURITY CHECKLIST.

Before connecting any Salesforce diagnostic tool, ask:

  • Does it export Salesforce records?
  • Does it download files or attachments?
  • Does it store OAuth refresh tokens?
  • Does it store long-lived access tokens?
  • Does it require a package install?
  • Does it require a Connected App?
  • Can it write back to Salesforce?
  • What data appears in the final report?
  • How long are reports retained?
  • Can access be revoked immediately?
  • Can downloaded reports be controlled after export?
  • Is the tool clear about limitations?

If a tool cannot answer these questions clearly, that lack of clarity is itself a finding.

03

START WITH THE DATA BOUNDARY.

A tool's value matters, but the data boundary matters first. Admins and IT reviewers should be able to describe what the tool reads, what it stores, what it exports, what it never collects, and what it can change.

A data boundary describes what information a tool can access, what information leaves the source system, what is stored by the vendor, and what appears in the output.

Once the boundary is clear, most other questions become easier to evaluate. A narrow, well-described boundary is easier to review than a broad one that is left unstated.

04

METADATA DIAGNOSTICS VS. DATA EXPORT TOOLS.

Not every Salesforce tool carries the same review weight, because not every tool touches the same data.

Metadata diagnostic tools review configuration, metadata, permissions, automation metadata, and aggregate counts. Data export tools move or expose row-level customer data, files, attachments, emails, Chatter content, or transactional records.

The distinction matters because the two categories create very different review questions.

Metadata diagnostic tool versus data export tool comparison
QuestionMetadata Diagnostic ToolData Export Tool
Reads metadataYesSometimes
Reviews configurationYesSometimes
Exports recordsNoYes
Downloads files or attachmentsNoOften
Stores customer dataNoOften
Produces review evidenceYesVaries
Requires data handling reviewLowerHigher
Can write back to SalesforceUsually noSometimes
Typical review riskLowerHigher

Both categories can be legitimate. The point is not that one is good and one is bad. The point is that they belong in different review tracks.

05

HOW IT AND SECURITY TEAMS EVALUATE SALESFORCE TOOLS.

When a tool reaches a formal review, IT and security teams tend to look at a consistent set of areas:

  • Data access scope
  • Data storage
  • Credential handling
  • Token handling
  • Report retention
  • Write permissions
  • Package or Connected App requirements
  • Third-party dependencies
  • Admin revocation process
  • Downloaded report handling
  • Auditability and transparency

A tool that can answer each of these clearly is far easier to approve than one that leaves them open. KeelCadence publishes its answers to many of these on its security and IT review pages.

06

CREDENTIAL AND TOKEN HANDLING QUESTIONS.

Credential and token handling deserves its own set of questions, regardless of which tool you are reviewing:

  • Are OAuth refresh tokens stored?
  • Are long-lived access tokens stored?
  • Are credentials ever collected?
  • Is access session-based?
  • Can access be revoked?
  • Are tokens logged?
  • Are tokens sent to analytics tools?
  • What happens when the session expires?

For reference, here is how KeelCadence answers the storage question factually: KeelCadence does not store persistent Salesforce OAuth refresh tokens or long-lived Salesforce access tokens.

07

PACKAGE INSTALL AND CONNECTED APP REQUIREMENTS.

Package installs and Connected Apps are normal in many Salesforce tools. They are not inherently a problem, but they can add review friction because they introduce components into the org.

Useful questions include:

  • Does the tool require a managed package?
  • Does it add permission sets?
  • Does it add Apex, LWC, remote site settings, named credentials, or custom metadata?
  • Does it require Connected App approval?
  • What OAuth scopes are requested?

KeelCadence's model is intentionally narrow on this point: no package install, no Connected App setup, read-only diagnostics.

08

READ-ONLY ACCESS AND SALESFORCE WRITES.

Read-only access reduces writeback risk, but it does not remove the need to evaluate what the tool reads, exports, and stores. Read-only is one part of the boundary, not the whole boundary.

Questions to ask:

  • Can the tool create records?
  • Can it update records?
  • Can it delete records?
  • Can it modify metadata?
  • Can it change permissions, fields, automations, or layouts?

KeelCadence diagnostics do not create, update, delete, or modify Salesforce records, metadata, permissions, fields, automations, or layouts.

09

WHAT REPORTS SHOULD AND SHOULD NOT CONTAIN.

A diagnostic report should contain enough evidence to support review, without exposing unnecessary customer data. The output is part of the data boundary too.

KeelCadence workbooks contain

  • Diagnostic findings
  • Supporting metadata evidence
  • Review priority
  • Confidence labels where applicable
  • Recommendations
  • Remediation tracking fields

KeelCadence workbooks do not contain

  • Customer record exports
  • Salesforce Files or Attachments
  • Chatter content
  • Email content
  • Full data backups
  • Record-level transactional datasets
  • Automated remediation or Salesforce writes
  • End-to-end dependency tracing claims
10

QUESTIONS TO ASK BEFORE USING A SALESFORCE DIAGNOSTIC TOOL.

A practical pre-use checklist, suitable for an admin, consultant, or reviewer:

  • What data does the tool read?
  • What data does it export?
  • What data does it store?
  • Does it store refresh tokens?
  • Does it store long-lived access tokens?
  • Can it write to Salesforce?
  • Does it require an installed package?
  • Does it require a Connected App?
  • What OAuth scopes does it require?
  • Are reports retained?
  • How long are reports retained?
  • Who can access reports?
  • Can reports be deleted?
  • Are downloaded reports protected after export?
  • Is the tool transparent about limitations?
  • Does the tool distinguish metadata findings from customer data exports?
11

HOW KEELCADENCE DEFINES ITS DATA BOUNDARY.

KeelCadence is not a Salesforce data export tool. KeelCadence is a metadata diagnostics tool.

It reviews Salesforce metadata, configuration, permission structures, automation metadata, and aggregate counts where needed for diagnostic scoring. It does not export customer records, files, attachments, emails, Chatter content, or transactional data.

It produces review-ready XLSX workbooks for cleanup, permission review, automation review, imports, UAT, and admin handoff.

How KeelCadence uses each data type and what is exported in the workbook
Data TypeKeelCadence UseExported in Workbook?
MetadataReviewedYes, where relevant
Profiles and permission setsReviewedYes
Field definitionsReviewedYes
Automation metadataReviewedYes
Aggregate countsUsed where neededYes, as summary metrics
Individual record valuesNot usedNo
Files and attachmentsNot usedNo
Emails or ChatterNot usedNo
Salesforce writesNot performedNo
OAuth refresh tokensNot storedNo
12

WHEN TO INVOLVE IT OR SECURITY.

Some teams should involve IT or security before using any external tool, especially when internal policies require review of browser tools, third-party SaaS, Salesforce session access, downloaded reports, or external diagnostics.

If that applies to your org, the following pages are written to support that review:

Diagnostic Workbooks

READ-ONLY DIAGNOSTIC WORKBOOKS.

Permission & FLS Audit

Profiles, permission sets, object permissions, FLS exposure, and user-assignment patterns.

Learn more →

Field & Object Audit

Field utilization, layout coverage, hidden populated fields, and cleanup review candidates.

Learn more →

Automation Inventory

Available automation metadata across Flows, Apex, triggers, validation rules, and approval processes.

Learn more →

Impact Awareness

Selected-object readiness signals for imports, UAT, migrations, bulk updates, and record operations.

Learn more →
Common Questions

COMMON QUESTIONS.

Is a read-only Salesforce diagnostic tool automatically safe?

No. Read-only access lowers writeback risk, but admins should still understand what the tool reads, exports, stores, and retains.

What is a Salesforce tool data boundary?

A data boundary describes what a tool can access, what leaves Salesforce, what is stored by the vendor, what appears in the output, and whether the tool can make changes.

What is the difference between Salesforce metadata and Salesforce record data?

Metadata describes the structure and configuration of the org, such as objects, fields, profiles, permission sets, field-level security, and automation. Record data is the actual business data stored in records, files, emails, Chatter, and transactions.

What credential-handling questions should I ask any Salesforce diagnostic tool?

Ask whether the tool stores OAuth refresh tokens, long-lived access tokens, credentials, session data, or access logs, and how access can be revoked.

Does KeelCadence export Salesforce records?

No. KeelCadence does not export customer records, files, attachments, emails, Chatter content, or transactional data.

Does KeelCadence store OAuth refresh tokens?

No. KeelCadence does not store persistent Salesforce OAuth refresh tokens or long-lived Salesforce access tokens.

Does KeelCadence install a Salesforce package?

No. KeelCadence does not require a package install or Connected App setup.

Can KeelCadence change Salesforce data or metadata?

No. KeelCadence diagnostics are read-only and do not create, update, delete, or modify Salesforce records, metadata, fields, permissions, automations, or layouts.

What does a KeelCadence workbook contain?

KeelCadence workbooks contain diagnostic findings, supporting metadata evidence, review priority, confidence labels where applicable, recommendations, and remediation tracking fields.

Diagnostic Tool Security

Review the KeelCadence data boundary before running a diagnostic.

KeelCadence is built for metadata-based Salesforce diagnostics, not Salesforce data export. Review the security model and IT review notes before connecting an org.

Read-only · No package install · No Connected App setup · No Salesforce writes

KeelCadence uses session cookies and Google Analytics 4 for site usage insights. GA4 does not receive Salesforce credentials, Org IDs, Report IDs, or payment data. You can opt out for this browser.