Resource Hero is built for organizations that take data security seriously. Because Resource Hero is 100% native to the Salesforce platform, your data never leaves your own Salesforce org, and the application inherits the security, encryption, and compliance controls Salesforce already provides. This page explains how we build, secure, and support the application.
Built 100% Native to Salesforce
Resource Hero is a managed package that installs and runs entirely inside your own Salesforce organization. There is no separate Resource Hero cloud, no external database, and no middleware that your data passes through.
- All Resource Hero data (resources, assignments, forecasts, time entries, rates, and skills) is stored as custom objects inside your own Salesforce org.
- Resource Hero does not host, copy, or store your data on any external infrastructure, and operates no data centers of its own.
- Resource Hero has no access to your data unless you explicitly grant it for a support request.
- Because each customer runs the package in their own Salesforce instance, your data is naturally isolated from every other customer.
This architecture is the foundation of every other point on this page. When your data stays inside your Salesforce org, the controls you already trust Salesforce to provide apply to Resource Hero automatically.
Salesforce Security Review
Resource Hero has passed the Salesforce AppExchange Security Review, the mandatory security assessment every AppExchange application must clear before it can be listed and installed. We re-submit for review with each major and minor release, so the version you install has been scanned and approved through Salesforce’s process.
The AppExchange review includes static and manual code analysis, CRUD and field-level security verification, sharing-rule compliance, and testing for SOQL/SOSL injection, cross-site scripting, CSRF, and clickjacking. You can verify Resource Hero’s standing on our AppExchange listing at any time.
Authentication and Access Control
Resource Hero does not maintain its own login, password store, or user directory, and requires no VPN or remote access into your network. Access is governed entirely by your Salesforce org.
- Authentication is handled by Salesforce. Users sign in with their existing Salesforce credentials, so your org's single sign-on (SAML or OpenID Connect, or delegated authentication backed by LDAP/Active Directory) and multi-factor authentication policies apply to Resource Hero with no additional setup. Session timeout, login IP ranges, and account-lockout policies are likewise enforced by Salesforce under your control.
- Authorization respects Salesforce object-level permissions, field-level security, and sharing rules. Resource Hero enforces CRUD and field-level security checks throughout the application, and user-facing data access runs in Salesforce user mode so each person sees only the records and fields they are permitted to see.
- Role-based access is delivered through 13 Resource Hero permission sets, covering standard user access, component-specific features, and administrative functions, so you can grant exactly the access each role needs.
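As an added illustration of the two points above (the injection checks the AppExchange review performs, and CRUD/FLS enforcement in user mode), the following Apex class shows the unsafe pattern beside the hardened one. This is example code written for this page, not Resource Hero's code; the object Assignment__c and its fields Resource__c and Hourly_Rate__c are hypothetical names chosen for the example.

```apex
// Example only (not Resource Hero's code). Assumes a hypothetical custom object
// Assignment__c with fields Name, Resource__c (lookup to a resource record)
// and Hourly_Rate__c (currency).
public with sharing class AssignmentService {

    public class AccessException extends Exception {}

    // UNSAFE (shown for contrast): user input concatenated into dynamic SOQL.
    // A value such as   x' OR Name != '   rewrites the WHERE clause, and
    // Database.query() with no access level runs in system mode, so it can
    // return fields and rows the running user is not permitted to see.
    public static List<Assignment__c> findUnsafe(String resourceName) {
        String soql = 'SELECT Id, Name, Hourly_Rate__c FROM Assignment__c '
                    + 'WHERE Resource__r.Name = \'' + resourceName + '\'';
        return Database.query(soql);
    }

    // SAFE: a bind variable in static SOQL is never parsed as query syntax,
    // and WITH USER_MODE applies the user's object, field and record access;
    // a field the user cannot read fails the query instead of being returned.
    public static List<Assignment__c> findByResourceName(String resourceName) {
        return [SELECT Id, Name, Hourly_Rate__c
                FROM Assignment__c
                WHERE Resource__r.Name = :resourceName
                WITH USER_MODE];
    }

    // SAFE dynamic SOQL: the only concatenated piece is chosen from a Boolean,
    // the user-supplied value goes through a bind map, and the access level
    // is stated explicitly.
    public static List<Assignment__c> search(String resourceName, Boolean includeRate) {
        String fieldList = includeRate ? 'Id, Name, Hourly_Rate__c' : 'Id, Name';
        String soql = 'SELECT ' + fieldList
                    + ' FROM Assignment__c WHERE Resource__r.Name = :name';
        return Database.queryWithBinds(
            soql,
            new Map<String, Object>{ 'name' => resourceName },
            AccessLevel.USER_MODE);
    }

    // DML: refuse if the object is not updateable for this user, and strip any
    // fields the user lacks edit rights on before the write reaches the database.
    public static void updateRates(List<Assignment__c> changes) {
        if (!Schema.sObjectType.Assignment__c.isUpdateable()) {
            throw new AccessException('Insufficient access to Assignment__c');
        }
        SObjectAccessDecision decision =
            Security.stripInaccessible(AccessType.UPDATABLE, changes);
        update decision.getRecords();
    }
}
```

The `with sharing` keyword on the class keeps record-level sharing rules in force for every query it runs; `WITH USER_MODE` and `AccessLevel.USER_MODE` add object and field-level checks on top of that, which is the behaviour the page describes for user-facing data access.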
Encryption
Because Resource Hero runs natively inside Salesforce, your data is protected by the encryption controls of the Salesforce platform:
- In transit: all communication uses TLS 1.2 or higher over HTTPS.
- At rest: your data is stored and encrypted (AES-256) within your Salesforce org. Customers licensed for Salesforce Shield can additionally apply Shield Platform Encryption, including Bring Your Own Key (customer-managed keys), to Resource Hero custom fields.
Resource Hero does not transmit or store your data outside of Salesforce, so there is no separate Resource Hero data store to secure.
Audit Logging
Activity is logged through Salesforce's native audit capabilities within your org, including the Setup Audit Trail, field history tracking (which your administrator enables per object and field), and login history. You retain full access to these logs. Resource Hero does not maintain a separate log of your users' activity.
Compliance
Resource Hero inherits its infrastructure compliance posture from the Salesforce platform. Resource Hero does not separately hold SOC 2 or ISO 27001 certifications; instead, because your data resides entirely within your audited Salesforce org, the certifications and attestations Salesforce maintains for its infrastructure apply to where your Resource Hero data lives.
- Salesforce maintains SOC 1, SOC 2, SOC 3, ISO 27001, ISO 27017, ISO 27018, PCI DSS, and FedRAMP, among others. You can review the current certifications and request reports at Salesforce Compliance.
- GDPR: All processing occurs within your Salesforce org under your control. Resource Hero does not independently collect, store, or transfer EU personal data, and we will execute a Data Processing Agreement where one is required.
- CCPA: Resource Hero does not sell personal information, and all data remains under your control within your org.
- HIPAA: Resource Hero does not receive, store, or process Protected Health Information. Healthcare customers maintain HIPAA compliance through their Salesforce configuration, and Resource Hero operates within those controls without accessing PHI.
- Data Processing Agreements are available on request.
We routinely complete customer security and vendor risk assessments for organizations with strict compliance requirements. To request one, use the contact below.
Secure Development
Security is built into how we develop and release the application, not bolted on at the end. Our software development lifecycle includes:
- Code review on every change. All changes are submitted through a pull request and reviewed before merging, combining manual human review for design and correctness with AI-assisted analysis for potential defects and security concerns.
- Continuous security scanning. All code is scanned with Checkmarx (the Salesforce-approved scanner) and the Salesforce Code Analyzer prior to every release, with findings remediated and re-scanned before the package ships.
- Layered testing. Functionality, installation, upgrade, and regression testing run throughout development, backed by a code-coverage requirement well above the platform minimum.
- Separated environments and consistent process. Development, testing, and release environments are logically separated, and the same lifecycle applies to every change, including urgent fixes. No emergency path bypasses code review, testing, or security scanning.
- Software Bill of Materials. We maintain an SBOM documenting the application’s components and third-party libraries.
- Data discipline. Customer production data and personally identifiable information are never placed in our source control, even when investigating a customer-reported issue.
Vulnerability Management
Resource Hero code is continuously scanned through Checkmarx and the Salesforce Code Analyzer, and the underlying Salesforce platform undergoes regular internal and external penetration testing by Salesforce (reflected in their SOC 2 reports). Identified vulnerabilities are prioritized by severity: critical issues are addressed immediately, and high-severity issues are resolved in the next scheduled release. Significant security fixes are noted in release notes, and we provide direct notification and expedited patches for any critical issue that may affect customers.
Artificial Intelligence
Today, AI is used only to assist our development team with code suggestions and documentation drafting. All AI-assisted output is reviewed, tested, and approved by human engineers before release, and customer data is never provided to AI tools. The Resource Hero product itself contains no AI: it makes no automated decisions affecting users and does not use AI to process your data.
As AI capabilities for the Salesforce platform mature, we are evaluating how to bring AI-assisted features (such as Agentforce-based capabilities) into Resource Hero. Any such feature will be built natively on Salesforce, governed by the same secure development and review practices described above, will operate under your org’s permissions and controls, and will not use your data to train external models. We will update this page before any AI capability is released in the product.
Incident Response
Resource Hero maintains a documented Incident Response Plan covering incidents that originate from Resource Hero code, configuration, or supporting systems.
- We classify incidents by severity and follow a defined response lifecycle of verification, containment, eradication, and recovery.
- When a confirmed incident attributable to Resource Hero affects your data or service availability, we notify affected customers without undue delay, with relevant detail about impact and remediation, consistent with applicable data-protection regulations.
- We preserve relevant evidence (logs, code history, and scan results) and conduct post-incident reviews to identify root causes and corrective actions.
Salesforce platform outages and infrastructure incidents are managed under Salesforce’s own 24/7 incident management and communication processes, published at trust.salesforce.com.
Subprocessors and Vendors
No third party receives, processes, or stores the data inside your Salesforce org. Resource Hero shares your application data with no one.
- For our own subscription billing we use Stripe, which processes payment information only. Resource Hero retains subscription identifiers, not payment card data, and Stripe has no access to the data in your Salesforce org.
- Resource Hero’s internal business operations run on Microsoft 365 and Salesforce. These systems do not contain your Resource Hero application data.
- All Resource Hero operations are US-based, with no offshore resources and no fourth-party data sharing.
Your Data, Your Control
- Your Resource Hero data lives in your Salesforce org and is governed by your org’s data management, backup, and retention settings.
- Resource Hero does not retain customer data. When you uninstall the package, your data remains in your org for you to manage or delete under your own policies.
- For business continuity and disaster recovery, Resource Hero relies on the Salesforce platform’s program. See Salesforce Disaster Recovery and Business Continuity.
Governance and Reporting
Information security at Resource Hero is overseen by William Kuehler, Co-Founder and Managing Partner. Resource Hero maintains active cyber liability coverage under its Errors & Omissions policy.
If you believe you have found a security vulnerability in Resource Hero, or have a question about our security practices, contact us at [email protected]. We review all reports promptly and will work with you on responsible disclosure.