Security Overview

Working draft ยท Last updated 6 July 2026

The service is built for teams who are โ€” rightly โ€” suspicious of tools that ask for access to their Salesforce org. This page describes the controls in plain language. Every claim maps to a specific implementation and an automated test in our codebase; enterprise reviewers can request the detailed mapping at hello@rootcase.io.

Read-only by design

We connect to Salesforce with a minimal OAuth grant and use it to read configuration metadata only โ€” validation rules, flows, layouts, required fields, permissions. We never query business records. The single exception is deliberate and yours to control: the optional Salesforce Case ticket destination, which is off by default, requires an explicit admin consent step, can only create Cases, and writes an audit entry for every Case it creates.

Hard tenant isolation

Every customer's rows are fenced by PostgreSQL row-level security, enforced in the database itself โ€” not just in application code. The application connects as a role that cannot bypass those policies, and an automated test seeds every tenant-scoped table and proves cross-tenant reads return nothing. Adding a table without an isolation policy fails the test suite.

Encryption

Salesforce OAuth tokens are encrypted at the application layer (Fernet, with key rotation support) before they touch the database, which is itself encrypted at rest by our hosting provider. All traffic โ€” browser, extension, and our calls to Salesforce โ€” uses TLS 1.2+. Tokens are never written to logs: a CI guard greps every change for raw-token usage outside an allow-list, and a dedicated test asserts log redaction.

Privacy enforced three ways, not promised once

The extension's "labels, never values" guarantee is enforced by three independent mechanisms:

Screenshots follow the same philosophy: masked on the user's machine before anything is sent, held server-side only in a 24-hour transient delivery buffer, never persisted.

Minimal browser footprint

The Chrome extension runs only on Salesforce domains with three narrow permissions (storage, activeTab, scripting). The permission surface is asserted exactly by CI โ€” widening it requires a deliberate, reviewed change.

Audit logging

Security-relevant actions โ€” connecting or disconnecting an org, deleting synced data, enabling or disabling ticket destinations, every ticket and every Case created โ€” are written to an audit log your admins can review.

Data deletion on your terms

Your admin can disconnect the Salesforce org (tokens cleared immediately) and delete all synced data from the product at any time โ€” no ticket to us required. On termination, we delete customer data from production within 30 days.

Responsible disclosure

Found a vulnerability? Email hello@rootcase.io with "SECURITY" in the subject. We acknowledge within 2 business days, keep you informed, and won't pursue good-faith research conducted without service disruption or access to data that isn't yours.