Earning Your Trust

We’re sitting right between your CRM data and your email — clearly a sensitive position to be in. We recognize that and built Cirrus Insight around the premise of earning your trust.

Transparency has always been important to us and we think the information on this page will raise your expectations for what other cloud-based service providers should do to earn your trust.

Third-Party Validation

A lot of people first hear about Cirrus Insight from the Salesforce AppExchange. We've had a great run on the AppExchange, including being the #1 app overall for over 4 months, #1 app in our category, and getting 900+ 5-star reviews.

Every app listed on the AppExchange must go through a regular security review with Salesforce's "Trust" team in order to maintain their listing. The security review is notorious for being very difficult to pass, especially for apps like Cirrus Insight that live outside of the Force.com platform.

The security review includes a variety of automated and manual testing/hacking exercises in addition to reviews of physical security procedures around personnel and access to production credentials.


Additionally, we've participated in security reviews with many customers that have their own unique requirements for 3rd-party apps. Please contact us if your own Information Security team has additional questions about Cirrus Insight.

What information do we see?


The first thing you may notice when you sign in to Cirrus Insight is that you sign in from the standard salesforce.com sign-in screen. We never see your password. Ever. And we’ll never ask you for it. You also don’t need to worry about changing a password for Cirrus Insight when you change your Salesforce password - Salesforce handles that for us.

Granting Permission

After signing in, you’re asked to approve our request for access to Salesforce (this is the “OAuth handshake”). To request access, we tell Salesforce what level of access we need -- this is called the “scope.” The levels of access that we request are:

  • “id” - so we can “ID” you and see who you are. See “What do we know about you” below.
  • “api” - so we can search Salesforce and create leads and contacts for you.
  • “refresh_token” - so we can get a new session with Salesforce on your behalf so we can run background jobs for you like calendar sync.
  • “web” - so we can take you to a specific record in Salesforce without forcing you to sign back in.


With this access, we can search Salesforce and create records on your behalf. A few important things to point out:

    • We can’t do anything you can’t do. For example, if you don’t have access to edit Contracts, we wouldn’t be able to edit a Contract record.
    • We can do almost everything you can do. If you can see every account in the system, our API access gives us access to see every account in the system. 
    • You can revoke our access at any time from your Salesforce user record.
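
The scope list above can be checked against the authorization URL your browser shows during the OAuth handshake. The following is an added example, not Cirrus Insight's code: the sample URLs, client ID and redirect URI are constructed, and the allowed sign-in hosts are an assumption (an org using a custom domain or Single Sign-On will see a different host).

```python
from urllib.parse import urlsplit, parse_qs

# Scopes this page says Cirrus Insight requests.
DOCUMENTED_SCOPES = {"id", "api", "refresh_token", "web"}
# Assumption: standard Salesforce production and sandbox sign-in hosts.
EXPECTED_HOSTS = {"login.salesforce.com", "test.salesforce.com"}


def audit_authorize_url(url):
    """Return a list of findings for an OAuth authorization request URL."""
    findings = []
    parts = urlsplit(url)
    if parts.scheme != "https":
        findings.append("authorization request is not sent over HTTPS")
    if parts.hostname not in EXPECTED_HOSTS:
        findings.append(f"unexpected sign-in host: {parts.hostname}")
    query = parse_qs(parts.query)
    # OAuth 2.0 carries scopes as one space-delimited 'scope' parameter.
    requested = set(" ".join(query.get("scope", [])).split())
    if not requested:
        findings.append("no scope parameter present")
    extra = requested - DOCUMENTED_SCOPES
    if extra:
        findings.append("undocumented scopes requested: " + ", ".join(sorted(extra)))
    return findings


# Constructed sample requests (placeholder client ID and redirect URI).
GOOD = ("https://login.salesforce.com/services/oauth2/authorize"
        "?response_type=code&client_id=EXAMPLE_CLIENT_ID"
        "&redirect_uri=https%3A%2F%2Fapp.example%2Fcallback"
        "&scope=id%20api%20refresh_token%20web")
BAD = ("https://login.salesforce.com.example/services/oauth2/authorize"
       "?response_type=code&client_id=EXAMPLE_CLIENT_ID&scope=id+api+full")

if __name__ == "__main__":
    for label, url in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, audit_authorize_url(url) or "matches the documented request")
```

A host that merely begins with the Salesforce name and a scope outside the four listed are the two deviations worth stopping on before you approve the request.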

If you're using Chrome, you'll also see a notice about granting Cirrus Insight permission to run on two specific domains, mail.google.com and secure3.cirrusinsight.com, which enables the app to run securely inside Gmail.


When you open an email, we’ll search for the sender’s or recipient’s email address in Salesforce and return related information. All communication between your browser and our servers is protected by the same level of encryption that banks use for online banking services (SSL if you're keeping track).

When you save an email to Salesforce, that email is encrypted and sent to our servers, where we look for contacts to relate the email to and then save it to Salesforce. We do not store the email.

Attachments Support

If you’ve enabled our attachments support, you were asked to grant us permission to view emails in Gmail. After you save an email to Salesforce we’ll look for that email in Gmail, pull the attachment from Gmail and save it to Salesforce. We never save the file attachment to our server. Attachment support is disabled by default and must be explicitly enabled by you.

We also support saving Google Drive attachments with an email in Salesforce. Saving Google Drive attachments does not require any additional permission, and the link can be saved right in Chatter.

What information do we store?

Email Searches

When we search Salesforce for information about a specific email address, we get related information about the account and any opportunities, cases, and activities the person is associated with. Salesforce’s APIs aren’t the speediest, and each new query can cost 2-3 API calls, so we cache the data that is sent back to your browser for a period of 5-10 minutes. Information is cached in RAM only – no data is written to disk. Any searches for an email address in the cache will instead be returned from the cache, resulting in a much faster response and many fewer API calls (in other words, better performance all around). Once the cache expires, it is deleted permanently.

User Permissions

To improve performance, we cache a snapshot of each user’s permissions. This is generally a list of fields the user has access to on each object.

Calendar Sync

Our Calendar Sync app keeps your Salesforce and Google Calendars in sync. It’s pretty slick: /calendar-sync. In order to keep everything straight, we store the event IDs for each calendar and a list of the attendee emails for each event (we’re the only Calendar Sync app that can sync attendees). All information about the events will be deleted from our database once the events are more than two weeks past.

3rd Party Services

To provide the best experience and level of service, we utilize a number of third party services to monitor systems and track application usage. In a few cases, we have partnered with other cloud software providers to bring additional features to users of Cirrus Insight.


RingLead provides a service that allows Cirrus Insight to suggest contact information for new leads and contacts. RingLead does not store any transmitted data.

What do we know about you?

After you register for Cirrus Insight, we ask Salesforce for some basic information about who you are. This information includes your name, email, timezone, and language preference, in addition to which Salesforce org you belong to.

We keep track of when specific events in the application occur, such as sign-ins, saved emails, and logged calls, but we record only when the event occurred and interesting details like how many attachments were included.

Our Continuing Commitment

We are continuously improving Cirrus Insight to take advantage of new technologies and enhanced capabilities in the Salesforce and Google platforms.

Recent product releases have included security-first features, such as:

  • Salesforce Sandbox support: We released support for testing Cirrus Insight with Salesforce Sandbox because we know that it takes time to earn our users’ trust and they need to be able to try the app without giving us access to their real data. 
  • Single Sign-On Support: We released support for Single Sign-On for those organizations that have centralized their identity services in order to squelch password proliferation. 
  • OAuth for Partner Portal: We are upgrading our partner portal support to take advantage of OAuth support for partner portal.
  • HTTP Strict Transport Security: HSTS is a web security policy mechanism whereby a web server declares that complying web browsers are to interact with it using only secure HTTPS connections.

If you have questions that this page didn't answer, please let us know.