WithSecure™ Cloud Protection for Salesforce Privacy Policy
November 2025
In brief
WithSecure™ Cloud Protection for Salesforce is a cloud-based security solution that is designed to complement and extend the native security capabilities of the Salesforce platforms. The solution protects organizations against threats posed by files and web links (URLs) uploaded to or shared via the Salesforce cloud, and the solution’s Identity Protection feature scans Salesforce user email addresses to detect potential data breaches.
The core privacy aspects of this solution are:
- the focus of data collection is on the customer’s Salesforce organization, not on individuals;
- much of the processed and collected data remains in the customer’s Salesforce organization;
- when data is sent to WithSecure Security Cloud, it is anonymous to WithSecure by design;
- the customer’s Salesforce administrator has access to the data collected in identifiable format.
In full
This privacy policy focuses on the items we believe are the most relevant for you. Such items are in particular:
- the type of personal and private data that the solution collects,
- what we use it for,
- our justification,
- typical disclosures, and
- for how long we store it.
More information on these topics, and on other aspects of the processing of your personal data (including data subject rights and contact information), is available in the detailed version of the privacy policy at WithSecure’s Trust Center and through the embedded links to our General privacy policy.
What data is collected and what it is used for
Content Protection
The solution is composed of a native Salesforce application and WithSecure’s Security Cloud.
The WithSecure Cloud Protection application is installed in the customer’s Salesforce organization. The application inspects all files uploaded and stored as Salesforce Files or Attachments with standard or custom objects in the Salesforce platform and may send a copy of a file of unknown reputation to WithSecure’s Security Cloud. Such copy is scanned in WithSecure’s Security Cloud and deleted near-instantaneously after the analysis. See the ‘Retention’ section for more information.
To check the security reputation and classification of web links, the WithSecure Cloud Protection application sends them to WithSecure’s Security Cloud. The application does not send actual message or body texts that contain web links.
WithSecure’s Security Cloud is a cloud-based threat analysis and reputation system that scans data for any malicious or harmful content. Data sent to Security Cloud is always anonymized and cannot be connected to an individual user in any way. For further information please refer to the WithSecure™ Security Cloud whitepaper available here.
The results available to the customer’s Salesforce administrators may include, but are not limited to, user name (given name and surname) and the name, type, and size of the file accessed (uploaded or downloaded). For more specific information on the data accessed by the customer and by WithSecure, please refer to the detailed version of the privacy policy available at WithSecure’s Trust Center.
The customer’s Salesforce administrator means a person who has been granted Salesforce admin rights to the customer’s Salesforce organization.
Identity Protection
The Identity Protection feature in the solution scans Salesforce user email addresses to detect potential data breaches. Some personal data may be processed in the Identity Protection feature; that data is stored in encrypted form and processed in accordance with the Data Processing Agreement. For further information, please refer to the detailed version of the privacy policy available at WithSecure’s Trust Center.
Technical support
If the solution does not work as intended and there are no workarounds for the problem, the customer’s Salesforce administrator may utilize WithSecure’s expertise to investigate and resolve issues. In such rare cases, WithSecure’s support engineers may log in and access data in the customer’s Salesforce organization remotely via the support tool provided by Salesforce. The remote login access is explicitly granted by the customer’s Salesforce administrator, is always time-limited and is subject to the Data Processing Agreement.
When investigating problems with the solution via remote login access, no data except debug logs relevant to the solution are collected from the customer’s Salesforce organization. WithSecure is the controller for such data.
Contact
The contact data of the customer’s contact persons is processed as explained in our General privacy policy.
Legal grounds
WithSecure acts as a data processor on behalf of the customer when processing personal data that is temporarily stored in the solution’s backend for encryption purposes. WithSecure also acts as a data processor on behalf of the customer in the Identity Protection feature. When acting as a data processor, the Data Processing Agreement available here applies.
To the extent that WithSecure processes other data in the solution that is identifiable to an individual, WithSecure processes such data as an independent controller to safeguard the following legitimate interests:
- providing the solution to secure our customers’ networks and devices as well as the confidentiality and availability of the data therein;
- enabling WithSecure to detect emerging threats and security-relevant trends among all of its customers so that our solution can keep on par with evolving threats;
- enabling WithSecure to provide a centralized security solution framework across multiple continents to a large number of customers and partners.
Transfers and disclosures
The security data produced by the solution is visible to the customer’s Salesforce administrator for its determined purposes. If the company has outsourced its Salesforce administration, including the monitoring of this solution, that data may also be available to such outsourcing partner.
WithSecure further employs its own affiliates and subcontractors so we can provide our solution globally.
More information on transfers and disclosures is available in the detailed version of the privacy policy available at WithSecure’s Trust Center and in our General privacy policy.
Retention
Data controlled by the customer
Results of scanning activity, such as alerts as well as file and URL scanning events, are stored inside the customer’s Salesforce organization depending on the retention intervals configured in the WithSecure Cloud Protection for Salesforce application. The customer’s Salesforce administrators can delete them at any time and make backups if/as needed.
Data in WithSecure environment
With default settings, WithSecure does not store any customer data.
Anonymized security data and service statistics are stored without a set end date as long as the data is useful for the purpose it was collected for. As an exception, and to protect the confidentiality and privacy of the customer’s file contents, the service automation deletes any contents that are not found to be suspicious near-instantaneously after analysis.
Please read our detailed version of the privacy policy available at WithSecure’s Trust Center and our General privacy policy for possible exceptions or typical reasons why we may need to deviate from the primary retention rules set out above.
Security
We apply strict security measures to protect the confidentiality, integrity, and availability of your personal data when transferring, storing, or processing it.
We use physical, administrative, and technical security measures to reduce the risk of loss, misuse, or unauthorized access, disclosure, or modification of your personal data.
All personal data is stored on secure servers operated by WithSecure or our partners with access limited to authorized personnel only.
Your rights
Please read our General privacy policy for information on your statutory rights and how to contact us.
General
Please note that this privacy policy and the more detailed version available at WithSecure’s Trust Center will regularly be updated to reflect any changes in the way we handle your personal data or any changes in applicable laws.
This version of the policy clarifies, updates, and replaces the previous version. To keep this document up to date, we will make changes and additions to it from time to time.
More information on definitions and change management is available in our General privacy policy.
We are committed to high compliance
We provide all necessary certificates and information to reassure you and your stakeholders. See more details on our Trust Center.

ISAE 3000 Type 2
WithSecure™ Cloud Protection for Salesforce has an ISAE 3000 Type 2 (international equivalent of SOC2 Type 2) assurance report, ensuring your data is managed securely.

ISO 27001
WithSecure™ is ISO 27001 certified, validating our rigorous data security practices. This prestigious certification confirms our adherence to the highest information standards.

EU GDPR
WithSecure™ helps organizations adhere to General Data Protection Regulation (GDPR) requirements, ensuring the secure handling of European citizens’ personal data.

SecurityScoreCard
WithSecure™ holds the highest cyber security vendor ranking from SecurityScoreCard, which evaluates companies on 10 key security factors, including remediation speed and risk mitigation.