Manage Security Contacts for Your Salesforce Organization

If your organization is impacted by an information security incident, your organization’s Security Contact(s) will be notified. 

Who should be a Security Contact for my organization?

Security incidents are often complex and raise questions about the scope and impact of the event as well as what actions your organization may need to take to address the situation. 

As these questions are best assessed by a member of your security team, it is critical that we have a Security Contact on file. 

We recommend designating the email address of a distribution list or including two Security Contacts as a contingency. 

Important Note for Administrators and Designated Contacts

The process for managing security contacts depends on the specific Salesforce products you manage, your assigned user role, and your service tier:

• For Core Clouds: System Administrators (for all Success Plans, including Standard) must manage security contacts directly within the production org on the Company Information page in Setup. For step-by-step instructions, please refer to: Managing Your Security Contact in Salesforce Setup (Core Clouds).
  • Sales Cloud
  • Service Cloud
  • Industry Cloud

• For All Other Salesforce Products and Clouds: Designated Contacts who have at least one tenant, cloud, or product with Signature or Premier service onboarded on the Help Portal must continue to manage security contacts through the Salesforce Help Portal using the instructions provided below on this page. This applies to:
  • Net Zero Cloud
  • Government Cloud Plus
  • Quip
  • Commerce
  • Datorama
  • MuleSoft (including PCE, Gov)
  • Marketing Cloud
  • Slack
  • Data Cloud
  • Heroku

Please note that while Tableau has been onboarded into the Help portal, security notifications are still delivered to the Security Point of Contact designation, which can be managed through the Tableau Customer Portal.

Notes:

• Security Contact email addresses cannot be private email addresses (e.g., @gmail.com, @yahoo.com). 
• Federal Government Security Contacts must have a .gov email address or one that identifies the government agency. Contracting company email addresses cannot be used.  

How do I create and maintain a Security Contact? 

For a given account, all individuals added as Security Contacts will receive notifications related to security events for all tenants listed under that account.

Here’s how an organization’s admin can add, edit, or delete a Security Contact.  These steps are applicable to Signature and Premier accounts only and the Primary Designated Contact:

• The Primary Designated Contact (PDC) must begin by logging into Salesforce Help. (Note: Designated Contacts can log in here to see the Security Contacts listed for their account, but cannot edit them)
• Once logged in, click on your Avatar in the upper-right corner and select Support Settings.  It is also possible to go directly to Support Settings via this URL.  You will be prompted to log in, if not already signed in.
• Select Your Org Information.
• Scroll down to the section "Customer Security Contacts".  Here you will find the Security Contacts for the account the tenant is associated with. 
• You can add new Security Contacts, modify existing ones, or delete contacts that are no longer relevant. You can add multiple Security Contacts to one account, however, a minimum of one Security Contact is required (once added).
• PDCs will also be able to see any Designated Contacts listed for the account listed in this section.

Need Help? You can reach out to Support to answer any questions you may have by logging a case via Salesforce Help.