Loading

B2C Commerce Platform Security Overview

Fecha de publicación: Dec 11, 2025
Descripción

To ensure the confidentiality and availability of customers' data, the B2C Commerce platform takes a holistic approach to data security. We are constantly monitoring our service to ensure that systems are running properly, and resolving problems before they impact customers’ storefronts. Our approach to data security allows customers to leverage our service where they see fit, and follow their own internal security processes and procedures in a complimentary fashion. Security is an evolving element of our service, and we approach each potential threat as a threat not only on our customers, but to our company.

Solución

Data Centers

The B2C Commerce platform's PODs are collocated at top-tier data centers around the world. These locations are audited as part of our PCI compliance. They provide services to us, including:

  • Physical Security
    • 24-hour manned security
    • Biometric scanning for access
    • Individually controlled cages
    • Video surveillance
    • Building engineered with environmental risks accounted for (flood, etc)
  • Environmental controls
    • Humidity and temperature control
    • N+1 cooling systems
  • Power
    • Underground utility power feed to facility
    • N+1 UPS Systems
    • Multiple PDUs (Power Distribution Units)
    • Sufficient generator capacity to run indefinitely without utility power
  • Network
    • Redundant networks connections to multiple carriers
    • High bandwidth capacity
    • All secure connections to customer environments are via TLS 1.0/SSL 3.0 with certificate strength and CA decisions being made by customer
    • Any password strength or session parameters are PCI compliant
    • Multi-factor authentication for low-level administrative access
    • Border firewalls only allow inbound HTTP and HTTPS connections (port 80/443)
    • Internal firewalls segregate customers' traffic for quality of service and security decisions
    • Intrusion detection systems externally and internally with PCI compliant reviews
    • Periodic external penetration testing and vulnerability scans of B2C Commerce platform
    • Customer data is replicated to geographically different secondary location
    • All customer data is replicated to ensure continuity in the case of a disaster
    • B2C Commerce personnel constantly monitoring replication status
    • Minimally quarterly testing of procedures
    • Salesforce views data integrity as a core part of Business Continuity plans and as such leverages replications to secondary location as our data backup plan
    • Customers can export data and follow their internal policies as to where to store those archives

 

Secure Connections

TLS 1.0 and 1.1 have been disabled for inbound & outbound for B2C Commerce platform. TLS 1.2 and 1.3 are supported as outlined below:


Any password strength or session parameters are PCI compliant

 

Network Security

  • Border firewalls only allow inbound HTTP (Port 80) and HTTPS (Port 443) connections.
  • Internal firewalls segregate customers' traffic for quality of service and security decisions.
  • Intrusion detection systems externally and internally with PCI compliant reviews.
  • Periodic external penetration testing and vulnerability scans of B2C Commerce platform.

 

Business Continuity & Disaster Recovery

  • Customer data is replicated to geographically different secondary location
  • All customer data is replicated to ensure continuity in the case of a disaster
  • B2C Commerce personnel constantly monitoring replication status
  • Minimally quarterly testing of procedures

 

Data Backup

  • Salesforce views data integrity as a core part of Business Continuity plans and as such leverages replications to secondary location as our data backup plan
  • Customers can export data and follow their internal policies as to where to store those archives

 

Operational Security

Salesforce applies general operational security (OPSEC) principles to administering and maintaining the security posture of the B2C Commerce platform. This includes periodic threat assessments and customized countermeasure development, if appropriate. Additionally, all Salesforce employees authorized to access the B2C Commerce platform undergo a comprehensive background check, as permitted by applicable regulations.
 

Third Party Testing & Audits

Salesforce tests any release for security vulnerabilities as part of our QA process. In addition as part of PCI compliance we monitor security mailing lists and OWASP threat profiles. We also do penetration tests and vulnerability scans internally and external to our service. Customers are encouraged to follow their own security procedures and test their storefront as part of their compliance efforts.
 

Service Monitoring

There is continuous testing of our service internally and from at least three external locations to ensure system availability. The B2C Commerce platform is designed to ensure that any component failure (drive, networking, processor etc.) doesn't compromise the availability of a customer’s storefront, but only the total capacity of that storefront. As part of the monitoring we are constantly evaluating any security risks that customers would encounter as part of their normal day to day operations and notifying customers as needed.

Recursos adicionales

B2C Commerce Security Guide

Número del artículo de conocimiento

000391174

 
Cargando
Salesforce Help | Article