
Security Assessment Agreement

Publication date: Apr 22, 2025
Description
Series of guidelines the customer needs to follow while performing security assessments.
Solution

SECURITY ASSESSMENT AGREEMENT 

This Salesforce Security Assessment Agreement (the “Agreement”) shall only apply to products and services that are ordered by Customer and made available online by SFDC or its Affiliates (“Services”). As of the Effective Date of this Agreement, an Assessment may only be performed on the Services (and associated mobile applications made available by SFDC in connection with the foregoing), except an Assessment may not be performed on the Services listed at https://www.salesforce.com/content/dam/web/en_us/www/documents/legal/misc/usla-excluded-services.pdf, which may be updated from time to time.

The parties agree as follows: 

1. Permission to Perform a Security Assessment. 

This Agreement shall only apply to products and services that are ordered by Customer and made available online by SFDC or its Affiliates (“Services”). “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control,” for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.

Solely in accordance with the terms of this Agreement, SFDC grants Customer permission to perform a web application security assessment of an applicable Service and/or non-intrusive network testing of domain URLs, in each case as directly connected to Customer's Account (each, an “Assessment”).       

Customer may conduct the Assessment using a combination of commercial off-the-shelf tools along with manual inspection (e.g. hidden fields examination, etc.) to examine the level of protection of the applicable Customer Account, and/or using penetration, intrusion, and/or analysis services using intrusive or passive techniques and software tools, subject to any policies or procedures outlined herein or related Security Assessment documentation.  The results of all Assessments shall only be included in a Report which shall be prepared in accordance with this Agreement. SFDC reserves the right to establish product-specific testing blackout windows as needed. 

2. Restrictions. 

a. The Assessment will be subject to the following restrictions:  

(i) No tests (i.e., no submission of traffic) against any Accounts other than Customer’s Accounts;
(ii) If remote code execution is attained, Customer will notify SFDC immediately. At no point will Customer attempt to escalate privileges or move laterally;
(iii) No denial of service attacks against any servers or network equipment;
(iv) No attempts at server reboots;
(v) No installation of bots, viruses, trojans, “rootkits” or other executables;
(vi) No uploading of EICAR files;
(vii) No posting of test sales leads;
(viii) No testing of SFDC IP addresses;
(ix) All automated testing must be restricted to the following times: Friday 21:00 PST - Sunday 23:59 PST;
(x) No testing on the instance applicable to Customer’s Account during a major upgrade or maintenance window (see https://trust.salesforce.com/en/#systemStatus for specific instance related schedules);
(xi) No testing of lead capture, sign-up, contact us and/or any other form pages (e.g. https://www.salesforce.com/form/contact/contactme/, https://developer.salesforce.com/signup?d=70130000000td6N, https://www.salesforce.com/form/datorama/request-a-demo/); and
(xii) When testing Mulesoft runtimes, Customers may only conduct the Assessment of CloudHub workers in Customer dedicated environments within Mulesoft. Customer may not audit any workers in the Mulesoft shared worker environment.

b. Customer shall not access, retrieve, transfer, download, or modify (collectively, “Access”) any data other than data residing on Customer’s Account(s) being tested hereunder. In the event that Customer Accesses any data other than data residing on Customer’s Account(s) being tested hereunder, Customer shall immediately report this via an email to security@salesforce.com and SFDC reserves the right to discontinue the Assessment.

c. Customer may not subcontract, assign, or transfer any rights or obligations granted under this Agreement without the prior written approval of SFDC. If Customer uses a third party to do the Assessment, the third party must be subject to confidentiality and security obligations no less restrictive than those applicable to Customer. Customer shall ensure any such third party complies with all requirements related to the Assessment under this Agreement, and shall be primarily and fully responsible for all actions or omissions of such third party in any way related to such Assessment.

3. Third Party Hosting Provider Related Assessments. In the event Customer’s Assessment relates to a Service that utilizes a third party hosting provider for Customer Data Storage (as described in the Service’s applicable Infrastructure and Sub-processor document accessible from https://help.salesforce.com/articleView?id=Trust-and-Compliance-Documentation&type=1), Customer agrees to comply with the applicable requirements of such third party hosting provider (including but not limited to requirements stated at (i) https://aws.amazon.com/security/penetration-testing/, (ii) https://www.microsoft.com/en-us/msrc/pentest-rules-of-engagement and (iii) https://cloud.google.com/security/overview/).

4. Discontinuance of Assessment. Upon SFDC’s request, Customer shall immediately discontinue any Assessment, which in SFDC’s sole judgment and sole discretion disrupts, degrades, or otherwise is harmful in any manner to SFDC’s service. SFDC, in its sole discretion for business sustainability or service protection may block or cause a forced disconnect of any Customer Assessment access.

5. Reports. Promptly following the completion of the Assessment, Customer shall email security@salesforce.com a written report containing the information generated from the Assessment, including without limitation, the information listed in Exhibit A (“Reporting Requirements”). Customer agrees to strictly maintain the confidentiality of this Report per the terms of this Agreement and shall not disclose the Report to any individual or entity other than its employees on a need‐to‐know basis. Customer agrees to report all vulnerabilities classified as “High” in the Report immediately.

6. Confidentiality. Customer agrees to regard and preserve as confidential all information related to the technology, business and activities of SFDC and its customers, clients, suppliers and other entities, and all information and data discovered by Customer in performing the Assessment, including without limitation, any Reports generated therefrom (“Confidential Information”). Confidential Information shall also include any information a reasonable person would consider confidential. Customer agrees to hold such Confidential Information in trust and confidence for SFDC and not to disclose such Confidential Information to any person, firm or enterprise, or use (directly or indirectly) any such Confidential Information for its own benefit or the benefit of any other party, unless authorized by SFDC in writing, and even then, to limit access to and disclosure of such Confidential Information to such SFDC‐approved party’s employees on a “need to know” basis only. Confidential Information shall not be considered confidential to the extent, but only to the extent, that such Confidential Information is: (i) already known to the receiving party free of any restriction at the time it is obtained from the other party; (ii) subsequently learned from an independent third party free of any restriction and without breach of this Agreement or such independent third party’s agreement with SFDC; or (iii) is or becomes publicly available through no wrongful act of either party. To the extent any Confidential Information is required to be disclosed pursuant to a requirement of a governmental agency, regulator or law, Customer shall provide, to the extent legally permitted, SFDC with timely advance written notice of such requirements to allow SFDC to contest such disclosure, and shall only disclose the Confidential Information required by law to be disclosed. In such event Customer shall cooperate with SFDC’s efforts to maintain the confidentiality of such Confidential Information and to so limit such disclosure.

7. Customer Responsibilities. Customer will perform all Assessments in a competent and professional manner, using personnel who have the proper skill, qualifications, training and background to perform the Assessment in the manner specified herein. Customer shall make reasonable efforts to validate all findings prior to reporting. Customer shall not infringe upon or violate the rights of any third party in performing the Assessment or preparing any Reports under this Agreement. Customer agrees to provide SFDC with any information related to the manner of Assessment, including without limitation any ideas, methods, processes or techniques, and SFDC shall have a right to use such information without restriction, liability or obligation, except as may be expressly specified herein.

8. SFDC Services. Any production or commercial use of SFDC products and services will be governed by a separate subscription agreement between SFDC and Customer. Nothing in this Agreement shall be construed to mean that any Assessment performed shall constitute a certification or warranty that SFDC’s services and systems are secure.

9. Indemnification. Customer shall indemnify SFDC from and against any and all judgments, costs, awards, losses, expenses (including reasonable attorneys’ fees) and liability of any kind arising out of any failure of Customer (or any third party acting on Customer’s behalf) to: (i) comply with the terms of this Agreement relating to the Assessment; (ii) abide by SFDC’s instructions in conducting the Assessment; and (iii) cease the Assessment upon SFDC’s request.

10. Disruption. Customer agrees that SFDC shall not have any liability arising out of or related to delays, failures or other deficiencies in the performance of the Services if and to the extent that they are caused by an Assessment.

11. SFDC Security Team. To the extent that Customer has any questions regarding the Assessment results, Customer shall first consult the Resources noted in Exhibit A (“Resources”). If the answer or explanation to the Customer’s question is not contained in the Resources, Customer may request assistance by sending an email to security@salesforce.com, which includes a written report containing the information generated from the Assessment, including without limitation, the information listed in Exhibit A (“Reporting Requirements”). In no event will SFDC provide feedback to Customer in relation to any application or custom code developed by Customer for use in connection with the SFDC services. Customer acknowledges and agrees that SFDC has no obligation to comment on any Reports generated from, or questions regarding, the Customer’s Assessment, and that SFDC’s answering of any such questions as set forth above or otherwise is at SFDC’s sole discretion as an accommodation, and that Customer is solely responsible for the interpretation of any Assessment Reports and results. 

12. Governing Law. This Agreement shall be construed and enforced under the internal substantive laws of the State of California. The state and federal courts located in San Francisco County, California will have exclusive jurisdiction over any dispute relating to this Agreement, and each party consents to the exclusive jurisdiction of those courts. If any provision of this Agreement is held invalid, illegal or unenforceable, the remaining provisions will continue unimpaired.

13. Equitable Relief. A breach of any of the promises or agreements contained herein will result in irreparable and continuing damage to SFDC for which there will be no adequate remedy at law, and SFDC shall be entitled to injunctive relief and/or a decree for specific performance, and such other relief as may be proper (including monetary damages if appropriate).

14. Term of Agreement. This Agreement will expire upon the expiration of the Main Services Agreement between the parties, or if no such Main Services Agreement exists between the parties within 60 days after the Effective Date of this Agreement, then upon the completion of the initial Assessment period. Upon expiration, Customer’s permissions under this Agreement shall cease. Sections 5 through 13 shall survive termination of this Agreement.

15. No Third Party Beneficiaries. This Agreement is for the sole and exclusive benefit of the parties hereto and their respective successors and permitted assigns. The parties do not intend to create any third party beneficiaries or other incidental beneficiaries and nothing herein, express or implied, is intended to or shall confer upon any other person any legal or equitable right, benefit or remedy of any nature whatsoever under or by reason of this Agreement.



EXHIBIT A 

Reporting Requirements 

1. “Report” means a report containing: a findings section aimed at technical staff, detailing the following information for each vulnerability found as part of the penetration efforts:

a. Summary of all findings and associated severity level of each finding.

b. Detailed assessment report noting each finding.

c. Definitive demonstration of how to reproduce the vulnerability.

d. Applicable HTTP requests/responses.

e. Notation as to why this example is believed to be a finding.

Any use of proprietary and/or commercial vulnerability scanning tools will be documented and raw results provided in addition to the summary in the format listed above. Raw data alone, absent an organized summary of findings, is not an acceptable report.

Resources 

2. The following resources are available to assist in validating vulnerability findings:

a. Vulnerability Reporting Policy

b. Security Vulnerability Finding Submittal Guide

c. Salesforce CRM Services Platform Security FAQs

d. Salesforce help/support page

e. Salesforce Secure Coding Guidelines

f. Heroku Security Policy and general guidelines

g. Mitigate SOQL Injection in Salesforce

h. Salesforce Session Security Settings

i. Building secure applications on Salesforce

Knowledge Article Number

000392845
