
Security

No Duplicates is built on top of Salesforce. Your data never leaves your Salesforce org — there are no external servers, no third-party data transfers, and no outside infrastructure. Everything runs inside Salesforce.

This page answers the security questions we hear most often from customers and their compliance teams.

Architecture

No Duplicates is a native Salesforce application — built with Apex and Lightning Web Components (LWC), running entirely on the Salesforce platform (Force.com). You can verify this under Supported Features on our AppExchange listing, where it is listed as Native App.

  • No external servers — the app does not use any off-platform services or infrastructure
  • No HTTP callouts — the app makes zero outbound API calls to external systems
  • No external data storage — all data stays in your Salesforce org at all times
  • Managed package — installed via Salesforce AppExchange, delivered exclusively as a managed package

Because it is a native app, No Duplicates inherits the full security infrastructure of the Salesforce platform — the same infrastructure that protects your CRM data.

Data Handling

No Duplicates processes your Salesforce records to identify and merge duplicates. Here is what the app accesses:

  • Standard objects: All standard objects except Task and Event (full list)
  • Custom objects: Any custom object in your org (configurable by admin)
  • Related records: Attachments, notes, and activities are reparented during merge (standard Salesforce merge behavior)

All matching and merging operations are executed by Apex code running on Salesforce servers within your org. No data is copied, cached, or transmitted to any external system.

Salesforce Platform Compliance

Because No Duplicates is built on top of Salesforce with no external infrastructure, it inherits all Salesforce platform security certifications:

SOC 1 Type II, SOC 2 Type II, SOC 3, ISO 27001, ISO 27017, ISO 27018, HIPAA, FedRAMP, PCI DSS — and others. For the full and current list, visit trust.salesforce.com/compliance.

Since No Duplicates adds no external infrastructure, your compliance posture with Salesforce applies unchanged to the app. There is no additional vendor to audit.

Encryption

In transit: All data in transit is encrypted via TLS — this is enforced by the Salesforce platform for all communications.

At rest: Salesforce encrypts data at rest by default across all orgs. No Duplicates does not bypass or alter this encryption.

Salesforce Shield (Platform Encryption): No Duplicates supports Salesforce Shield with Deterministic Encryption. Encrypted fields work with Exact and Ignore Case matching types. Probabilistic Encryption is not supported because it does not allow server-side filtering or comparison — this is a Salesforce platform limitation, not an app limitation.
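The difference between the two schemes, as an added example (not code from No Duplicates or Salesforce): a toy cipher built from Python's standard library, run over a constructed email column, showing why equality matching works on deterministic ciphertexts and finds nothing on probabilistic ones. All names are hypothetical, the cipher is not Shield's actual scheme, and lowercasing before encryption is an assumption used here to model Ignore Case matching.

```python
import hashlib, hmac, os

KEY = b"constructed-demo-key"  # constructed value, not a real secret
SAMPLE = ["ana@example.com", "Ana@Example.com",
          "bob@example.com", "ana@example.com"]  # constructed records

def _subkey(key, label):
    # Separate keys for IV derivation and encryption
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(key, iv, n):
    out, counter = b"", 0
    while len(out) < n:
        out += hmac.new(key, iv + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]

def encrypt(key, plaintext, deterministic):
    data = plaintext.encode()
    if deterministic:
        # IV derived from the plaintext: equal inputs give equal ciphertexts
        iv = hmac.new(_subkey(key, b"iv"), data, hashlib.sha256).digest()[:16]
    else:
        # Fresh random IV: equal inputs give unrelated ciphertexts
        iv = os.urandom(16)
    ks = _keystream(_subkey(key, b"enc"), iv, len(data))
    return iv + bytes(a ^ b for a, b in zip(data, ks))

def decrypt(key, blob):
    iv, body = blob[:16], blob[16:]
    ks = _keystream(_subkey(key, b"enc"), iv, len(body))
    return bytes(a ^ b for a, b in zip(body, ks)).decode()

def encrypt_column(values, deterministic, ignore_case=False):
    # Assumption: Ignore Case is modelled by normalising before encryption
    return [encrypt(KEY, v.lower() if ignore_case else v, deterministic) for v in values]

def duplicate_groups(ciphertexts):
    # Matching sees ciphertext bytes only, never the plaintext
    groups = {}
    for i, ct in enumerate(ciphertexts):
        groups.setdefault(ct, []).append(i)
    return sorted(g for g in groups.values() if len(g) > 1)

if __name__ == "__main__":
    print("deterministic, exact:      ", duplicate_groups(encrypt_column(SAMPLE, True)))
    print("deterministic, ignore case:", duplicate_groups(encrypt_column(SAMPLE, True, True)))
    print("probabilistic:             ", duplicate_groups(encrypt_column(SAMPLE, False)))
```

The property that makes matching possible is also the trade-off: anyone who can read deterministic ciphertexts can tell which records hold equal values without holding the key.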

Access Control

No Duplicates respects the standard Salesforce security model:

  • Permission sets: Two levels — Admin (full access) and Read Only User (view-only)
  • Profiles and Roles: The app respects your existing Salesforce profile and role hierarchy
  • Field-Level Security (FLS): Users can only see and process fields their profile allows
  • Organization-Wide Defaults (OWD): Sharing rules are respected
  • No backdoor access: The vendor has zero access to your org data

For troubleshooting, you can temporarily grant login access via Salesforce's standard Grant Login Access feature. This access is time-limited and revocable at any time.

Audit Trail

No Duplicates provides built-in tracking of all merge operations:

  • Merged Duplicates reports — every merge is recorded with before and after field values, so you can see exactly what changed and which record was kept as master
  • Field History Tracking — if you have Field History Tracking enabled on your objects, changes to the master record's fields during merge are tracked through Salesforce's standard mechanism

GDPR & Data Privacy

No Duplicates does not introduce additional data processing outside of Salesforce:

  • No external sub-processors — the app has no external dependencies or third-party services
  • No data leaves your org — all processing happens inside Salesforce
  • Data subject rights — access, rectification, and erasure requests are handled through standard Salesforce mechanisms
  • Data Processing Agreement — your existing DPA with Salesforce covers all data processed by No Duplicates, since the app runs entirely on the Salesforce platform

For our website privacy policy, see Privacy Policy.

Business Continuity

No Duplicates relies entirely on the Salesforce platform for availability and disaster recovery:

  • Salesforce uptime: 99.9%+ availability (trust.salesforce.com)
  • Backup and recovery: Handled by Salesforce's enterprise-grade infrastructure
  • App updates: Managed package updates are delivered through AppExchange and do not require downtime

AppExchange Security Review

No Duplicates has passed the Salesforce AppExchange Security Review — a mandatory review that includes:

  • Automated code scanning for vulnerabilities (SOQL injection, XSS, CRUD/FLS violations)
  • Manual security assessment by Salesforce security team
  • Compliance with Salesforce security best practices
  • Ongoing review requirements for major updates

Questions?

If you have security questions not covered here, or need to share a security questionnaire, contact us at no-duplicates.com/contact.


Last updated: February 2026