Cloud apps you can trust

Security Overview


FinancialForce applications were designed from the ground up using core information security principles:

  • Confidentiality: Prevent the disclosure of information to unauthorized individuals or systems.
  • Integrity: Maintain and assure the accuracy and consistency of data over its entire lifecycle.
  • Availability: Ensure the information is available when needed.

FinancialForce is committed to achieving and maintaining these principles and the trust of our customers. Integral to this is providing a robust security and privacy program that carefully considers security and data protection across our services, including data submitted by customers to our services (“customer data”). Over 1000 customers in 34 countries trust FinancialForce applications. Our customers are in a wide range of verticals, some with stringent security requirements, including financial services, healthcare, technology, energy and government.

Security at FinancialForce

FinancialForce has a dedicated Security and Trust function that coordinates security policy, program and verification efforts, to ensure that customer and company information assets are protected in accordance with industry best practices. Our Information Security Program includes identifying, evaluating and reporting on security risks, compliance with security and privacy regulations and commitments, threat and vulnerability management, and security incident management and response.

Our Commitment to Security

At FinancialForce, we understand that security, availability and application processing integrity are critical for our customers. FinancialForce is dedicated to providing industry-leading security for our customers’ data assets through our Security and Trust program.

  • People: Everyone at FinancialForce, from the research and development staff to the executive team, is committed to security excellence. FinancialForce has a cross-functional team of experts focused on security, privacy and compliance aspects. All employees receive regular information security awareness training that covers key security threats and risks and employee obligations to protect the security, confidentiality and privacy of customer and company data.
  • Processes: Security of our customer data is the prime concern of all key FinancialForce business processes, including development, support, operations, consulting, and monitoring processes.
  • Technology: We leverage industry-leading and proven secure platforms for our products and services. Each component of our technology infrastructure undergoes intensive scrutiny by multiple teams of security professionals.
  • Customers: We consider our customers, partners, developers and internal users that interact with our systems to be within our security scope. Our security program is designed both to provide them a high degree of security assurance and to protect ourselves from threats they might present.

Salesforce ISV Partner

Built on the Salesforce Platform

To support our security principles, FinancialForce applications were developed on, an industry-leading and mature platform for cloud applications provided by Salesforce. FinancialForce applications listed on AppExchange go through a qualitative and quantitative security review process with Salesforce to ensure applications meet a set of security standards and best practices. By leveraging an industry-leading cloud platform for business applications, FinancialForce applications and our customers’ data benefit from a variety of security features and controls in such areas as user management, access control, disaster recovery, backups, physical and network security. As a result, FinancialForce applications satisfy our customers’ most stringent data security requirements, and comply with major security, privacy and data protection laws and standards globally.

Certifications and Attestations Applications

SSAE 16 SOC 1 Type II Report

As part of our commitment to trust and security, FinancialForce has invested in a Service Organization Control 1 (SOC 1) Type II report prepared by the global accounting firm Ernst & Young LLP. The report is prepared in accordance with Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization. The purpose of the report is to provide our customers assurance that the FinancialForce Description of Services is fairly presented in all material respects, that controls put in place by FinancialForce are suitably designed to meet their control objectives, and that those controls were tested and operated effectively during the audit period. Ernst & Young LLP created an Independent Service Auditors’ Report after testing and evaluating FinancialForce applications against the following objectives:

  • Control Environment
  • Risk Assessment
  • Monitoring
  • Information and Communication
  • IT General Controls
  • Change Management
  • Development and Testing
  • Information Security Aspects
  • Incident Management
  • Sub-Service Organizations
  • Disaster Recovery and Business Continuity

The SOC 1 report provides FinancialForce customers with the additional assurance that our applications are developed and delivered in accordance with transparent standards to ensure high-quality and secure products are deployed to our customers’ environments.

Salesforce Certifications

Because FinancialForce applications are developed and run natively on the platform, we benefit from the security controls designed and implemented by Salesforce. Salesforce undergoes comprehensive privacy and security assessments by, and has achieved certifications from, multiple auditors and certifying bodies. These include the following security- and privacy-related audits and certifications:

Geographical Recognition
  • EU / EEA Binding Corporate Rules for Processors
  • EU / EEA and Switzerland Safe Harbor self-certification through the U.S. Department of Commerce
  • TRUSTe Certified Privacy Seal

Global Audit Compliance
  • ISO 27001
  • SSAE 16/ISAE 3402 SOC-1
  • SOC 2
  • SOC 3
  • FedRAMP
  • TÜV Rheinland Certified Cloud Service

A current list of security and privacy assessments and certifications of the Salesforce platform can be found at

Security Controls

Product Security

Product Security Measures

FinancialForce’s software development lifecycle incorporates a range of security measures, including:

  • Code reviews designed to ensure adherence to FinancialForce development standards.
  • Software security testing and code scanning to identify and address security vulnerabilities.
  • Release reviews and approvals designed to ensure product releases comply with internal process requirements.
  • Vulnerability testing and remediation for infrastructure and tools supporting our source code management platform.
  • Development and changes to production application systems are authorized, tested, approved and documented.

Salesforce AppExchange Security Review

FinancialForce applications are submitted to Salesforce as part of the AppExchange Security Review process. Salesforce provides the AppExchange Security Review program to assess the security posture of ISV applications published on the AppExchange against industry best practices for security.

Application Controls

FinancialForce provides rigorous application controls that ensure your financial transactions have been correctly validated and reviewed prior to posting, have comprehensive audit trails and cannot subsequently be modified via “back door” manipulation of object data.

These application controls include:

  • Comprehensive audit trails for transactions, master data modifications and security setup changes.
  • Multi-level approval processes for transactions and master file data changes.
  • Segregation of duties.
  • Highly granular control of company, object, record and field level access by role.

Disaster Recovery

Because FinancialForce applications are 100%, all data processed by FinancialForce applications resides on the Salesforce cloud platform owned, operated and managed by Salesforce.

Change Management

FinancialForce follows fully documented change management procedures for all aspects of its software lifecycle, including application development, release management, service management and enhancement.

Incident Management

FinancialForce follows fully documented change management procedures for all aspects of its software lifecycle, including application development, release management, service management and enhancement.

Data Encryption

FinancialForce relies on Salesforce platform capabilities for encryption of data in transit. Salesforce uses industry-accepted encryption products to protect customer data and communications during transmissions between a customer's network and the FinancialForce applications, including 128-bit TLS Certificates and 2048-bit RSA public keys at a minimum. Additionally, customer data is encrypted during transmission between data centers for replication purposes.

Additional Security Resources

Security Whitepaper

Download the Security Whitepaper

Security Contacts

If you believe you have discovered a vulnerability in FinancialForce applications or have a security-related question, please contact

If you have questions or complaints regarding’s Privacy Statement or associated practices, please contact us at