Certinia Product Security

Powered by the Salesforce platform

Because Certinia applications are 100% Salesforce-native, all data processed by Certinia applications resides on the Salesforce cloud platform. Certinia applications therefore benefit from the shared security responsibilities model whereby Salesforce is in charge of protecting the hardware, networks and infrastructure, and we secure our applications which sit on top of the Salesforce platform.

Visit the Salesforce Security page for more information.

Product Security Measures

Certinia’s software development lifecycle incorporates a range of security measures, including:

• Penetration testing (internal and external)
• Code reviews designed to ensure adherence to Certinia development standards.
• Manual software security testing.
• Code scanning to identify and address security vulnerabilities, leveraging commercial, open source and custom tooling.
• Release reviews and approvals designed to ensure product releases comply with internal process requirements.
• Vulnerability testing and remediation, system hardening and monitoring of internal infrastructure supporting our source code management platform.
• Development and changes to production-ready applications are authorized, tested, approved and documented.

Salesforce AppExchange Security Review

Certinia applications are submitted to Salesforce as part of the AppExchange Security Review process. Salesforce provides the AppExchange Security Review program to assess the security posture of ISV applications published on the AppExchange against industry best practices for security.

During ISV Security Reviews, for OWASP top ten vulnerabilities and Salesforce-specific weaknesses and vulnerabilities are tested by means of automated tools and manual code inspection.

Application Controls

Certinia Financial Management applications include rigorous controls designed to ensure we keep our customer’s data secure.

These application controls include:

• Comprehensive audit trails for transactions, master data modifications and security setup changes.
• Multi-level approval processes for transactions and master file data changes.
• Segregation of duties.
• Granular control of company, object, record and field level access by role. With major products, role-based access controls are delivered out of the box and are fully customizable.
• Financial transactions are validated prior to posting and are not subsequently modified without a clear audit trail.

Additional Product Security Resources

Trust and Compliance Documentation