Facing an ever-increasing complexity of compliance? Our global clients operate in diverse regulated industries and conduct commerce across many jurisdictions. They need solutions that govern regulated, proprietary and confidential data throughout their SFDC environment and as that data is exported and preserved outside of Salesforce. We provide solutions to enable you to be compliant without complexity. Be Expert, govern your Salesforce data with CS:Govern.
Solve complex Salesforce data governance for global regulatory compliance, legal mitigation, and proprietary data protection.
Governments, trade organizations, and legal courts all around the world are planning, implementing and enforcing data regulations more vigorously than ever. For Salesforce users this creates a complex and important set of priorities to govern data in order to comply with regulatory standards, internal legal policies, and to protect your company’s most valuable brand and data assets. CapStorm leads the industry in data governance for regulatory compliance, protection of proprietary data and preservation of confidential information throughout the Salesforce environment and data lifecycle.
Choose CapStorm. Be Expert at Salesforce Data Governance.
Salesforce Data masking, obfuscation & encryption
Complement Salesforce Shield with solutions for multifaceted compliance standards.
Simultaneous standards for Global Compliance
Create, apply, manage and audit high-frequency, multi-dimensional regulatory standards simultaneously for data interactions in Salesforce.
Manage Litigation & Legal Risk
Implement legal standards for data governance for regulated, proprietary and confidential data.
Encrypt, Audit, Archive & Tamper Evident
Compliance requires more than just control of field level data. Apply compliance rules to metadata, custom objects, and history to ensure fully auditable compliance.
Enable your organization with comprehensive data governance and regulatory compliance capabilities using CS:Govern, an expert solution for data encryption, litigation data management, regulatory archives and risk mitigation.
- CS:Govern Overview
- Legal and GRC Capabilities
- Regulatory Archives & Repositories
- Supported Compliance Standards
CS:Govern complements Salesforce Shield with end-to-end, user-aware classification capabilities for data and metadata treatments using masking, obfuscation and secure encryption for data in-app and at-rest.
Integrate GRC with Legal Risk Mitigation
Governance, risk and compliance (“GRC”) has always been difficult to implement because of complex legal parameters, business rules and technical constraints. CS:Govern enables you to manage data governance in the context of users, field data, metadata and history to protect against legal and governmental penalties. This includes data used in-app, across geographic jurisdictions, integrated across your enterprise data strategy and while that data is at-rest for archives, backups and disaster recovery.
Govern Data in Salesforce and Archives
Salesforce Shield provides a first line of defense for data governance and use by authorized users. CS:Govern goes beyond by enabling the use of multiple simultaneous regulatory templates applied in-app to production, sandbox and scratch orgs. Data transiting in or out of Salesforce can also be governed to preserve chain-of-custody and user-centric compliance via tamper-evident encrypted compliant archives for retention and disaster recovery purposes.
Apply Best Practices for Data Encryption and Obfuscation
Governance requires user controls and intricate data protection. CS:Govern enables business rules to control field level data handling in Salesforce and for data extracts. Create custom field obfuscation in-app and enable field-level encryption during data exports. The result enables Salesforce Administrators, Data Architects and Legal Teams to establish full-fidelity, high-frequency auditable workflows, processes and business rules that govern data in the context of users, databases, and regulatory standards.
Complement Legal Strategies with high-fidelity auditability
Legal defense of regulatory compliance requires both data and context. CS:Govern gives your legal team the ability to create high-fidelity data archives that include full metadata to establish chain-of-custody, data utilization, field history and context within the regulated standard. This method enables simultaneous archive repositories that mask proprietary data, comply with retention policies and assure the data is tamper-evident.
Manage data governance for regulatory, legal and proprietary data with full auditability.
As a powerful asset for Legal, IT Operations and Salesforce Administrators, CS:Govern enables users to build, apply, and create unlimited compliance rule sets for all regulated, proprietary, and confidential data governance standards.
Data Governance for Salesforce Administration
Addressing data governance in Salesforce begins with Salesforce Shield. However, for most enterprises, governing how users access data fails to address the regulatory standard requirements on where data resides, how it is aggregated for each consumer, and audit trail specifics, all needed to defend or assert compliance within various jurisdictions. CS:Govern enables your business and legal team to define governance, risk and compliance (“GRC”) standards that are easily implemented in Salesforce to govern data use, preserve auditability and retain data in full compliance with governmental, legal or proprietary standards.
Legal Data Governance for Salesforce Enterprises
Embedding legal strategies into data governance capabilities enables your enterprise to avoid regulatory risk, defend against legal claims, and preserve the integrity of internal proprietary data assets. As Salesforce drives billions of consumer interactions each day, implementing strong data governance practices as part of the daily commerce flow brings legal protections and defenses to the front-line without impeding users, transactions, or data at-rest. CS:Govern allows for a stronger legal stance surrounding global compliance requirements.
Data Encryption, Obfuscation and At-Rest Protection
By implementing multidimensional rule sets and managing data discretely based on legal and jurisdictional definitions, CS:Govern enables the movement of data seamlessly and securely into archives and repositories, preserving full data fidelity and auditability. CS:Govern complements industry best practices for data encryption, key management, tamper-evident archives, and infrastructure security policies.
Archive, Case Litigation, and Multi-Jurisdiction Data Governance
If your enterprise data governance approach involves encrypting all data in a secure repository, you have data practices that expose your enterprise to legal risk. CS:Govern improves your data governance posture by using Salesforce as a vehicle to satisfy regulatory technical requirements, while enabling a legal posture that avoids improper disclosures, fines, or penalties. CS:Govern allows you to create highly granular containers of regulated data by compliance standard, legal jurisdiction, and even case-specific litigation repositories to strengthen legal defense and mitigate risk.
Achieve comprehensive data governance throughout the Salesforce data lifecycle: import, export, retain, then retrieve for full compliance.
CS:Govern empowers the management of Salesforce data as it enters Salesforce, is created in Salesforce, and even after leaving Salesforce via tamper-evident regulation-specific repositories. These repositories can create archives by region, data type, time and even specific case, ultimately giving control over your entire GRC footprint.
Apply Multiple Regulatory Standards Simultaneously
Data governance follows the same journey as the consumers, products and supply chains. It moves quickly and changes jurisdictions throughout the complex interactions with consumers as commerce moves globally. CS:Govern provides you with a non-technical solution for creating and applying the precise business rules that control data use, visibility and access regardless of where your data resides, consumers transact and supply chains move. Multifaceted and simultaneous regulatory standards can coexist across the globe and around the clock.
Segment Archives by Regulatory Standards
Consolidate data from two or more Salesforce instances within a single database. Compare metadata from multiple Production Orgs. Use multi-column record matching rules to ensure that no records are duplicated within the new Production instance. Record mapping rules simplify tasks such as transitioning users from one instance to another.
Create Litigation Specific Retention Archives
CapStorm enhances Salesforce Sandbox and Scratch Org capabilities by providing automation to create and populate temporary or persistent development Orgs with both metadata and data. With CapStorm you can automate:
– Creation of Dev Orgs (sandboxes or scratch orgs) based on Prod configurations
– Import metadata into Scratch Orgs, making the structure of the Scratch Org mirror test or production environments.
– Import test data or obfuscated production data into Scratch Orgs, turning the Org into a useful environment for testing or development.
Segment Governance Rules by Data Classification Standards
Finding and replacing specific data within Salesforce may seem simple, but it is a daunting task when you consider all of the locations in which a single item may be located. Consider an email address: a single address may be found within a contact record, multiple case comments, history tables, email messages, chatter threads, converted lead, etc. If you deal with regulated data, CS:Search can help improve data quality and reduce risks during migrations, merges and splits.
CS:Govern enables your enterprise to comply with global, local and internal compliance requirements.
The list of global regulatory standards seems to grow each day. CapStorm serves clients in 48+ countries. Most of the clients have multiple overlapping government and legal standards that influence how their SFDC data should be governed. We support many of these standards and enable you to define custom standards of your own to apply a single or multiple standards simultaneously. It gets complex. We make you Expert.
Note: the lists below are a partial set of compliance standards CS:Govern supports.
USA Industry Specific Regulations
Healthcare – HIPAA
Healthcare – HITRUST
Financial Services & Banking – Sarbanes-Oxley
Financial Services & Banking – FINRA
Financial Services & Banking – PCI
Consumer Goods – GDPR
US State based Standards
California – California Consumer Privacy Act of 2018 (amended 2020), but set to change to the California Privacy Rights Act of 2020 (CPRA), which amends items related to children’s data and new consumer rights. CPRA will not go into effect until January 1 2023 and will only apply to personal data collected from January 1 2022 on. Enforced by the California Attorney General. Applies to businesses that satisfy one or more of the following:
– Annual gross revenue in excess of $25 million.
– Alone or in combination, annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices.
– Derives 50 percent or more of its annual revenues from selling consumers’ personal information.
Virginia – Virginia Consumer Data Protection Act (CDPA) signed on March 2 2021 and enforced by the Virginia Attorney General. CDPA applies to businesses that (i) during a calendar year, control or process personal data of at least 100,000 consumers or (ii) control or process personal data of at least 25,000 consumers and derive over 50 percent of gross revenue from the sale of personal data.
Colorado – Colorado Privacy Act passed on June 8 2021 and will be enforced by the Colorado Attorney General. More to come.
Austria – Data Protection Act (DSG) last amended in 2019 alongside the General Data Protection Regulation (GDPR) and is enforced by the Austrian Data Protection Authority (DSB). Active enforcement – recently fined Austrian postal service €18 million for violating the GDPR.
Belgium – implemented GDPR in 2018 with exceptions on scientific and historical research data. Enforced by the Belgian Data Protection Authority (DPA).
Bulgaria – implemented GDPR in 2019 on top of the Protection of Personal Data Act of 2002 and is enforced by the Commission for Personal Data Protection (CPDP).
Croatia – implemented GDPR in 2018 and enforced by the Personal Data Protection Agency (AZOP). Exceptions include the processing of data in relation to life insurance and biometric data in the private sector.
Cyprus – Law of 2018 Providing for the Protection of Natural Persons with regard to the Processing of Personal Data and for the Free Movement of Such Data (“the Law”) alongside GDPR and is enforced by the Office of the Commissioner for Personal Data Protection (“The Commissioner”).
Denmark – Act on Supplementary Provisions to the Regulation on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data (“the Act”) alongside the GDPR. Enforced by an independent Danish Data Protection Agency (Datatilsynet).
Finland – The Data Protection Act was replaced by the GDPR in 2019 and is enforced by the Office of the Data Protection Ombudsman (the Ombudsman).
France – Act on Data Processing, Data Files, and Individual Liberties (‘the Act’) which was amended to incorporate the GDPR in June 2018 and enforced by the French Data Protection Authority (CNIL).
Hungary – Act CXII of 2011 on the Right to Informational Self-determination and on the Freedom of Information (“the Act”) and amended in 2018 to implement the GDPR. Enforced by the National Authority for Data Protection and Freedom of Information (NAIH).
Ireland – Data Protection Act of 2018 (“the Act”) alongside the GDPR and enforced by the Data Protection Commission (DPC). Provisions surrounding children’s data protection have been included.
Italy – Personal Data Protection Code with provisions to include the GDPR and enforced by the Italian Data Protection Authority (Garante).
Lithuania – Implemented the GDPR in 2018 as a complement to “the Law” and is enforced by the State Data Protection Inspectorate (VDAI).
Netherlands – Implemented the GDPR in 2018 and is enforced by the Dutch Data Protection Authority (AP). Exceptions include data for journalistic, academic, artistic or literary expression.
Norway – Implemented the GDPR in 2018 as a complement to the Law on the Processing of Personal Data and enforced by the Norwegian Data Protection Authority (Datatilsynet).
Poland – Implemented the GDPR in 2018 as a complement to the Act on the Protection of Personal Data (“the Act”) which is enforced by the Polish Data Protection Authority (UODO).
Serbia – Law on Protection of Personal Data (“the Law”) and enforced by The Poverenik.
Spain – Organic Law on the Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD) implemented the GDPR in 2018 and is enforced by the Spanish Data Protection Authority (AEPD).
Sweden – Implemented GDPR in 2018 when the former Data Protection Act of 1998 was repealed. Enforced by The Swedish Authority for Privacy Protection (IMY).
Switzerland – Federal Act on Data Protection (FADP) and enforced by the Federal Data Protection and Information Commissioner (FDPIC) – aligns with the GDPR.
Turkey – Law on Protection of Personal Data (“the Law”) and enforced by the Personal Data Protection Authority (KVKK).
UK – Data Protection Act of 2018 (“the Act”) aligns with the GDPR and is labeled “UK GDPR”. Enforced by The Information Commissioner’s Office (ICO).
New Zealand – the Privacy Act of 2020 and enforced by the Office of the Privacy Commissioner (OPC).
Australia – Privacy Act of 1988 and enforced by The Office of the Australian Information Commissioner.
China – Personal Information Protection Law (PIPL) currently in draft.
India – Personal Data Protection Bill (2019) has been introduced to Indian Parliament and is currently in draft.
Japan – The Act on the Protection of Personal Information (APPI) – last amended in 2018 and enforced by The Personal Information Protection Commission (PPC).
Philippines – The Data Privacy Act of 2012 (“the Act”) and enforced by The National Privacy Commission (NPC).
Singapore – Personal Data Protection Act of 2012 (PDPA) and enforced by the Personal Data Protection Commission (PDPC). Also note the Cybersecurity Act of 2018.
South Korea – Personal Information Protection Act of 2011 (amended in 2020) (PIPA) and enforced by the Personal Information Protection Commission.
Thailand – Personal Data Protection Act of 2019 (PDPA) and enforced by the Personal Data Protection Committee (PDPC). Went into full effect on May 27 2021 (postponed from 2020 because of the pandemic).
Canada – The Personal Information Protection and Electronic Documents Act of 2000 (PIPEDA) and enforced by the Office of the Privacy Commissioner of Canada (OPC).
Latin America standards
Brazil – General Personal Data Protection Law (LGPD) was amended in 2019 and is enforced by the Brazilian Data Protection Authority (ANPD).
Colombia – Statutory Law of 2012 which governs provisions for the Protection of Personal Data (“the Data Protection Law”) and is enforced by the Colombian Data Protection Authority (SIC).
Mexico – Federal Law on Protection of Personal Data Held by Private Parties (FLPPDPP) and enforced by the National Institute for Access to Information and Protection of Personal Data (INAI).
Uruguay – Law on the Protection of Personal Data and the Habeas Data Action of 2008 and enforced by The Uruguayan Data Protection Authority (URCDP).