When it comes to safeguarding sensitive data in Salesforce, many organizations take comfort in Salesforce’s Trust Certificates. These certificates confirm that platform-level security controls are in place — but they don’t answer the tougher questions auditors ask, like where customer data resides, when it was deleted, who accessed it — and why.
Configuring Salesforce security features is one thing; proving ongoing compliance to regulators is another. Plus, as data protection regulations like GDPR, CCPA, and HIPAA multiply — and enforcement becomes more aggressive — businesses need more than checkboxes and trust statements. They need a verifiable audit trail that shows, with evidence, how their Salesforce org manages data.
We’ll break down why Salesforce’s platform compliance certificates aren’t enough to satisfy auditors, the kinds of documentation regulators expect to see, and how to move from reactive, last-minute compliance efforts to proactive, automated assurance. You’ll learn about Salesforce Shield, and how Gearset helps transform compliance from a manual, stressful process into a systematic, reliable part of your DevOps pipeline.
Why platform compliance doesn’t equal organizational compliance
Yes, Salesforce can be configured to meet GDPR standards, but your organization must prove that it consistently enforces these standards. This means not just having the platform in a “GDPR-capable” state, but actively generating deletion certificates within 30 days of a Data Subject Request, maintaining accurate consent timestamps for every customer interaction, and showing that EU resident data is housed in EU-based instances.
The absence of a solid audit trail becomes a significant issue when a regulator, customer, or internal stakeholder asks for evidence, like “Show me proof that a customer’s data was deleted from all systems, including backups.” Your Salesforce Trust Certificate only confirms that the platform can facilitate these actions; it doesn’t demonstrate your organization’s implementation of them.
For every regulation — whether it’s GDPR, CCPA, LGPD, or PIPEDA — there are specific artifacts you must generate to prove compliance. These include deletion confirmations with timestamps, consent audit trails, encryption certificates, and regional data storage verification.
Also, global organizations face an additional layer of complexity. You must meet the highest standard among the regulations you’re subject to. For example, even if your primary business operates under CCPA’s 45-day timeline for Data Subject Requests, you’re still bound by GDPR’s 30-day deadline if you handle data from EU residents. This “highest common denominator” requirement adds pressure to ensure compliance across multiple jurisdictions simultaneously.
What is Salesforce Shield?
Salesforce Shield is a suite of native security and compliance features designed to help organizations meet rigorous data protection and audit requirements. As a paid add-on, it extends Salesforce’s native security controls with three key features:
Event Monitoring: Tracks detailed user activity — such as logins, API calls, and report exports — giving you visibility into who accessed what data and when. Logs are retained for 30 days by default, but this can be extended for up to a year, making them essential for compliance audits and incident investigations.
Field Audit Trail: Extends the standard field history tracking limits, allowing you to retain historical data changes for up to 10 years. This ensures you can prove when and how sensitive data was modified — a critical requirement for frameworks like SOX and GDPR.
Platform Encryption: Provides encryption-at-rest for sensitive data, protecting it from unauthorized access even if the database is compromised. Admins can manage encryption keys and apply encryption selectively across fields, ensuring both security and system performance.
Together, these features form the bulk of Salesforce’s enterprise-grade security and compliance model. In the sections that follow, you’ll see how Shield supports each layer of your security framework — from organization-level monitoring to data encryption.
Building your four-layer security model
Achieving Salesforce data compliance requires a layered approach to security and monitoring, including the Shield features mentioned above. At each layer, you’ll need specific tools and documentation to demonstrate compliance with various regulatory frameworks like SOX, GDPR, and HIPAA.
Here’s how to build a four-layer security model that can withstand scrutiny during audits.
1. Organization-level security: Access logs and session monitoring
Your organization’s access logs and session monitoring are crucial for proving compliance with regulations like SOX, which requires comprehensive change management and audit trails.
Salesforce’s Setup Audit Trail only records configuration and metadata changes, such as updates to profiles, permissions, or automation. It does not capture user access or session activity; for that you’ll need Shield’s Event Monitoring.
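As an added illustration (not Gearset’s or Salesforce’s code), the Python script below turns Event Monitoring output into the kind of per-user access trail an auditor asks for. Event Log Files are delivered as CSV; the sample here is constructed with a reduced column set (EVENT_TYPE, TIMESTAMP_DERIVED, USER_ID_DERIVED, CLIENT_IP, URI) and made-up IDs and addresses, and the business-hours window and the “IP never seen at login” rule are illustrative review policies, not Salesforce features.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample of Event Log File rows (reduced column set; real files
# carry many more columns). IDs and IP addresses are made up.
SAMPLE_ELF = """EVENT_TYPE,TIMESTAMP_DERIVED,USER_ID_DERIVED,CLIENT_IP,URI
Login,2024-03-01T08:02:11.000Z,005000000000001AAA,203.0.113.10,/
ReportExport,2024-03-01T08:15:42.000Z,005000000000001AAA,203.0.113.10,/00O000000000001
API,2024-03-01T08:20:05.000Z,005000000000002AAA,198.51.100.7,/services/data/v59.0/query
ReportExport,2024-03-01T23:40:19.000Z,005000000000001AAA,192.0.2.55,/00O000000000002
Login,2024-03-02T09:00:00.000Z,005000000000002AAA,198.51.100.7,/
"""


def parse_elf(text):
    """Read the CSV and attach a parsed timestamp to each row."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["ts"] = datetime.strptime(row["TIMESTAMP_DERIVED"], "%Y-%m-%dT%H:%M:%S.%fZ")
    return rows


def access_trail(rows):
    """Per-user chronological trail: (timestamp, event type, URI, client IP).

    This answers the auditor's 'who accessed what, and when' question directly.
    """
    trail = defaultdict(list)
    for row in sorted(rows, key=lambda r: r["ts"]):
        trail[row["USER_ID_DERIVED"]].append(
            (row["ts"].isoformat(), row["EVENT_TYPE"], row["URI"], row["CLIENT_IP"])
        )
    return dict(trail)


def flag_exports(rows, business_hours=(7, 19)):
    """Report exports outside business hours (UTC) or from an IP never used to log in.

    Both thresholds are illustrative review policies, not Salesforce settings.
    """
    login_ips = defaultdict(set)
    for row in rows:
        if row["EVENT_TYPE"] == "Login":
            login_ips[row["USER_ID_DERIVED"]].add(row["CLIENT_IP"])
    findings = []
    for row in rows:
        if row["EVENT_TYPE"] != "ReportExport":
            continue
        reasons = []
        if not business_hours[0] <= row["ts"].hour < business_hours[1]:
            reasons.append("outside business hours")
        if row["CLIENT_IP"] not in login_ips[row["USER_ID_DERIVED"]]:
            reasons.append("IP never used for login")
        if reasons:
            findings.append((row["USER_ID_DERIVED"], row["URI"], row["ts"].isoformat(), reasons))
    return findings


if __name__ == "__main__":
    parsed = parse_elf(SAMPLE_ELF)
    for user, events in access_trail(parsed).items():
        print(user)
        for event in events:
            print("   ", *event)
    for finding in flag_exports(parsed):
        print("REVIEW:", finding)
```

The trail is the evidence artifact; the flagging function shows why retaining these logs beyond the 30-day default matters, since the review question usually arrives long after the export happened.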
2. Object and field-level controls: PII protection maps
At the next layer, object and field-level controls are essential for protecting Personally Identifiable Information (PII). These controls dictate which roles can access sensitive customer data. Note, though, that native Salesforce reporting has row limits and complexity constraints that make it difficult to produce a complete picture of who can access what.
To address this, lots of organizations end up manually documenting field-level permissions and mapping out access based on role assignments. This is important for compliance, but can be labor-intensive and prone to human error, particularly when you need to demonstrate the complete lineage of access rights across multiple profiles and permission sets.
3. Record-level sharing rules: Enforcing least-privilege access
Within a Salesforce org, record-level sharing rules help enforce the principle of least privilege — ensuring that users only have access to the data they need. This segregation of data supports compliance requirements such as GDPR and HIPAA by protecting sensitive records and reducing the risk of unauthorized access within the tenant.
Proving historical access patterns and data changes in Salesforce requires different tools. The Field Audit Trail preserves historical field value changes, providing long-term field-level history retention — but it does not record who viewed or accessed records.
4. Shield Platform Encryption: Encryption-at-rest controls
Salesforce’s Shield Platform Encryption ensures that your data is encrypted at rest, which is vital for meeting privacy regulations such as GDPR and HIPAA. Encryption-at-rest keys form the foundation of Salesforce’s data protection model, helping organizations demonstrate compliance with standards that mandate the safeguarding of stored data.
It’s important to understand that encryption can impact certain Salesforce functions, including report filters, lookup relationships, and workflow rules that rely on encrypted fields.
While encryption adds complexity to day-to-day operations, its compliance and security benefits are undeniable. The key is to configure encryption in a way that maintains business continuity and visibility, while ensuring data remains secure and compliant.
Building your evidence pipeline
Automating the right to be forgotten across your entire data estate
The right to be forgotten — also known as the right to erasure under GDPR — allows individuals to request the deletion of their personal data. But fulfilling this requirement manually is an incredibly time-consuming task. Manual deletion using Data Loader takes hours for each request, as you must identify records across objects, verify relationships, document deletions, and purge backups. Salesforce’s Privacy Center can automate some of this, but it requires object-by-object configuration and doesn’t handle custom objects or PII mapping easily.
Gearset’s backup workflow supports bulk deletion of personal data from historical backups with full audit logging, allowing you to process large requests in repeatable batches and prove what was removed and when — without re-introducing data through restores.
There are a couple more things to consider here:
The Recycle Bin: Salesforce’s Recycle Bin only retains records for 15 days — or 30 days if you have Extended Recycle Bin Retention enabled — and when records are deleted, metadata relationships are destroyed. This makes it nearly impossible to reconstruct deleted data after this period, which is a major issue when trying to comply with long-term data retention requirements. For example, if an audit or legal investigation surfaces after two weeks, your ability to provide a full trail of deleted data is severely limited.
Encryption and consent management: Shield Platform Encryption protects data at rest, but it can affect filters, searches, and matching logic used by consent processes. If your consent flows (Consent API, Contact Point records) rely on identifiers like email or phone, plan for deterministic encryption or alternate keys so lookups still work. The key is designing your identifier strategy so security and privacy processes both function.
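To make the lookup problem concrete, here is an added Python example (not Salesforce’s or Gearset’s code, and not the algorithm Shield uses) that models the three identifier strategies the paragraph above mentions: probabilistic encryption, deterministic encryption, and an alternate key. The cipher is a toy HMAC-SHA256 counter-mode stream with a SIV-style derived nonce standing in for real encryption, the keys and record IDs are constructed, and the “blind index” name for the alternate key is this example’s own term.

```python
import hashlib
import hmac
import os

# Constructed keys for the demo only; a real system keeps these in a key service.
ENC_KEY = hashlib.sha256(b"demo-encryption-key").digest()
IDX_KEY = hashlib.sha256(b"demo-index-key").digest()
NONCE_LEN = 16


def _keystream(key, nonce, length):
    """Expand (key, nonce) into `length` bytes with HMAC-SHA256 in counter mode (toy cipher)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _encrypt(plaintext, nonce):
    ks = _keystream(ENC_KEY, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))


def encrypt_probabilistic(value):
    """Fresh random nonce per call: the same input yields a different ciphertext every time."""
    return _encrypt(value.encode(), os.urandom(NONCE_LEN))


def encrypt_deterministic(value):
    """Nonce derived from the plaintext (SIV-style): the same input always yields the same bytes.

    That is what makes equality filters work, and also what lets anyone who can see
    the column tell which records share a value. Real SIV modes use a separate MAC key.
    """
    nonce = hmac.new(ENC_KEY, value.encode(), hashlib.sha256).digest()[:NONCE_LEN]
    return _encrypt(value.encode(), nonce)


def decrypt(blob):
    nonce, body = blob[:NONCE_LEN], blob[NONCE_LEN:]
    ks = _keystream(ENC_KEY, nonce, len(body))
    return bytes(b ^ k for b, k in zip(body, ks)).decode()


def blind_index(value):
    """Alternate key: keyed hash of the normalised identifier, stored beside a
    probabilistic ciphertext. Normalisation decides whether case differences match."""
    normalised = value.strip().lower()
    return hmac.new(IDX_KEY, normalised.encode(), hashlib.sha256).hexdigest()


def lookup(store, field, needle):
    """Equality lookup as a consent process would issue it: compare stored field values."""
    return [rec["id"] for rec in store if rec[field] == needle]


def demo():
    emails = ["Alice@Example.com", "alice@example.com", "bob@example.com"]
    store = []
    for i, email in enumerate(emails):
        store.append({
            "id": f"003CONSTRUCTED{i:03d}",  # constructed record ID
            "email_prob": encrypt_probabilistic(email),
            "email_det": encrypt_deterministic(email),
            "email_idx": blind_index(email),
        })
    results = {
        # probabilistic: re-encrypting the search value never matches the stored bytes
        "prob": lookup(store, "email_prob", encrypt_probabilistic("alice@example.com")),
        # deterministic: exact match works, but only for byte-identical input
        "det": lookup(store, "email_det", encrypt_deterministic("alice@example.com")),
        # blind index: lower-casing folds the two Alice spellings together
        "idx": lookup(store, "email_idx", blind_index("ALICE@example.com")),
    }
    # Both modes still decrypt; only their searchability differs.
    assert decrypt(store[2]["email_prob"]) == "bob@example.com"
    assert decrypt(store[2]["email_det"]) == "bob@example.com"
    return results


if __name__ == "__main__":
    print(demo())
```

The probabilistic lookup returns nothing, the deterministic lookup finds only the exact spelling, and the indexed lookup finds both. Whichever strategy you choose, the normalisation and key-management decisions need to be written down, because they are what an auditor will ask about when a DSR search misses a record.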
Gearset’s data retention addresses a different compliance challenge — extending audit log retention far beyond Salesforce’s native 180-day limit. It allows you to maintain comprehensive audit logs throughout the seven-year period typically required for SOX compliance and litigation holds. This makes your long-term audit trail both robust and defensible, without the risk of missing critical data during an audit.
Proving data residency
Data residency is a key aspect of data compliance, especially for organizations operating globally under privacy laws such as GDPR. Salesforce’s Hyperforce enables customers to host their data within specific geographic regions, helping meet data residency and sovereignty requirements.
For orgs not yet migrated to Hyperforce, regional control is more limited — adjusting where data is stored typically requires Salesforce Support intervention, which can delay compliance verification during audits. Ensuring your org is deployed on Hyperforce is the most effective way to demonstrate and maintain data residency compliance at scale.
Gearset simplifies this process by offering regional storage options for backups, allowing you to store your data in your chosen region, with certificates explicitly stating data location. This completes the chain of evidence auditors need to verify your data residency practices, ensuring that you’re fully compliant with international data regulations.
Industry-specific compliance paths
While Salesforce offers a comprehensive platform with a wide range of tools to help meet regulatory requirements, it’s important to understand that industry-specific compliance often demands additional configurations, documentation, and customizations.
Industry regulations place different demands on Salesforce implementations. Here’s how to configure your org to meet each standard.
HIPAA compliance: Salesforce doesn’t automatically comply with HIPAA. To meet healthcare regulations, you must sign a Business Associate Agreement (BAA) with Salesforce and run on Enterprise Edition or higher. Most implementations also use Shield Platform Encryption to secure protected health information (PHI) and to meet HIPAA’s privacy and security requirements. While Health Cloud provides healthcare-specific functionality, it isn’t strictly required for HIPAA compliance. In practice, many orgs supplement Salesforce with third-party auditing and data management tools to meet HIPAA standards.
FERPA compliance: FERPA (Family Educational Rights and Privacy Act) requires schools to give parents and eligible students access to education records and to manage how long those records are retained. Salesforce doesn’t enforce FERPA compliance by default, so schools typically create custom retention logic for academic records, often leveraging third-party archival solutions to store data securely. Parent access can be configured via custom development, ensuring that FERPA guidelines for record access and retention are met.
Financial services compliance: In financial services, detailed transaction lineage documentation is required. While Salesforce’s Field Audit Trail can capture some changes, extensive custom development is necessary to track transactions and generate the detailed reports auditors require. Salesforce’s built-in tools often need to be supplemented with external systems to ensure that all data is captured and compliant with SOX and other financial regulations.
Managing compliance across multiple orgs
As organizations grow through acquisitions, managing Salesforce compliance across multiple orgs becomes increasingly complex. Each new org often brings different security settings, custom objects, and data classifications, leading to customization debt and creating compliance blind spots. These inconsistencies can make it difficult to ensure all orgs meet regulatory requirements, particularly when handling global compliance:
Regional data residency and federated search: Regional data residency laws, like GDPR, often require org separation (e.g., EU data must reside in an EU org). Fulfilling a DSR across multiple orgs is challenging without a federated search capability, which typically requires custom development or third-party tools.
Duplicate management: Industry experts highlight duplicates as a major compliance risk. For example, if multiple records for a customer exist, each may have different retention policies, leading to multiple potential compliance failures.
Hidden PII in custom fields: Customization debt can lead to hidden PII in custom fields (e.g., Project_Notes__c), which might bypass Privacy Center scans. This is a hidden compliance risk that could lead to regulatory issues if not addressed.
Operational overhead: Managing compliance across multiple orgs brings added cost due to additional Shield licenses, user licenses, and training.
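The hidden-PII point above is easy to check for. The following Python scanner is an added example (not a Gearset or Salesforce feature): it walks exported records, skips fields already on the PII map, and flags any other text field whose content matches common PII patterns. The records, the classified-field set and the regexes are constructed for illustration; a production scan would tune the patterns per jurisdiction and run against an export rather than an inline list.

```python
import re

# Illustrative PII patterns (constructed). Tune per jurisdiction and data set.
PII_PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "phone": re.compile(r"\b(?:\+?\d{1,3}[ -]?)?\(?\d{3}\)?[ -]?\d{3}[ -]?\d{4}\b"),
    "us_ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}

# Fields already covered by the org's PII map (constructed).
CLASSIFIED_FIELDS = {"Contact.Email", "Contact.Phone"}

# Constructed records; "_object" names the Salesforce object each row came from.
SAMPLE_RECORDS = [
    {"_object": "Contact", "Email": "jane@example.com", "Phone": "555-010-2000",
     "Project_Notes__c": "Kickoff call Tuesday"},
    {"_object": "Contact", "Email": "tom@example.com", "Phone": "",
     "Project_Notes__c": "Call Tom on 555-010-3333, backup email tom.home@example.net"},
    {"_object": "Project__c", "Name": "Rollout",
     "Project_Notes__c": "Contractor SSN 123-45-6789 on file"},
]


def scan_records(records, classified=CLASSIFIED_FIELDS):
    """Return {Object.Field: [pii kinds]} for unclassified fields that hold PII."""
    findings = {}
    for rec in records:
        obj = rec["_object"]
        for field, value in rec.items():
            if field.startswith("_") or not isinstance(value, str):
                continue
            qualified = f"{obj}.{field}"
            if qualified in classified:
                continue  # already mapped; Privacy Center-style tooling sees it
            kinds = {kind for kind, pat in PII_PATTERNS.items() if pat.search(value)}
            if kinds:
                findings.setdefault(qualified, set()).update(kinds)
    return {field: sorted(kinds) for field, kinds in findings.items()}


if __name__ == "__main__":
    for field, kinds in scan_records(SAMPLE_RECORDS).items():
        print(f"{field}: {', '.join(kinds)}  <- add to PII map or scrub")
```

Each hit is a field that needs either a data classification or a clean-up, and the report itself is the evidence that the gap was looked for.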
Gearset’s layered modules solve these challenges by maintaining a core compliance configuration across all orgs, with flexibility for regional variations. You can deploy shared metadata, policies, and compliance settings to every environment in one controlled process — no manual reconfiguration or risk of drift.
This unified approach ensures consistent compliance while letting regional teams adapt to local regulations. And because Gearset automates multi-org deployments and compliance checks, you eliminate the duplication and overhead that typically come with managing separate Salesforce environments.
Building automated compliance processes with Gearset
With Gearset, you can automate compliance processes and integrate them seamlessly into your DevOps pipeline — here’s how:
Testing compliance changes without breaking production
One of the main challenges of compliance is testing new configurations without risking disruptions in production. Gearset solves this with sandbox seeding, allowing you to populate test environments with production-like data while maintaining compliance. By using data masking, you can replace sensitive fields, like phone numbers and email addresses, with realistic but obfuscated data, ensuring no PII is exposed during testing.
Also, Gearset’s comparison tool helps you deploy encryption configuration changes with confidence. It allows you to compare your sandbox and production environments, highlighting exact changes and flagging potential issues before they make it to production, ensuring critical business processes remain unaffected.
Creating continuous compliance validation
The most reliable way to manage compliance is to make it continuous — validating changes throughout the whole DevOps lifecycle and catching any errors before they reach production. Gearset automates these checks in your pipeline, so compliance becomes part of every release, not a separate audit task.
Here’s why Gearset should be your go-to solution for this:
Quality gates in your pipeline: With Gearset, you can create automated quality gates that validate every deployment against your compliance rules, like checking for correct field classifications, required security settings, and data retention policies. These gates run automatically when developers create pull requests (PRs), blocking non-compliant changes from merging into protected branches or deploying to production. By enforcing compliance directly in your release process, Gearset reduces manual oversight and ensures every change meets your organization’s standards.
Change monitoring: Gearset’s change monitoring automatically tracks every metadata change across your Salesforce orgs — whether from deployments, manual edits, or third-party integrations. You’ll receive daily reports and configurable alerts whenever changes occur, so you can spot potential compliance risks early. And if something unexpected happens, Gearset lets you roll back unwanted changes or redeploy approved ones to restore consistency. These monitoring jobs also create a detailed audit trail that supports compliance reviews and regulatory reporting.
Backup: Gearset’s backup solution supports configurable retention periods aligned with your regulatory needs. Whether you need to maintain backups for seven years for SOX compliance or six years for HIPAA, Gearset ensures that your data is securely stored, with full audit logs of any deletions made from backup history. This guarantees that your organization can meet right-to-erasure requirements, an essential part of compliance.
Deployment templates: With templates for security settings, field classifications, and retention policies, Gearset allows you to standardize compliance no matter how many orgs you manage.
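To show what a field-classification quality gate actually checks, here is an added Python example (not Gearset’s implementation) that runs over the CustomField metadata files in a change set. It reads the `securityClassification` and `complianceGroup` elements that Salesforce Data Classification writes into `*.field-meta.xml`, and enforces two constructed rules: free-text fields must carry some classification, and anything tagged PII must be classified at least Confidential. The three field files are constructed, the rule thresholds are this example’s own policy, and the `;` separator for multi-value compliance groups is an assumption.

```python
import sys
import xml.etree.ElementTree as ET

NS = "{http://soap.sforce.com/2006/04/metadata}"
ALLOWED_PII_CLASSES = {"Confidential", "Restricted", "MissionCritical"}
FREE_TEXT_TYPES = {"Text", "TextArea", "LongTextArea", "Html"}

# Constructed field-meta.xml documents standing in for files in a pull request.
FIELD_FILES = {
    "objects/Contact/fields/Home_Phone__c.field-meta.xml": """<?xml version="1.0" encoding="UTF-8"?>
<CustomField xmlns="http://soap.sforce.com/2006/04/metadata">
    <fullName>Home_Phone__c</fullName>
    <label>Home Phone</label>
    <type>Phone</type>
    <securityClassification>Confidential</securityClassification>
    <complianceGroup>PII;GDPR</complianceGroup>
</CustomField>""",
    # Free-text field with no classification at all: where hidden PII tends to live.
    "objects/Project__c/fields/Project_Notes__c.field-meta.xml": """<?xml version="1.0" encoding="UTF-8"?>
<CustomField xmlns="http://soap.sforce.com/2006/04/metadata">
    <fullName>Project_Notes__c</fullName>
    <label>Project Notes</label>
    <type>LongTextArea</type>
    <length>32768</length>
    <visibleLines>3</visibleLines>
</CustomField>""",
    # Tagged PII but classified too weakly for the rule.
    "objects/Contact/fields/Tax_Id__c.field-meta.xml": """<?xml version="1.0" encoding="UTF-8"?>
<CustomField xmlns="http://soap.sforce.com/2006/04/metadata">
    <fullName>Tax_Id__c</fullName>
    <label>Tax ID</label>
    <type>Text</type>
    <length>20</length>
    <securityClassification>Internal</securityClassification>
    <complianceGroup>PII</complianceGroup>
</CustomField>""",
}


def _text(root, tag):
    el = root.find(NS + tag)
    return el.text.strip() if el is not None and el.text else ""


def check_field(path, xml_text):
    """Return a list of rule violations for one field definition."""
    root = ET.fromstring(xml_text)
    name = _text(root, "fullName")
    ftype = _text(root, "type")
    classification = _text(root, "securityClassification")
    groups = {g for g in _text(root, "complianceGroup").split(";") if g}
    problems = []
    if ftype in FREE_TEXT_TYPES and not groups and not classification:
        problems.append(f"{path}: free-text field {name} has no data classification; review for hidden PII")
    if "PII" in groups and classification not in ALLOWED_PII_CLASSES:
        problems.append(f"{path}: {name} is tagged PII but classified '{classification or 'unset'}'")
    return problems


def run_gate(files):
    """Check every field file; an empty list means the gate passes."""
    violations = []
    for path, xml_text in files.items():
        violations.extend(check_field(path, xml_text))
    return violations


if __name__ == "__main__":
    found = run_gate(FIELD_FILES)
    for line in found:
        print("BLOCK:", line)
    sys.exit(1 if found else 0)
```

Wired into a PR check, a non-zero exit blocks the merge, and the printed lines are the record of why.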
The data governance culture shift
Achieving consistent compliance across your Salesforce environment means fostering a data governance culture that prioritizes data quality and compliance at every level of your organization.
Here’s how successful Salesforce implementations embrace a mindset shift that drives compliance from within:
“If it’s not in Salesforce, it doesn’t exist”: This mindset is a core best practice that drives successful Salesforce compliance. This principle is pivotal for ensuring that your organization’s data is properly governed and compliant. If data isn’t stored in Salesforce, it cannot be effectively tracked, deleted, or protected — leaving it open to gaps in governance and compliance.
Assigning data stewards across departments: To create lasting change, it’s important to assign data stewards across departments rather than relying solely on system admins to manage data quality. For example, sales teams should be responsible for the quality of opportunity data, while marketing teams own the integrity of campaign data. Each department is directly responsible for the accuracy and governance of its own data, ensuring that it meets compliance standards from the ground up.
From IT project to business imperative: For compliance to truly succeed, it needs executive buy-in. When leadership understands that compliance is about protecting business value — not just avoiding regulatory fines — it transforms from a “nice-to-have” IT project into a business imperative.
The ROI beyond risk mitigation: While compliance is often seen as a means of risk mitigation, the Return on Investment (ROI) extends far beyond simply avoiding penalties. Clean data enhances Agentforce accuracy, enabling your Salesforce org to deliver smarter insights and reliable agents. With faster DSR responses, you build greater customer trust, proving that your organization takes privacy seriously.
By automating compliance processes, you free up valuable staff time, enabling teams to focus on value-adding work rather than manual audits or data entry. This shift toward automation not only reduces the burden on employees but also improves overall operational efficiency, creating a virtuous cycle that benefits both compliance and business performance.
Gearset: Enterprise compliance, without compromise
Gearset integrates seamlessly with the compliance and security frameworks your organization already relies on — rather than forcing you to adopt separate audit systems or duplicate processes. Gearset’s Role-Based Access Control, granular permissions, and audit-ready logging are built into every part of the platform, from CI/CD pipelines to data backup and recovery.
Unlike other DevOps platforms that add their own gated compliance layer, Gearset works with your existing governance workflows — including branch protection rules, approval gates, and change tracking in tools like GitHub, GitLab, or Bitbucket. Your DevOps and InfoSec teams maintain complete visibility and control, while Gearset reinforces compliance across every environment and release.
The result is continuous enterprise compliance — aligned with your organization’s security standards, verifiable through evidence, and ready for audit at any time.
Build compliance confidence with Gearset
The shift from reactive scrambling to proactive compliance happens when you stop relying on piecemeal configurations and start engineering your evidence pipeline.
Salesforce’s native capabilities provide a strong foundation, but there’s a critical gap between what Salesforce offers out of the box and the evidence regulators, partners, or internal auditors expect if questions are raised. Gearset bridges that gap with purpose-built solutions for long-term change histories, automated DSR fulfillment, compliant sandbox seeding, and unified multi-org governance. These tools mean your team no longer has to manually assemble compliance proof — you always have the documentation ready when it’s needed.
With Gearset, you can ensure that every change is tracked, every piece of evidence is ready, and every action is in line with your regulatory obligations. Instead of waiting for an investigation or compliance request to spark a scramble, you can demonstrate a systematic approach to data protection and governance at any moment.
Not to mention, the next frontier — AI compliance for Agentforce — will require the same evidence-first mindset. Documenting training data sources, maintaining consent for AI processing, and proving data boundaries will be just as crucial as managing compliance for traditional data storage. Organizations that build compliance into their development pipeline today are positioning themselves to easily adapt to tomorrow’s regulations.
Ready for enterprise-grade Salesforce compliance?
Ready to transform your Salesforce compliance from reactive configuration to demonstrable evidence? Start your free 30-day trial to experience how Gearset’s automated compliance validation works in your org.
Or book a demo with our team to discuss your specific compliance challenges and see Gearset in action.