
Security

DXDeploy is built with security at its core. Here's how we protect your data.

Encryption at Rest

All sensitive data is encrypted at rest using AES-256. Your credentials and secrets are never stored in plain text. This includes:

  • Salesforce authentication credentials (OAuth tokens, certificates, private keys)
  • Version control access tokens and webhook secrets
  • Notification service credentials (Slack, Teams, JIRA, Confluence, webhooks)
  • Deployment logs and error data
  • RunBook automation scripts

Encryption in Transit

All data transmitted to and from DXDeploy is protected using TLS (HTTPS). This covers all application traffic, API communications with third-party services, and webhook deliveries.

Authentication & Access Control

  • Strong passwords — We enforce password complexity requirements including minimum length, mixed case, numbers, and symbols.
  • Two-factor authentication — All users can enable 2FA for an additional layer of account security.
  • Session management — Users can view and revoke active sessions. Sessions are automatically terminated after a period of inactivity.
  • Role-based access control — Permissions are managed through a role-based system ensuring users only access what they need.
  • Email verification — Email addresses are verified before accounts can access the platform.

Data Isolation

All resources are strictly isolated between teams. Your VCS connections, Salesforce environments, deployments, and configurations are never accessible to other organizations. Each team operates in a fully isolated environment.

Source Code Protection

Your source code is only accessed temporarily during deployments. Each deployment runs in its own isolated workspace. After the deployment completes — whether it succeeds or fails — the workspace and all source files are automatically deleted. We do not store, index, or analyse your source code.

Webhook Security

Incoming webhooks are verified using cryptographic signature validation. Payloads with invalid or missing signatures are rejected. All webhook secrets are encrypted at rest, and all input data is sanitized to prevent injection attacks.

Salesforce Integration

We support OAuth 2.0 and JWT (certificate-based) authentication with Salesforce. With OAuth, we never see or store your Salesforce password. We request only the minimum API scopes necessary for deployments. You can revoke access at any time from DXDeploy or directly from Salesforce.

Infrastructure

  • EU-hosted — All data is stored and processed within the European Union.
  • Separated architecture — Application, database, and background processing components are isolated from each other.
  • Continuous monitoring — System health, performance, and security events are continuously monitored.
  • Automated updates — Security patches are applied promptly to keep all systems up to date.

Responsible Disclosure

If you discover a security vulnerability, please report it responsibly to security@dxdeploy.com. We aim to acknowledge reports within 48 hours and provide a resolution timeline within 5 business days.

© 2026 DXDeploy. All rights reserved.