Security

How we protect customer data.

This page describes the security practices Glumes IT follows when delivering Salesforce, CRM and analytics services. It is maintained by Glumes IT to answer common security and privacy questions from customers and partners.

Our commitment

Security is part of delivery, not an afterthought.

We help customers configure Salesforce securely, handle sensitive CRM data responsibly, and maintain environments that meet their own security and governance requirements. Detailed security documentation and responses to vendor questionnaires are available under a signed NDA or Data Processing Agreement.

Least-privilege access

Every user, integration and consultant receives only the permissions needed for their role. We review profiles, permission sets, field-level security and public groups before go-live and on every release.

Authentication & MFA

We enforce multi-factor authentication on all customer environments and our internal systems. OAuth and SAML SSO are configured wherever the customer's identity provider supports it.

Secure environments

Development, testing and production are separated by sandbox strategy. No live customer data is used in dev or QA sandboxes unless explicitly required, masked and approved.

Monitoring & audit

We enable Salesforce audit logs, field history, login history and event monitoring where available. Access reviews and configuration backups are performed on a scheduled cadence.

Secure delivery lifecycle

Code is versioned, peer-reviewed and deployed through documented release management. Critical customisations are tested in sandbox before promotion, with rollback plans prepared.

Incident response

Suspected data exposure, unauthorised access or configuration drift is escalated immediately. We notify the customer contact within 24 hours, contain the issue and document remediation.

Data handling

Customer data stays in customer-controlled Salesforce environments.

We do not operate our own data store for customer CRM data. Client data remains in the customer's Salesforce org and approved connected systems. Where we need access for implementation or support, it is granted through named, role-based accounts with the minimum permissions required and reviewed regularly.

We classify data we handle as confidential, do not use it for training AI models or commercial purposes, and return or delete project materials at the end of an engagement unless the customer requests otherwise.

No customer CRM data stored on local developer machines unless encrypted and approved.
Named admin accounts only — no shared credentials or anonymous access.
Regular access reviews and immediate de-provisioning when a project ends.
Encrypted communication channels and approved collaboration tools.
Privacy & compliance

Privacy, contracts and shared responsibility.

NDAs & DPAs

We sign confidentiality agreements and data processing addenda before accessing sensitive customer environments. We can accommodate standard customer security questionnaires and procurement reviews.

Salesforce trust model

Salesforce is responsible for the security of the cloud platform. Glumes IT is responsible for secure configuration, user access, data flows and customisations we build within the customer's org.

Certifications

Our consultants hold current Salesforce certifications and follow Salesforce's security, architecture and AI trust guidelines. Detailed compliance attestations are available on request under NDA.

Contact

Report a security concern or request a security review.

Security contact
General enquiries
Go to Contact page

For sensitive issues, please contact us by email. We will acknowledge receipt and respond with next steps within one business day.

Need a security questionnaire answered?

We provide security documentation, architecture diagrams and compliance responses to support enterprise procurement and Salesforce partner verification.

Request security docs