Hi Trailblazers,
I have a question regarding security best practices for a managed package that we are preparing for Salesforce Security Review and AppExchange listing.
We have developed a managed package that performs an external API callout from an Apex class. As part of the integration logic, the Apex class sends record data from the following standard objects to an external endpoint:
- Lead
- Account
- Contact
- User
- Individual
The data is transmitted in the request payload to an external system for processing.
My questions are:
- From a Salesforce Security Review perspective, is sending standard object data (including User and Individual records) to an external API considered a security concern by default?
- What are the key compliance or security expectations Salesforce evaluates in such scenarios?
- Are there specific controls or patterns recommended to ensure this passes Security Review (e.g., explicit user consent, encryption standards, field-level filtering, etc.)?
- Are there any red flags specifically related to transmitting User or Individual object data externally?
- Are there limitations or concerns in sending all fields in the standard objects?
We are planning to submit the package for Security Review soon and want to proactively address any potential concerns before submission.
Appreciate any guidance or insights from those who have gone through a similar review process.
Thanks in advance!