Introduction to the InCountry Data Residency for Salesforce app
Salesforce is the leading customer relationship management (CRM) platform for businesses of any size and specialization. All your marketing, sales, commerce, service, and IT teams can collaborate and communicate with your customers in one place and in different ways.
Regulated data processing in Salesforce
Salesforce hosting data centers are located in 6 countries. This is not sufficient for the world-wide companies and corporations that manage regulated data of customers. InCountry expands the list to over 90 countries where you can store regulated data and be sure that you do not violate any local laws or regulations.
With InCountry Data Residency for Salesforce, you can have a single Salesforce instance to store regulated data in over 90 different countries. You do not need to have a dedicated Salesforce instance for each country or region to comply with all sorts of regulations you have to adhere to.
By default, Salesforce does not restrict the visibility of regulated data in the Salesforce instance for agents that work from other countries and are not allowed to view this data. The InCountry Data Residency for Salesforce app addresses this problem and provides configuration that can restrict the visibility of regulated data to agents working in the origin country only.
InCountry Data Residency for Salesforce allows customers to separate the streams of regulated and non-regulated data and store each one in different places. This way you store the non-regulated data in Salesforce, and regulated data in the InCountry platform in the specific country.
All the regulated data stored in the InCountry platform is encrypted on the fly with the customer-owned key, so the data is kept secure and safe.
For the next steps with the InCountry Data Residency for Salesforce app, see the following sections:
- Package Installation
- Initial App Setup
- Configuring Data Regulation Policies
- Configuring the PROTECTED fields
- Regulated Field Protection
- Package Uninstallation
- Viewing Serverless Functions
The InCountry Data Residency for Salesforce package is installed as a common package by following the standard procedure.
To get the link to the installation package of the InCountry Data Residency for Salesforce package, please contact our support team at email@example.com.
You must have permissions of a System Administrator to install the packages onto your Salesforce instance.
Log in to the Salesforce instance as a System Administrator.
From Setup, click Company Settings and select My Domain.
Specify the domain and check its availability. Rename the domain if it is already occupied. Apply changes and wait for system response.
Installing the package
The InCountry Data Residency for Salesforce package is distributed as a standard package which you can install onto your Salesforce instance.
Copy the installation URL of the package.
Log in to the Salesforce instance which you want to install the package in.
In the address line of the browser, paste the link with the Salesforce instance URL and the package installation path. For example:
On the opened page, enter the installation key which InCountry provided to you.
Select users who the package is installed for.
Check the box to prove that you acknowledge the risks by installing the Salesforce package which is not authorized.
Upgrading the package
Upgrade of the package is performed in the same way as installation of the package. For upgrade of the InCountry Data Residency for Salesforce package to beta releases, please contact the InCountry team in advance.
Initial Package Setup
Once you have installed the InCountry Data Residency for Salesforce package, you need to complete its initial setup, so it can make data requests to REST SDK.
Upon successful installation, the InCountry Data Residency for Salesforce package creates two user accounts for work, as follows:
InCountry Admin - can administer the InCountry Salesforce package and set up data regulation policies for Salesforce objects.
InCountry User - can work within the InCountry interface and manage Salesforce objects.
You need to assign regular Salesforce users to each the InCountry-specific user account depending on their roles within your organization. Each user account can be associated with multiple users. Users who are not assigned to the InCountry Admin or InCountry User account will not be able to load the InCountry interface in Salesforce.
From Setup, click Users and then select Permission sets.
On the list with users, locate the user named as InCountry User or InCountry Admin.
Click this user.
On the opened page, click Manage Assignments.
Within the opened permission set you can view users who attribute to InCountry User or InCountry Admin. They will be able to work within the InCountry Data Residency for Salesforce package according to the granted permission level.
Here you can manage users, as follows:
- Adding users to the permission set
- Removing users from the permission set
Adding users to the permission set
Within the opened InCountry User permission set, click Add Assignments.
On the All Users page, select users that you want to assign to the InCountry User permission set.
Removing users from the permission set
Within the opened InCountry User or InCountry Admin permission set, select users that you want to remove the assignment from.
Click Remove Assignments.
InCountry REST Endpoint management
The InCountry Data Residency for Salesforce package pre-defines the REST endpoints for data communication between Salesforce and the InCountry Platform. You can manage these REST endpoints if needed and change them for some custom ones.
From Setup, click Custom Code, then select Custom Metadata Types.
On the Custom Metadata Types page, locate the
InCountryRestApiEndpointobject and click Manage Records.
On the opened InCountryRestApiEndpoint page, locate the country which REST API endpoint you want to modify.
For the required country, click Edit.
On the opened page, you can modify the following:
- Label - enter the label of the country in the ISO format (upper case).
- InCountryRestApiEndpoint Name - enter the label of the country in the ISO format (upper case).
- Country - select the country from the prompted variants.
- Endpoint - specify another InCountry REST API endpoint in the target country. Contact the InCountry team to get the actual endpoint address.
- Default - check the box to use the current InCountry REST API endpoint as default for all data requests.
- Token - enter the token name as '
- CertificateNameServerless - enter the name of the certificate for serverless functions. You need to enter the name of the certificate which was issued for serverless functions without the *.JKS file extension, so that only the certificate name remains. The pattern for this looks like '
- CertificateNameApi - enter the certificate name for performing requests from the backend. This is applicable to the replication model. The name of such certificate is individual for each customer.
- CertificateNameRest - enter the certificate name for performing REST API requests from the frontend. Such requests are performed through the dedicated
/sfendpoint of InCountry REST API and authorization of such requests is executed with a JWT token. This is applicable to the redaction model. The name of such certificate is individual for each customer.
- CertificateNameBatch - name of the certificate for batch data operations. You need to enter the name of the certificate which was issued for batch operations without the *.JKS file extension, so that only the certificate name remains. The pattern for this looks like '
When complete, click Save.
Please avoid modifying these parameters if not needed.
To create a new InCountry REST endpoint:
Initiate the management of records within the
Above the table with REST endpoints, locate the New button and click it.
On the opened page, fill out details for the REST endpoint as described above for management of REST endpoints. To get the actual address of REST endpoint, please contact the InCountry team.
When complete, click Save.
Management of InCountry flags
The InCountry Data Residency for Salesforce package introduces a set of custom metadata types, so called flags. These flags regulate the activation of specific features within the package.
- From Setup, click Custom Code, then select Custom Metadata Types.
- On the Custom Metadata Types page, locate the
InCountry Flagobject and click Manage Records. The list with flags opens, as follows:
The list of InCountry flags includes the following:
- CountryISOFromUserProfile - this flag regulates the fetching of the country location from the user profile, otherwise it is determined automatically from the IP address.
- EnableRangeKeyFilter - this flag regulates the usage of the range key filter for searching for numeric values within the specified range.
- PIIFieldsAutoConfiguration - this flag regulates the automatic configuration of the PII fields for Salesforce objects based on the common patterns.
To enable or disable the flag:
- On the list with flags, locate the flag which you want to enable or disable.
- Click the flag name.
- On the opened page, click Edit.
- Select or clear the IsEnabled box.
- Click Save.
Registering remote sites
The package communicates data with the InCountry Platform through REST API. This requires the registration of remote sites in Salesforce, so the package can seamlessly communicate protected data between Salesforce and InCountry Platform.
Once you have received the address of REST API from the InCountry support team, you can proceed to setup.
From Setup, click Security, then select Remote Site Settings.
On the list with remote sites, click New Remote Site.
On the Remote Site Edit page, specify the following information:
Remote Site Name - enter a meaningful name of the remote site. So you can understand what country it relates to.
Remote Site URL - enter the URL address of InCountry REST API. Besides REST API you may also enter the address of InCountry Border.
Active - check the box to make the remote site as active.
When complete, click Save.
Repeat the same procedure for other InCountry endpoints if you manage protected data for multiple countries.
Loading the InCountry Data Residency for Salesforce package
Once you have configured the InCountry Data Residency for Salesforce package and re-created the Salesforce views, you can load the app for working within it.
In the left part of the menu, locate the icon showing available apps and click it.
In the App Launcher form, select InCountry. The name may differ depending on your setup.
The InCountry Data Residency for Salesforce package will load the recreated views for managing Salesforce objects and their data.For custom objects, you will have to recreate the views with the components from the InCountry Data Residency for Salesforce package.
Removing User Assignments
Log in to Salesforce as a system administrator.
From Setup, click User Permissions and then select Permission Sets.
On the list, locate the InCountry User and InCountry Admin sets and click them to open.
Select all users and click Remove Assignment.
Uninstalling the InCountry Data Residency for Salesforce package
From Setup, click Apps, then click Packaging and select Installed Packages.
On the Installed Packages page, locate the InCountry Data Residency for Salesforce package.
On the confirmation page, select the Do not save a copy of this package's data after uninstall option.
Select the Yes, I want to uninstall this package and permanently delete all associated components box.
You may encounter the situation when the package cannot be uninstalled at once due to the modifications in the organization after the package installation including the following:
new layouts in App Builder
new pages in App Builder
In this case, you will see the list of modified items. In order to continue with the package uninstallation, you will have to roll back these modifications and only then uninstall the package from your Salesforce instance.