Introduction to the InCountry Data Residency for Salesforce app
Salesforce is the leading customer relationship management (CRM) platform for businesses of any size and specialization. All your marketing, sales, commerce, service, and IT teams can collaborate and communicate with your customers in one place and in different ways.
Regulated data processing in Salesforce
Salesforce hosting data centers are located in 6 countries. This is not sufficient for the world-wide companies and corporations that manage regulated data of customers. InCountry expands the list to over 90 countries where you can store regulated data and be sure that you do not violate any local laws or regulations.
With InCountry Data Residency for Salesforce, you can have a single Salesforce instance to store regulated data in over 90 different countries. You do not need to have a dedicated Salesforce instance for each country or region to comply with all sorts of regulations you have to adhere to.
By default, Salesforce does not restrict the visibility of regulated data in the Salesforce instance for agents that work from other countries and are not allowed to view this data. The InCountry Data Residency for Salesforce app addresses this problem and provides configuration that can restrict the visibility of regulated data to agents working in the origin country only.
InCountry Data Residency for Salesforce allows customers to separate the streams of regulated and non-regulated data and store each one in different places. This way you store the non-regulated data in Salesforce, and regulated data in the InCountry platform in the specific country.
All the regulated data stored in the InCountry platform is encrypted on the fly with the customer-owned key, so the data is kept secure and safe.
For the next steps with the InCountry Data Residency for Salesforce app, see the following sections:
- Package Installation
- Initial App Setup
- Configuring Data Regulation Policies
- Configuring the PROTECTED fields
- Regulated Field Protection
- Package Uninstallation
- Managing Serverless Functions
The InCountry Data Residency for Salesforce package is installed as a common package by following the standard procedure.
To get the link to the installation package of the InCountry Data Residency for Salesforce package, please contact our support team at firstname.lastname@example.org.
You must have permissions of a System Administrator to install the packages onto your Salesforce instance.
Log in to the Salesforce instance as a System Administrator.
From Setup, click Company Settings and select My Domain.
Specify the domain and check its availability. Rename the domain if it is already occupied. Apply changes and wait for system response.
Installing the package
The InCountry Data Residency for Salesforce package is distributed as a standard package which you can install onto your Salesforce instance.
It is highly recommended to install the package for administrators only (select the Admins Only option). You can further use permission sets to regulate access to the InCountry Data Residency package for individual Salesforce users.
Please avoid selecting the Install for All Users option as in this case all Salesforce users will get access to the InCountry Data Residency package and you will not be able to regulate access to the package for individual users.
Copy the installation URL of the package.
Log in to the Salesforce instance where you want to install the package.
In the address line of the browser, paste the link with the Salesforce instance URL and the package installation path. For example:
On the opened page, enter the installation key which InCountry provided to you.
Select users who the package is installed for. Please see the note above for details.
Check the box to indicate that you acknowledge the risks by installing the Salesforce package which is not authorized.
Upgrading the package
Upgrade of the package is performed in the same way as installation of the package. For upgrade of the InCountry Data Residency for Salesforce package to beta releases, please contact the InCountry team in advance.
Initial Package Setup
Once you have installed the InCountry Data Residency for Salesforce package, you need to complete its initial setup, so it can make data requests to the REST API.
Upon successful installation, the InCountry Data Residency for Salesforce package creates two user accounts for its operation, as follows:
InCountry Admin - can administer the InCountry Salesforce package and set up data regulation policies for Salesforce objects.
InCountry User - can work within the InCountry interface and manage Salesforce objects.
You need to assign regular Salesforce users to each InCountry-specific user account depending on their roles within your organization. Each user account can be associated with multiple users. Users who are not assigned to the InCountry Admin or InCountry User account will not be able to load the InCountry interface in Salesforce.
From Setup, click Users and then select Permission sets.
On the list with users, locate the user named as InCountry User or InCountry Admin.
Click this user.
On the opened page, click Manage Assignments.
Within the opened permission set you can view users who attribute to InCountry User or InCountry Admin. They will be able to work within the InCountry Data Residency for Salesforce package according to the granted permission level.
Here you can manage users, as follows:
- Adding users to the permission set
- Removing users from the permission set
Adding users to the permission set
Within the opened InCountry User permission set, click Add Assignments.
On the All Users page, select users that you want to assign to the InCountry User permission set.
Removing users from the permission set
Within the opened InCountry User or InCountry Admin permission set, select users that you want to remove the assignment from.
Click Remove Assignments.
InCountry REST Endpoint management
The InCountry Data Residency for Salesforce package pre-defines the REST endpoints for data communication between Salesforce and the InCountry platform. You can manage these REST endpoints if needed and change them for some custom ones.
From Setup, click Custom Code, then select Custom Metadata Types.
On the Custom Metadata Types page, locate the
InCountryRestApiEndpointobject and click Manage Records.
On the opened InCountryRestApiEndpoint page, locate the country whose REST API endpoint you want to modify.
For the required country, click Edit.
On the opened page, you can modify the following:
- Label - enter the label of the country in the ISO format (upper case).
- InCountryRestApiEndpoint Name - enter the label of the country in the ISO format (upper case).
- Country - select the country from the prompted variants.
- Endpoint - specify another InCountry REST API endpoint in the target country. Contact the InCountry team to get the actual endpoint address.
- Default - check the box to use the current InCountry REST API endpoint as default for all data requests.
- Token - enter the token name as '
- CertificateNameServerless - enter the name of the certificate for serverless functions. You need to enter the name of the certificate which was issued for serverless functions without the *.JKS file extension, so that only the certificate name remains. The pattern for this looks like '
- CertificateNameApi - enter the certificate name for performing requests from the backend. This is applicable to the replication model. The name of such certificate is individual for each customer.
- CertificateNameRest - enter the certificate name for performing REST API requests from the frontend. Such requests are performed through the dedicated
/sfendpoint of InCountry REST API and authorization of such requests is executed with a JWT token. This is applicable to the redaction model. The name of such certificate is individual for each customer.
- CertificateNameBatch - name of the certificate for batch data operations. You need to enter the name of the certificate which was issued for batch operations without the *.JKS file extension, so that only the certificate name remains. The pattern for this looks like '
When complete, click Save.
Please avoid modifying these parameters if not needed.
To create a new InCountry REST endpoint:
Initiate the management of records within the
Above the table with REST endpoints, locate the New button and click it.
On the opened page, fill out details for the REST endpoint as described above for management of REST endpoints. To get the actual address of REST endpoint, please contact the InCountry team.
When complete, click Save.
Management of InCountry Endpoints
The InCountry Data Residency for Salesforce package allows you to define endpoints used by the package for data distribution and localization.
On the menu, select Settings.
On the Settings page, locate the InCountry Endpoints section.
Click the down arrow icon to expand the list of endpoints within it.
You can manage endpoints, as follows:
Create new endpoints
Edit the existing endpoints
Delete the no longer needed endpoints
Creating a new endpoint
Expand the section with endpoints.
Click Create New Endpoint.
In the Create New Endpoint form, fill out the following information:
Label - enter the label of the country in the ISO format (upper case).
Endpoint - specify the InCountry REST API endpoint in the target country. Contact the InCountry team to get the actual endpoint address.
Country - select the country from the list of country codes.
Certificate Name Serverless - select the certificate for performing serverless functions.
Certificate Name Api - select the certificate for performing requests from the backend. This is applicable to the replication model.
Certificate Name Rest - select the certificate for performing REST API requests from the frontend. Such requests are performed through the dedicated
/sfendpoint of InCountry REST API and authorization of such requests is executed with a JWT token. This is applicable to the redaction model.
Certificate Name Batch - select the certificate for performing batch data operations.
When complete, click Create.
Editing the endpoint
The editing of the existing endpoint can lead to changes in the data distribution workflow or even break the application operation. Please consider this while making edits in endpoints.
On the list with endpoints, locate the endpoint you want to edit.
Click the down arrow icon.
From the action menu, select Edit.
Make the required updates in the endpoint configuration.
When complete, click Save.
Deleting the endpoint
The removal of the existing endpoint can lead to changes in the data distribution workflow or even break the application operation. Please consider this while removing endpoints.
On the list with endpoints, locate the endpoint you want to delete.
Click the down arrow icon.
From the action menu, select Delete.
Confirm the removal of the endpoint.
Management of InCountry flags
The InCountry Data Residency for Salesforce package introduces a set of custom metadata types, so called flags. These flags regulate the activation of specific features within the package.
On the menu, select Settings.
On the Settings page, locate the InCountry Flags section.
Click the down arrow icon to expand the list of flags within it.
The list of InCountry flags includes the following:
CountryISOFromUserProfile- this flag regulates the fetching of the country location from the user profile, otherwise it is determined automatically from the IP address.
EnableRangeKeyFilter- this flag regulates the usage of the range key filter for searching for numeric values within the specified range.
PIIFieldsAutoConfiguration- this flag regulates the automatic configuration of the PII fields for Salesforce objects based on the common patterns.
USE_NAMED_CREDENTIAL- this flag regulates the usage of OAuth authorization instead of certificates on the Salesforce organization.
RECYCLE_BIN_ENABLED- this flag regulates the automatic removal of records upon their reaching the removal date.
Related List Sync- this flag regulates the checkup of a synchronization status for a Salesforce object and its related components by the
pollercomponent. If disabled, the
pollercomponent checks the synchronization status for the Salesforce object only.
FilesTrigger- this flag regulates the synchronization of files between the InCountry platform and Salesforce Lightning.
FilesTriggerClassic- this flag regulates the synchronization of files between the InCountry platform and Salesforce Classic.
EscapeCSVFiles- this flag regulates the escaping of special characters when you export the list of records for some Salesforce object.
PII_FIELDS_VALIDATION- this flag regulates the validation of PII fields when defining the data regulation model for Salesforce objects. This option verifies the existence of a field, user permissions to create a configuration for this field, and the applied hash function.
PII_POLICIES_TRIGGER_ENABLED- this flag regulates the validation of configured data regulation policies for Salesforce objects. This option verifies that only one policy is configured per Salesforce and per object type and there are no conflicting configuration duplicates.
To add a new flag:
In the Enter flag label box, enter the label of the flag.
To activate the flag after creation, move the toggle right.
Click the plus icon.
The flag is added to the list.
To enable or disable the flag:
On the list with flags, locate the flag which you want to enable or disable.
To disable the flag, move the toggle left.
To enable the flag, move the toggle right.
Registering remote sites
The package communicates data with the InCountry platform through the REST API. This requires the registration of remote sites in Salesforce, so the package can seamlessly communicate protected data between Salesforce and InCountry Platform.
Once you have received the address of the REST API from the InCountry support team, you can proceed with setup.
From Setup, click Security, then select Remote Site Settings.
On the list with remote sites, click New Remote Site.
On the Remote Site Edit page, specify the following information:
Remote Site Name - enter a meaningful name of the remote site. So you can understand what country it relates to.
Remote Site URL - enter the URL address of InCountry REST API. Besides REST API you may also enter the address of InCountry Border.
Active - check the box to make the remote site active.
When complete, click Save.
Repeat the same procedure for other InCountry endpoints if you manage protected data for multiple countries.
Loading the InCountry Data Residency for Salesforce package
Once you have configured the InCountry Data Residency for Salesforce package and re-created the Salesforce views, you can load the app for working within it.
In the left part of the menu, locate the icon showing available apps and click it.
In the App Launcher form, select InCountry. The name may differ depending on your setup.
The InCountry Data Residency for Salesforce package will load the recreated views for managing Salesforce objects and their data.For custom objects, you will have to recreate the views with the components from the InCountry Data Residency for Salesforce package.
Removing User Assignments
Log in to Salesforce as a system administrator.
From Setup, click User Permissions and then select Permission Sets.
On the list, locate the InCountry User and InCountry Admin sets and click them to open.
Select all users and click Remove Assignment.
Uninstalling the InCountry Data Residency for Salesforce package
From Setup, click Apps, then click Packaging and select Installed Packages.
On the Installed Packages page, locate the InCountry Data Residency for Salesforce package.
On the confirmation page, select the Do not save a copy of this package's data after uninstall option.
Select the Yes, I want to uninstall this package and permanently delete all associated components box.
You may encounter the situation when the package cannot be uninstalled at once due to the modifications in the organization after the package installation including the following:
new layouts in App Builder
new pages in App Builder
In this case, you will see the list of modified items. To continue with the package uninstallation, you will have to roll back these modifications and only then uninstall the package from your Salesforce instance.