
Realfire Security

Security is one of the most important features of a software product. With Realfire, we have thought about security from the get-go. This page documents our approach and practices.

Overview

The following diagram highlights the various integration points as a user interacts with Realfire.

Product Location

Realfire runs locally on your machine, so access to Realfire is first controlled by the security of your machine, such as the password you set or where the machine is available.

Credentials

The credentials (username/password or OAuth tokens) are stored locally on your machine and NEVER transmitted outside except to authenticate with Salesforce directly.

With the Master Password (explained below), it is impossible for somebody to learn the plaintext contents of your credentials, even if they gain unlawful access to your machine.

Master Password

We persist the credentials locally to provide the convenience of one-click login to your org and data. Before we persist the credentials, they are encrypted using the Master Password.

The Master Password is a password that you set when you install Realfire for the first time. It is not persisted locally or transmitted out of your machine. You are prompted to enter it each time you start Realfire. If you forget the Master Password, you cannot retrieve any of the saved credentials.

Explore ~/.realfire to understand what we store and how, especially the ~/.realfire/{conn}/connection.json file. Its contents look like the following, where the password is encrypted using the Master Password.

{
...
"orgType" : "production",
"orgTypeString" : "Base Edition",
"password" : "09CA27A65435EE7BA6F770DA6CEE05E389D7C1FFE834F6215CBDD27788C616709E98C692C176FCD04870D372CC2D6988",
...
}
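
To check this on your own machine, the following added example (not Realfire or Datasert code) audits every ~/.realfire/{conn}/connection.json file for a "password" value that does not look encrypted and for file permissions that let other local users read it. It assumes the encrypted value is always hex-encoded, as in the sample above; the function names audit_connection and audit_store are hypothetical.

```python
import json
import stat
import string
import sys
from pathlib import Path

HEX = set(string.hexdigits)  # assumption: ciphertext is hex, as in the page's sample

def audit_connection(path):
    """Return a list of findings for one connection.json file."""
    findings = []
    path = Path(path)
    mode = stat.S_IMODE(path.stat().st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"file mode {mode:03o} lets other local users access it")
    try:
        doc = json.loads(path.read_text(encoding="utf-8"))
    except (OSError, ValueError) as exc:
        return findings + [f"unreadable or invalid JSON: {exc}"]
    pw = doc.get("password") if isinstance(doc, dict) else None
    if pw is None:
        return findings  # no password field stored (e.g. token-based connection)
    if not isinstance(pw, str) or not pw:
        findings.append("password field is empty or not a string")
    elif not set(pw) <= HEX or len(pw) % 2:
        findings.append("password is not hex-encoded; may be stored in plaintext")
    return findings

def audit_store(root):
    """Audit every {conn}/connection.json under root; map path -> findings."""
    root = Path(root).expanduser()
    return {str(p): audit_connection(p)
            for p in sorted(root.glob("*/connection.json"))}

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "~/.realfire"
    report = audit_store(root)
    for path, findings in report.items():
        print(path, "OK" if not findings else "; ".join(findings))
    sys.exit(1 if any(report.values()) else 0)
```

The hex check is a heuristic: a plaintext value made up only of hex characters would pass, so a clean result does not prove the value is encrypted.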

Transport

Realfire uses secure transport (HTTPS) each time it establishes a remote connection. It connects to only two kinds of servers: Salesforce servers and Realfire License Servers.

Data Security

Data that you fetch from Salesforce or provide to Realfire to import into Salesforce is stored locally and never shared outside. Data security is therefore controlled by your machine's security, such as its location and login credentials.

Employees use MFA

Datasert (maker of Realfire) employees use Multi-factor Authentication (MFA) to log in to all company applications and production servers. This reduces the risk of impersonation.

Cloud Providers

Datasert uses industry-standard cloud providers (Heroku and AWS) to build its infrastructure and follows their recommended security practices.

Credit Cards

The credit card details you provide to purchase a license are managed through the payment provider Stripe and are never transmitted to Datasert servers. Even when we log in to Stripe, Datasert employees see only the card type and last 4 digits.

Other Questions

Can Datasert Employees read my credentials?

No, we cannot. We do not have access to either plaintext or encrypted text of your credentials, unless you copy/paste and send it in an email, which we do NOT recommend.

What happens if the Datasert License Servers are hacked?

In the event of a product server breach, the most an attacker can do is use your license keys. They cannot get access to your Salesforce connections because we do not store them on the server.