Realfire Security
Security of a software product is one of its main and important features. With Realfire, we have thought about security from get-go. This page documents the approach and practice.
Overview
Following diagram highlights the various integrations ponints as user interacts with Realfire.
Product Location
Realfire runs locally in your machine so access to Realfire is first controlled by the security of your machine like the password you set or where it is available.
Credentials
The credentials (username/password or oauth tokens) are stored locally in your machine and NEVER transmitted outside except to authenticate with Salesforce directly.
With Master Password (explained below), it is impossible for somebody to get to know the plaintext contents of your credentials, even if they gain unlawful access to your machine.
Master Password
We do persist the credentials locally to provide the convenience of one-click login to your org and data. But before we persist the credentials, they are encrypted using Master Password.
Master Password is a password that you set when you install Realfire for the first time. This Master password is not persisted locally or transmitted out of your machine. You are prompted to enter this password each time you start Realfire. If you forget Master Password, you cannot retrieve any of the saved credentials.
Explore ~/.realfire
to understand what/how we store, especially ~/.realfire/{conn}/connection.json
file. Its contents look like below where the password is encrypted using Master Password.
{
...
"orgType" : "production",
"orgTypeString" : "Base Edition",
"password" : "09CA27A65435EE7BA6F770DA6CEE05E389D7C1FFE834F6215CBDD27788C616709E98C692C176FCD04870D372CC2D6988",
...
}
Transport
Relaifre uses secure transport (https) each time it establishes remote connections. It connects to only two servers, Salesforce Servers and Realfire License Servers.
Data Security
Data that you fetch from Salesforce or provide to Realfire to import into Salesforce is stored locally and never shared outside. So data security is controlled by your machine security like its location and machine login credentials.
Employees use MFA
Datasert (maker of Realfire) employees use Multi-factor Authentication (MFA) to login to all company applications and production servers. This reduces the risk of impersonation hacking.
Cloud Providers
Datasert uses industry-standard Cloud Providers (Heroku and AWS) to build its infrastructure and follow the recommended practice of security.
Credit Cards
The credit cards you provide to purchase a license is managed through Payment Provider Stripe and they are never transmitted to Datasert Servers. Even if we login to Stripe, Datasert Employees will see only Card Type and last 4 digits.
Other Questions
Can Datasert Employees read my credentials?
No, we cannot. We do not have access to either plaintext or encrypted text of your credentials, unless you copy/paste and send it in an email, which we do NOT recommend.
If Datasert Licenser Servers are hacked what happens?
In the event of a product server breach, the maximum impact they will have is, use your license keys. They cannot get access to your Salesforce connections because we do not store them on the server.