Trust & Security
Security Details
For IT teams and security reviewers evaluating KeelCadence Impact Awareness.
What This Tool Does — and Does Not Do
- Reads Salesforce metadata only — never individual record values or PII
- Never writes to your Salesforce org — no records created, updated, or deleted
- No Connected App installation required — uses a session bookmarklet
- No managed package, no AppExchange listing, no code deployed to your org
- No Apex execution on your org
- No Flow execution on your org
- Session token held in server memory for 2 hours, never written to disk
- Stripe processes all payments — we never receive card details
Authentication Method
Impact Awareness uses a JavaScript bookmarklet that extracts the active Salesforce session token from your browser while you are logged in to Salesforce. This token is transmitted over HTTPS to the Impact Awareness server and held in server memory. It is equivalent in scope to any API call you would make as yourself — it does not grant elevated privileges beyond your own user profile.
The token is not logged, not written to disk, and expires from memory after 2 hours regardless of session activity.
API Calls Made
The tool queries the Salesforce Tooling API and Metadata API using standard REST calls. Specifically:
- Flow and FlowDefinition metadata (name, type, status, last modified)
- ApexTrigger metadata (name, object, status, body for reference detection only)
- ValidationRule metadata (name, object, error condition formula)
- CustomField metadata (formula fields, required flags, lookup relationships)
- WorkflowRule metadata (name, object, trigger type)
- ApprovalProcess metadata (name, object, entry criteria)
- DescribeSObject for object and field enumeration
No RecordType, ContentDocument, Attachment, or record-level API calls are made. No SOQL queries against record data are executed.
Network & Hosting
Impact Awareness runs on Replit Reserved VM infrastructure in the United States. All traffic is served over HTTPS with TLS 1.2+. No data is transmitted to third parties except Stripe (payment processing) and Google Analytics 4 (optional, user-consented, with sensitive parameters stripped).
Questions
For IT review questions or security documentation requests, email support@keelcadence.com. We respond within 1 business day.