Deplo

Security Questionnaire (Self-Assessment)

Standard answers for customer security reviews (CAIQ-style). Every answer below is drawn from the shipped product and public documentation; nothing is aspirational.

Last verified: July 2026. Questions or a signed DPA: security@getdeplo.com.

Company & product

QuestionAnswer
Who operates the service?Solo developer (Deplo). Launched July 2026.
What does the product do?Chrome extension for Salesforce admins (free direct-mode tools + paid AI features) and a companion web app.
Where is it hosted?Render (API), Vercel (web), Supabase (Postgres). All US regions.

Architecture & data flow

QuestionAnswer
Does the extension access our Salesforce org?Only from the user’s own browser, on the user’s own Salesforce session, with the user’s own permissions. The session ID is read per request, never persisted, never sent to Deplo.
Does Deplo hold Salesforce credentials?The extension: never. The web app (optional): OAuth tokens encrypted at rest with AES-256-GCM and key-rotation support.
What reaches Deplo’s servers?Only paid-AI-feature payloads: the specific metadata a user acts on (a formula, a flow, an access diff). Free tools make zero calls to Deplo. Documented per feature at getdeplo.com/security.
Is data sent to an LLM?Yes, for AI features only: Anthropic’s Claude via their commercial API. Contractually no training on inputs/outputs; ~30-day retention for abuse monitoring, then deletion. Anthropic publishes SOC 2 Type II and ISO 27001 at trust.anthropic.com.
Can the AI change our org?No. The AI produces text only. Writes are a separate, human-confirmed mode running in the user’s browser under the user’s permissions, restricted to an allowlist of request shapes, sandbox-first with production opt-in, with pre-write snapshots and one-click restore.

Data protection

QuestionAnswer
Encryption in transitTLS on all endpoints.
Encryption at restCredentials/tokens: AES-256-GCM (versioned keys, documented rotation procedure). AI conversations (Investigate): encrypted at rest. AI response cache: encrypted with request-derived keys; not browsable or bulk-decryptable by the operator.
RetentionAI cache 1–7 days. Investigate conversations: 90-day inactivity auto-delete, instant user deletion. Prompts never stored.
Data portabilitySelf-serve full workspace export (JSON), decrypted and secret-scrubbed.
Data deletionHard deletes, no soft-delete grace period on user-initiated deletion; account deletion removes workspace data within 30 days.

Access control & application security

QuestionAnswer
AuthenticationEmail/password (bcrypt) with TOTP two-factor authentication available; hashed server-side refresh tokens.
AuthorizationWorkspace-scoped tenancy on every query; role-based (admin/editor/viewer) checks on write endpoints.
Rate limitingGlobal and per-route API rate limits.
Prompt-injection controlsAll org-derived content is delimiter-wrapped as untrusted data in every AI prompt.
Extension supply chainManifest V3, no remote code, no eval; all JavaScript ships in the reviewed store package, unminified and auditable. Host permissions restricted to Salesforce domains + getdeplo.com.
Secrets managementEnvironment-level secrets (Render), never in the repository.

Monitoring, incidents, disclosure

QuestionAnswer
Error monitoringServer-side error tracking (Sentry). Extension crash reporting is opt-in, off by default, and scrubbed of identifiers before sending.
Incident responseDocumented at getdeplo.com/legal/security: acknowledge within 24h, triage within 72h; customer breach notification within 72h per the DPA.
Vulnerability disclosuresecurity@getdeplo.com; reporters credited on request.

Compliance status (honest)

QuestionAnswer
SOC 2 / ISO 27001Not yet. Single-operator company at launch scale. Roadmap: this questionnaire, published → independent penetration test → SOC 2 as revenue justifies.
DPAAvailable on request (public template at getdeplo.com/legal/dpa; lawyer-reviewed before execution).
Subprocessor listPublic at getdeplo.com/legal/security; 30 days’ notice for additions receiving customer data.
GDPRData-subject rights supported via self-serve export/deletion; SCCs incorporated in the DPA for EEA/UK transfers.
© 2026 Deplo. All rights reserved.