Security Questionnaire (Self-Assessment)
Standard answers for customer security reviews (CAIQ-style). Every answer below is drawn from the shipped product and public documentation; nothing is aspirational.
Last verified: July 2026. Questions or a signed DPA: security@getdeplo.com.
Company & product
| Question | Answer |
|---|---|
| Who operates the service? | Solo developer (Deplo). Launched July 2026. |
| What does the product do? | Chrome extension for Salesforce admins (free direct-mode tools + paid AI features) and a companion web app. |
| Where is it hosted? | Render (API), Vercel (web), Supabase (Postgres). All US regions. |
Architecture & data flow
| Question | Answer |
|---|---|
| Does the extension access our Salesforce org? | Only from the user’s own browser, on the user’s own Salesforce session, with the user’s own permissions. The session ID is read per request, never persisted, never sent to Deplo. |
| Does Deplo hold Salesforce credentials? | The extension: never. The web app (optional): OAuth tokens encrypted at rest with AES-256-GCM and key-rotation support. |
| What reaches Deplo’s servers? | Only paid-AI-feature payloads: the specific metadata a user acts on (a formula, a flow, an access diff). Free tools make zero calls to Deplo. Documented per feature at getdeplo.com/security. |
| Is data sent to an LLM? | Yes, for AI features only: Anthropic’s Claude via their commercial API. Contractually no training on inputs/outputs; ~30-day retention for abuse monitoring, then deletion. Anthropic publishes SOC 2 Type II and ISO 27001 at trust.anthropic.com. |
| Can the AI change our org? | No. The AI produces text only. Writes are a separate, human-confirmed mode running in the user’s browser under the user’s permissions, restricted to an allowlist of request shapes, sandbox-first with production opt-in, with pre-write snapshots and one-click restore. |
Data protection
| Question | Answer |
|---|---|
| Encryption in transit | TLS on all endpoints. |
| Encryption at rest | Credentials/tokens: AES-256-GCM (versioned keys, documented rotation procedure). AI conversations (Investigate): encrypted at rest. AI response cache: encrypted with request-derived keys; not browsable or bulk-decryptable by the operator. |
| Retention | AI cache 1–7 days. Investigate conversations: 90-day inactivity auto-delete, instant user deletion. Prompts never stored. |
| Data portability | Self-serve full workspace export (JSON), decrypted and secret-scrubbed. |
| Data deletion | Hard deletes, no soft-delete grace period on user-initiated deletion; account deletion removes workspace data within 30 days. |
Access control & application security
| Question | Answer |
|---|---|
| Authentication | Email/password (bcrypt) with TOTP two-factor authentication available; hashed server-side refresh tokens. |
| Authorization | Workspace-scoped tenancy on every query; role-based (admin/editor/viewer) checks on write endpoints. |
| Rate limiting | Global and per-route API rate limits. |
| Prompt-injection controls | All org-derived content is delimiter-wrapped as untrusted data in every AI prompt. |
| Extension supply chain | Manifest V3, no remote code, no eval; all JavaScript ships in the reviewed store package, unminified and auditable. Host permissions restricted to Salesforce domains + getdeplo.com. |
| Secrets management | Environment-level secrets (Render), never in the repository. |
Monitoring, incidents, disclosure
| Question | Answer |
|---|---|
| Error monitoring | Server-side error tracking (Sentry). Extension crash reporting is opt-in, off by default, and scrubbed of identifiers before sending. |
| Incident response | Documented at getdeplo.com/legal/security: acknowledge within 24h, triage within 72h; customer breach notification within 72h per the DPA. |
| Vulnerability disclosure | security@getdeplo.com; reporters credited on request. |
Compliance status (honest)
| Question | Answer |
|---|---|
| SOC 2 / ISO 27001 | Not yet. Single-operator company at launch scale. Roadmap: this questionnaire, published → independent penetration test → SOC 2 as revenue justifies. |
| DPA | Available on request (public template at getdeplo.com/legal/dpa; lawyer-reviewed before execution). |
| Subprocessor list | Public at getdeplo.com/legal/security; 30 days’ notice for additions receiving customer data. |
| GDPR | Data-subject rights supported via self-serve export/deletion; SCCs incorporated in the DPA for EEA/UK transfers. |