Flosum DevOps Security Statement

Overview

Flosum DevOps is a comprehensive Salesforce-based Application Lifecycle Management solution designed specifically for the Salesforce.com platform. DevOps manages development processes from requirements planning through to deployment into production. As a native Salesforce.com application, DevOps promotes governance, compliance, and rapid innovation in the successful delivery of software.

This document provides a brief overview of Flosum DevOps' security approach. It is intended for security architects and experts evaluating critical application lifecycle management (ALM) solutions in their Salesforce environments.


Relationship Between Salesforce and Flosum DevOps

Flosum DevOps has an OEM relationship with Salesforce. For every customer, Flosum procures a brand-new organization (instance) with the relevant Salesforce licenses to run the DevOps application, which is a Salesforce-native managed package.

All customers who procure Flosum DevOps already have access to Salesforce. All security, data center, infrastructure, business continuity, disaster recovery, and availability policies applicable to your existing Salesforce organization(s) apply to the Flosum DevOps organization, which is a Salesforce Enterprise Edition org—hereafter referred to as the Flosum DevOps Governance Organization.

This Flosum DevOps Governance Organization is similar to your existing production organization, which you have directly procured from Salesforce to run your business applications, such as Sales Cloud, Service Cloud, or your custom application.

The Flosum DevOps Governance Organization is also completely hosted by Salesforce and can only be accessed from your corporate network. Once it is handed over to your administrators, Flosum will no longer have access to or be able to modify it.

Physical security: The security treatment provided to your Flosum DevOps Governance Organization is the same as that of the Salesforce org architecture.

Flosum Trust Center is an extension package to Flosum DevOps, and as such, all security, data center, infrastructure, business continuity, disaster recovery, and availability policies applicable to your existing Salesforce organization are also applicable to Trust Center. Flosum employees and personnel are unable to access the application or its data.


Architecture

Flosum DevOps is only used by Salesforce customers. Customers who do not use Salesforce cannot use Flosum.

Flosum is completely built on Salesforce’s Force.com platform. DevOps does not have any other servers or data center footprint. Flosum, the company, does not maintain any servers. Salesforce completely hosts the Flosum DevOps (Managed Package) application. Customers control who has access to specific pieces of data within the application. Flosum employees and personnel are unable to access the application or its data.


Security Review

Most customers spend significant time reviewing the security of the Salesforce platform as part of their technical due diligence. All the work a customer does to assess the security of the Salesforce platform also applies to Flosum DevOps as a native application. This is because DevOps is wholly built on the Salesforce platform and operates within the customer’s Salesforce environment.


Hardening the Platform Further

Flosum recommends leveraging Salesforce's comprehensive security best practices to further enhance the platform's security, including the Flosum DevOps application.


User Provisioning

Since the customer completely controls the Flosum DevOps Governance Organization (a Salesforce production-level organization), and Flosum personnel do not have access, the customer is responsible for provisioning new users within the application. The customer has complete control over user access management. As such, Salesforce's platform settings govern password policy management, and these can be overridden by your single sign-on infrastructure.


Integration with Single Sign-On

Most customers use a corporate single sign-on solution that stores passwords for all applications and provides a single front-end interface for logging in to all applications at once. Customers can choose to integrate with their corporate single sign-on solution just as they have for the production Salesforce instance.


Compliance

Flosum is compliant with all certifications and compliances attested by the Salesforce platform, including ISO 27001/27018, SSAE 16/ISAE 3402 SOC-1, SOC 2, SOC 3, PCI-DSS, TRUSTe Certified Privacy Seal, CSA STAR, and more.


Trust, Availability, and Business Continuity Plans

Flosum DevOps is completely built on the Salesforce platform; the same Service Level Agreements (SLAs) for availability, business continuity, and disaster recovery that apply to your Salesforce production organization also apply to the Flosum DevOps Governance Organization.


Change Management and Upgrade Process

Flosum releases software upgrades several times a year. Some releases are minor, while others are major. Almost every release has new features and enhancements, and supports the latest Metadata API.

Here is how it works:

Flosum will provide digital communications to inform customers about upcoming upgrades. Customers are expected to prepare for each upgrade, just as they would for any Salesforce seasonal release. Customers should request that the DevOps managed package first be upgraded in a Salesforce Sandbox organization for testing.

With every upgrade, the new features and enhancements will be shared through our Success Portal and digital communications. The DevOps Managed Package upgrades occur two weeks after Salesforce completes rolling out its seasonal release to all customers. The primary reason is to ensure that all Salesforce and Flosum DevOps production and sandbox organizations are on the latest release before the DevOps Managed Package and Metadata API release.

Flosum also carefully avoids scheduling an upgrade that would interfere with the customer’s internal deployment schedules. As a result, upgrades are only carried out with the customer's complete and informed consent. Flosum recommends not requesting upgrades two weeks before or after internal deployments.


Data Management

The data in the customer’s application is fully hosted within Salesforce's infrastructure. This is the same infrastructure that the Salesforce production organization uses to host the customer’s Salesforce business application.

Flosum Trust Center is an extension package to Flosum DevOps. Flosum employees and personnel are unable to access the application or its data.


Incident Management

Flosum provides a dedicated support portal to manage customer incidents. Customers can create their login and account and submit incidents through the portal.


Logging and Monitoring

Any logging or monitoring policies or practices used with a customer’s Salesforce production organization are also applicable to and used with the Flosum DevOps Governance organization.


System Development Life Cycle

Flosum utilizes a comprehensive software development lifecycle to facilitate ongoing application development, enhancement, and improvement.

Flosum utilizes Jira to capture all requirements from the Flosum product team. Flosum utilizes Salesforce Service Cloud to capture incidents and new customer feature requests. Flosum uses its own product internally for application lifecycle management. Flosum has a robust team of quality assurance engineers to ensure the application is well tested.
