Security Overview

Last updated: January 9, 2026

Product: CanonBridge

Company: CanonBridge

At CanonBridge, security is a foundational principle of our product design. CanonBridge is built to operate entirely within your infrastructure — giving your team full control over data, access, monitoring, and compliance.

This page outlines the key security characteristics of CanonBridge and the responsibilities of both your organization and ours.

1. Self-Hosted, Customer-Controlled Deployment

CanonBridge is deployed inside your cloud environment (e.g., Azure, AWS, or GCP) and runs fully under your governance. This means:

We never store, transmit, or access your Salesforce data

All data flows from Salesforce → CanonBridge → your internal applications within your network boundary.

No traffic flows through our servers

Canonical data transformations, event processing, metadata syncs, and logs remain entirely inside your systems.

You choose the hosting model

Typical deployments include:

  • Azure Function App
  • AWS ECS or EKS
  • GCP Cloud Run

You have full control over:

  • Identity & access management
  • Network policies
  • Storage encryption
  • Monitoring and logging
  • Backup and retention policies

2. No Customer Credentials Are Stored by Us

Your Salesforce credentials, access tokens, secrets, and environment variables are:

  • Never transmitted to CanonBridge
  • Never stored on our servers
  • Never accessible by us in any form

Your team configures these securely in your environment using:

  • Azure Key Vault
  • AWS Secrets Manager
  • GCP Secret Manager

CanonBridge reads credentials at runtime inside your environment only.

3. Data Security Inside Your Environment

Because CanonBridge is self-hosted, all data processing is governed by your internal policies.

Encryption

  • All traffic to Salesforce uses TLS 1.2+
  • Internal service communication follows your cloud provider's encryption posture
  • Cache and database layers remain within your private network

Network Isolation

  • CanonBridge supports VNet/VPC integration
  • It can run behind private endpoints
  • No public inbound access is available unless you configure it

Logging & Observability

You control:

  • Log retention
  • Log destinations (e.g., CloudWatch, Application Insights)
  • Access to logs via your IAM
  • SIEM integrations (Splunk, Sentinel, Datadog)

4. Least Privilege Salesforce Access

CanonBridge is designed around minimal Salesforce permissions. You choose what to grant.

Typical recommended permissions:

  • Read access to metadata (for schema diffing)
  • CRUD access only to required SObjects
  • Optional permission sets for event ingestion (CDC, Platform Events)

No elevated or administrative privileges are required.

5. No Data Collection by Us

We do not collect or receive:

  • Salesforce data
  • Metadata
  • Logs
  • Usage analytics (unless opt-in)
  • API events
  • Diagnostic traces
  • Customer credentials

The only information we ever receive is:

  • Contact information you voluntarily provide for support
  • Optional diagnostic error messages you choose to share

6. Software Supply Chain & Code Security

To ensure the integrity of CanonBridge releases:

Signed, versioned build artifacts

All releases are published with version tagging so customers can verify authenticity.

No remote dependencies at runtime

CanonBridge does not call out to any CanonBridge endpoints after deployment.

Industry-standard development practices

  • Source control protection
  • Code reviews
  • Dependency scanning
  • Static analysis
  • Secure build pipelines
  • Vulnerability patching lifecycle

7. Customer Responsibilities

Because you host CanonBridge, you maintain control over:

Your infrastructure security:

  • Access controls
  • Network restrictions
  • Storage policies
  • OS/container security
  • Backup/restore procedures
  • Monitoring

Your Salesforce permissions:

  • API user configuration
  • Access scopes
  • IP restrictions / OAuth policies

Your runtime environment:

  • Updating versions
  • Applying patches
  • Securing secrets

This model gives you the maximum level of control and minimizes third-party exposure.

8. Our Responsibilities

We provide:

  • Secure, tested software releases
  • Vulnerability disclosures & patch guidance
  • Implementation guidance and best practices
  • Technical support (if included in your plan)
  • Architectural recommendations for secure deployment

We do not access or manage your environment unless you explicitly grant temporary access (e.g., during consulting engagements).

9. Compliance Support

While CanonBridge itself is not a SaaS and does not process or store customer data, the architecture supports your compliance obligations (e.g., SOC 2, ISO 27001, GDPR, HIPAA) by ensuring:

  • All data remains inside your infrastructure
  • No personally identifiable information (PII) leaves your environment
  • No external data processors (including us) receive your data

Many organizations in regulated industries run CanonBridge under their existing controls.

10. Contact & Security Reporting

If you have security questions or would like details on secure deployment architecture:

CanonBridge
Email: security@canonbridge.com
Website: https://canonbridge.com/

To report a potential vulnerability, please contact us directly. We appreciate responsible disclosure.