Security guide · Data scope

A CRM mirror should carry only the data the application can justify reading.

Security starts before the connection is configured. Define the product use case, limit the source identity, choose fields deliberately, and put the worker in the network boundary that matches the destination database.

PrincipleLeast privilege at the Salesforce object/field level and in the destination database
ScopeExplicit selected objects and fields—not a default full-org replication
EvidenceOperational logs, mapping history, and reconciliation results that explain what happened

Start with the reason a local row is needed.

Data minimization becomes practical when each field has a product reason. An account identifier and entitlement status may be necessary for a customer portal; a full Contact record might not be. Write down the application behavior, objects, fields, and retention expectation before setting up any source access.

This exercise also creates a cleaner mapping and simpler incident response. If a field is not needed for the application workflow, do not make it part of the mirror simply because it is available in Salesforce.

Use dedicated, least-privilege identities.

Run the sync with a dedicated Salesforce integration user rather than a personal administrator account. Grant only the selected object and field permissions, and validate the mapping under that identity. Do the same in the destination database: the worker should have access only to the mirror schema and the statements it needs to apply the sync.

01

Source: dedicated Salesforce integration user with the minimum selected-object and field permissions.

02

Destination: dedicated database user restricted to the mirror schema or tables.

03

Secrets: store credentials in the existing secret manager; rotate them through a tested runbook.

04

Review: revisit object/field scope when the application use case changes.

Put the worker where the destination is allowed to be.

For a cloud database with approved access, a managed connector may be the simplest path. For a private VPC, private subnet, or on-premises destination, run the worker inside the customer network. The worker can initiate outbound connections while the database remains off the public internet.

Private deployment is an architectural choice, not a security slogan.

Document the actual egress destinations, database path, encryption requirements, and runtime owner. A worker in a private network still needs observability, patching, and a recovery plan.

Make the data path explainable.

Keep a useful activity record: connection configuration changes, mapped objects, source access failures, worker health, replay position, failed records, and reconciliation outcomes. This is not merely an audit feature—it gives the application and platform teams a way to answer why a local row is missing, stale, or different.

Do not place field values or work-email addresses into product analytics events. Track the operational shape of the sync—lag, counts, error categories, and consented conversion events—without turning analytics into another replica of CRM data.

Security checklist

01

Write the use case: tie every mapped object and field to an application behavior.

02

Limit identities: dedicated source and destination users with minimum privileges.

03

Protect transport and storage: use the encryption and secret-management controls your environment already requires.

04

Keep the destination private when needed: use a customer-network worker and outbound connectivity.

05

Retain evidence: mapping change history, sync health, failed-record context, and reconciliation outcomes.

Need to scope a private CRM mirror?

We can work from your application use case and network diagram to define the smallest safe first mapping.

Discuss the boundary