Security & Data Protection

Security measures and data protection policies for the Proff Connect API.

Proff Connect is built with a "Privacy by Design" approach. The following principles ensure that your data remains secure and that the integration is compliant with strict privacy regulations.


1. Authentication (BYOT - Bring Your Own Token)

  • Each customer supplies their own API token from Proff.
  • Tokens are stored using Salesforce Protected Custom Settings, making them invisible to users and admins.
  • Tokens are masked during validation and cannot be exported from the system.

2. Data Privacy & No Exfiltration

  • Proff Connect only sends minimal lookup values to the Proff API, such as organization numbers, search terms, and country filters.
  • No Salesforce record data, personally identifiable information (PII), or internal metadata is ever transmitted externally.

3. Read-Only & User-Driven Architecture

  • All external communication is GET-only. The application never writes, modifies, or "pushes" data to external services.
  • Standard actions (Search, Sync, Enrich) are always initiated by an explicit user interaction (e.g., clicking Search or Refresh). Two optional advanced features — Mass Update (batch synchronisation across many accounts) and Real-Time Changes (event-driven monitoring) — may run background batch jobs or scheduled processes when explicitly enabled and configured by an administrator.

4. Secure Communication

  • All communication with Proff's API uses encrypted HTTPS (TLS 1.2 or higher).
  • Unique Correlation IDs are used for all requests to ensure secure diagnostics without exposing data.

5. Logging & Transparency

  • Technical logs (endpoint names, status codes, and duration) are stored 100% within your Salesforce org.
  • The application never logs API tokens, authorization headers, or response bodies for successful calls.
  • Customers maintain full control over their own log retention policies.
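To make the token handling of section 1, the correlation IDs of section 4 and the logging rules of section 5 concrete, the following Apex sketch shows how a callout layer with those properties can be written. It is an added illustration, not Proff Connect's own code: the custom setting `ProffConnectSettings__c`, the log object `Proff_Log__c`, the `X-Correlation-ID` header and the base URL are placeholder names chosen for this example.

```apex
// Added illustration of the security properties described above; not Proff Connect's code.
// All names marked "hypothetical" are assumptions made for this example.
public with sharing class ProffCalloutExample {

    // Placeholder base URL; the real endpoint is configured by the product, not shown here.
    private static final String BASE_URL = 'https://example.invalid/proff'; // hypothetical

    // BYOT: the customer's own token lives in a protected custom setting (hypothetical name).
    // A protected setting in a managed package is not readable or exportable by the subscriber org.
    private static String getToken() {
        ProffConnectSettings__c s = ProffConnectSettings__c.getOrgDefaults(); // hypothetical setting
        if (s == null || String.isBlank(s.ApiToken__c)) {                       // hypothetical field
            throw new CalloutException('No Proff API token configured');
        }
        return s.ApiToken__c;
    }

    // Masked form shown during token validation: the full secret is never rendered in the UI.
    public static String mask(String token) {
        if (token == null) return '';
        Integer keep = 4;
        if (token.length() <= keep) return '*'.repeat(token.length());
        return '*'.repeat(token.length() - keep) + token.right(keep);
    }

    // Per-request correlation id: random bytes rendered as hex, carrying no customer data.
    private static String newCorrelationId() {
        return EncodingUtil.convertToHex(Crypto.generateAesKey(128));
    }

    // Builds "?k=v&k2=v2" from the minimal lookup values (organisation number, search term, country).
    private static String toQuery(Map<String, String> params) {
        if (params == null || params.isEmpty()) return '';
        List<String> parts = new List<String>();
        for (String k : params.keySet()) {
            parts.add(EncodingUtil.urlEncode(k, 'UTF-8') + '=' + EncodingUtil.urlEncode(params.get(k), 'UTF-8'));
        }
        return '?' + String.join(parts, '&');
    }

    // GET-only lookup. Nothing from Salesforce records is placed in the request.
    public static HttpResponse lookup(String path, Map<String, String> queryParams) {
        String correlationId = newCorrelationId();
        HttpRequest req = new HttpRequest();
        req.setMethod('GET');
        req.setEndpoint(BASE_URL + path + toQuery(queryParams));
        req.setHeader('Authorization', 'Bearer ' + getToken());
        req.setHeader('X-Correlation-ID', correlationId); // hypothetical header name
        req.setTimeout(20000);

        Long started = System.currentTimeMillis();
        Integer status = null;
        try {
            HttpResponse res = new Http().send(req);
            status = res.getStatusCode();
            return res;
        } finally {
            // Log endpoint name, status, duration and correlation id only: never the
            // Authorization header, the token or the response body of a successful call.
            writeLog(path, status, System.currentTimeMillis() - started, correlationId);
        }
    }

    // Hypothetical custom object; it stays inside the customer's org under their own retention policy.
    private static void writeLog(String endpointName, Integer status, Long durationMs, String correlationId) {
        insert new Proff_Log__c(
            Endpoint__c       = endpointName,
            Status_Code__c    = status,
            Duration_Ms__c    = durationMs,
            Correlation_Id__c = correlationId
        );
    }
}
```

The point of the structure is that the token is touched in exactly one place (`getToken`), is only ever written to an outbound header, and never reaches the log record; the correlation id is the only value shared between the request and the log, so a support engineer can match a failed call to a server-side trace without any customer data leaving the org.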

6. GDPR & Compliance

  • The solution retrieves only publicly available business information.
  • Users choose exactly which data points to store in their Salesforce objects (Account, Lead, Contact).
  • No external system or third party has access to your Salesforce data, ensuring full compliance with GDPR and internal security frameworks (CRUD/FLS/Sharing).