Geopointe

Data Security Practices

This document explains how the Geopointe application handles our customer’s data in order to deliver the functionality we offer.

Common Principles

Common principles that Geopointe adheres to are…

  • Geopointe runs natively in your Salesforce system, not on Geopointe servers.
  • Geopointe adheres to Salesforce’s data security model. A Geopointe user is only able to map data they have been given access to through the Salesforce Sharing Model. If a user cannot see a record in Salesforce, they cannot map it in Geopointe.
  • Geopointe adheres to Salesforce’s field-level security model. A Geopointe user is unable to see fields they would not otherwise see in the application.
  • All mappable data and geocode data is stored in, and stays in, your Salesforce system. With the exception of any items documented below, data does not leave a Geopointe customer’s Salesforce system. Explicit Administrator action is always required before data leaves Salesforce.com.

External Services

In order for Geopointe to fully operate, it must communicate with external services. Those services are listed below. All external URLs that Geopointe communicates with are also set up as Remote Site Settings, which you can find at Setup | Security | Remote Site Settings in Salesforce.

All communication with external services is always performed over an https connection using the latest TLS protocol, currently 1.2.

Endpoint URL                          Description
https://arrowpointe.secure.force.com  Arrowpointe’s Salesforce system
https://api.geopointe.io              Geopointe API endpoint
https://www.googleapis.com            Google web services endpoint for many APIs
https://maps.google.com               Google Maps website
https://maps.googleapis.com           Google Maps web services endpoint for APIs
https://api.mixpanel.com              MixPanel API endpoint
https://salesforce.spatialkey.com     SpatialKey API endpoint built in partnership with Geopointe

The Geopointe Master Services Agreement further discusses our legal relationship with these 3rd parties as needed.

arrowpointe.secure.force.com

Geopointe customers’ Salesforce systems communicate with Arrowpointe’s Salesforce system for a few reasons.

  • The Geopointe Setup page has an Organization Settings section where our customers can input contact information and other preferences. This information is sent to Arrowpointe’s system for support purposes.
  • Select customer settings and Map Object configurations are sent back for the purposes of helping us understand how the application is being used. This helps especially for support purposes, but also helps us understand how the application features are being used.
  • Upon completion of each Geocoding job, metrics for the job are sent to Arrowpointe. These include the number of records processed, the number of records geocoded, the number of successes, the number of failures, and the failure reasons. We use this information to track geocoding usage and also to proactively follow up with customers having issues. Detailed information about the actual records being geocoded is not communicated back to us.


api.geopointe.io

As Geopointe has matured, it has required us to build our own APIs to provide services to our customers. This URL must be reachable from your company network. We have submitted this URL to the major players in the corporate firewall space, but it could not hurt to whitelist this URL on your firewall if you have a whitelist policy. We use https://api.geopointe.io as this endpoint. We currently use this endpoint for the following purposes:

  • The Map Markers for the map are generated by our servers to allow us to provide a rich library of options. This communication takes place from the client browser.
  • Geopointe provides a library of boundary data that is usable from within the map and in our automated assignment features. In both cases, communications are made to our API to retrieve the detailed boundary data. When these boundaries are saved in customer systems, only a reference to our library is saved, not the actual boundaries themselves.
  • Demographics data is delivered through this endpoint. A Geopointe system makes a request to this endpoint and the API responds in the form of map tile images that overlay the Google Map in the browser.
  • For customers using our old Static Map API, we provide these images through this endpoint.
  • Geopointe's geocoding operations occur through this endpoint. We then geocode your data with Google.

Most customers have questions about the data sent out for a geocode. Geopointe contains a batch process that communicates with this endpoint to obtain geocodes (latitude and longitude) for address data. No information that identifies the Geopointe customer is sent, and the customer data that is communicated is limited to the address and the record ID from which it came.

A typical request looks like the following:

[{
    "address": {
        "street": "123 Main St",
        "city": "Philadelphia",
        "postalCode": "19107",
        "stateProvince": "PA",
        "country": "US"
    },
    "properties": {
        "recordId": "0011400001eJBQM"
    }
}]

Geopointe communicates this information in batches of 200 records at a time unless the customer has configured a different limit.
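The batching and data-minimisation behaviour described above, as an added example that is not Geopointe's own code: it shapes Salesforce-style records into the request elements shown, splits them into batches of 200, and includes a defender-side check that nothing beyond the address and record Id is in the payload. The Account Billing* field mapping is an assumption; Geopointe's actual field configuration is set by the admin.

```python
import json

# Added example, not Geopointe's code. It ASSUMES the address comes from the
# standard Account Billing* fields; Geopointe's real field mapping is configurable.
ADDRESS_FIELDS = {
    "BillingStreet": "street",
    "BillingCity": "city",
    "BillingPostalCode": "postalCode",
    "BillingState": "stateProvince",
    "BillingCountry": "country",
}
DEFAULT_BATCH_SIZE = 200  # the page's default batch size


def geocode_item(record: dict) -> dict:
    """Shape one record like the request on the page: address + recordId only."""
    return {
        "address": {api: record.get(sf) for sf, api in ADDRESS_FIELDS.items()},
        "properties": {"recordId": record["Id"]},
    }


def geocode_batches(records: list, batch_size: int = DEFAULT_BATCH_SIZE) -> list:
    """Split the minimised items into batches of at most batch_size."""
    items = [geocode_item(r) for r in records]
    return [items[i:i + batch_size] for i in range(0, len(items), batch_size)]


def unexpected_keys(batch: list) -> set:
    """Defender-side check: any key beyond the documented ones means the
    payload carries more than the address and the record Id."""
    allowed_addr = set(ADDRESS_FIELDS.values())
    bad = set()
    for item in batch:
        bad |= set(item) - {"address", "properties"}
        bad |= set(item.get("address", {})) - allowed_addr
        bad |= set(item.get("properties", {})) - {"recordId"}
    return bad


# Constructed sample: 450 accounts carrying fields that must NOT be sent.
SAMPLE_ACCOUNTS = [
    {"Id": f"001CONSTRUCTED{i:04d}", "Name": f"Customer {i}", "Phone": "555-0100",
     "AnnualRevenue": 45666, "BillingStreet": "123 Main St", "BillingCity": "Philadelphia",
     "BillingPostalCode": "19107", "BillingState": "PA", "BillingCountry": "US"}
    for i in range(450)
]

if __name__ == "__main__":
    batches = geocode_batches(SAMPLE_ACCOUNTS)
    print(len(batches), [len(b) for b in batches])   # 3 [200, 200, 50]
    print(json.dumps(batches[0][0], indent=2))
    print("unexpected keys:", unexpected_keys(batches[0]))   # set()
```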


www.googleapis.com

Google offers a number of APIs and most of them are hosted under this domain. Geopointe uses this domain to communicate to those APIs offered by Google.


maps.googleapis.com

Google offers a number of Mapping APIs and most of them are hosted under this domain. Geopointe uses this domain to communicate to those Mapping APIs offered by Google.


www.mapquestapi.com

This endpoint has been deprecated from use in Geopointe.


api.mixpanel.com

A service called MixPanel (mixpanel.com) is used for tracking application feature usage. This is primarily done to understand how users are interacting with the user interface, what features are being used and how often. This provides us input into our roadmap and user experience design.


salesforce.spatialkey.com

Disabled by default. This feature requires a special license from Geopointe before it is enabled. Admins must then also assign these Licenses to specific users before any data leaves Salesforce.com.

After Geopointe Analytics is licensed by the Geopointe customer, it provides a mechanism for pushing data to a 3rd party geo-analytics service, SpatialKey (www.spatialkey.com). This transmission is done via the Salesforce servers at the request of a licensed Salesforce user. This transmission is performed over an https connection using OAuth 2.0 for authentication. Prior to utilizing this feature, the Geopointe customer is made aware that their data will leave Salesforce.

When Geopointe Analytics is enabled, an equivalent org record is created on the SpatialKey servers that includes the Salesforce Org name and Id. A secret OAuth 2.0 refresh token is returned to the Geopointe application. This token is stored in a Protected Custom Setting and is not accessible to any users or apps other than the Geopointe application.

Data is exported with an Apex Batch Job invoked by a specific user. This Batch job runs with the user's permissions (Apex code keyword `with sharing`) and will only send data to SpatialKey that the given user has access to. We also validate all Field Level Security access. At the start of the batch job, the process also uses the SpatialKey secret refresh token with OAuth 2.0 to generate a temporary access token to be used for the duration of the data sync. This ensures the data being sent from the Salesforce org can only be sent to the matching SpatialKey org.

Once data is sent to SpatialKey, a user can launch the SpatialKey application. During this process the SpatialKey access token is used to generate a temporary, short-lived user access token using OAuth 2.0 to ensure only users of the Salesforce org can access the equivalent SpatialKey org. Once inside the SpatialKey application, a user can only see data they have synced, matching their Salesforce.com record visibility.


KML Hosting

Geopointe provides the ability to add KML files to the map. When creating a new KML Layer, the user is prompted to upload the KML file. This file is uploaded to and hosted on Geopointe servers. The file is encrypted with a randomly generated, customer-provided AES-256 encryption key that is stored in a Protected Custom Setting. Geopointe has no way to access or view the content of the uploaded file. Only your company can access the file with the provided key, which is an automatic process when using the Geopointe application.


Thematic Layers

Disabled by default. This feature requires Geopointe to send data outside of Salesforce, so it is disabled by default. An Admin must opt in and enable this feature before any data is sent outside of Salesforce.com.

Thematic Layers allow you to aggregate, group, and color your Salesforce data by geographic regions. This is a very computationally intensive operation that cannot be performed on the Salesforce.com platform due to technical limitations. It requires us to send some of your data outside of Salesforce.com to Geopointe servers. The data sent to Geopointe servers is as follows:
  • Organization Id
  • Record Id
  • Latitude and Longitude coordinates of records used in the thematic layer.
  • Numeric field values used for the thematic map.
  • Obfuscated numeric field labels.
For example, if a Data Set is syncing Account data that has two numeric fields of Revenue ($45,666) and Number of Employees (4), it would look like the following when stored on Geopointe servers.
{
    "orgId": "00Qa00000161PKa",
    "recordId": "00Qa00000161PKa",
    "876573454": 45666,
    "127489962": 4
}
The data exported from Salesforce is configured by the Geopointe Data Set that drives the Thematic map. Only records returned by these Data Sets will be exported to Geopointe Servers. Field names for aggregated data are stored with a key value of a one-way hash generated on the Salesforce.com side, unique to properties of that Salesforce Org. This provides some level of obfuscation as to what exactly the values of "45666" and "4" represent. All data is stored in a database on AWS servers that is encrypted at rest using an AES-256 key. Data is stored in a multi-tenant database.
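The exported record shape and the label obfuscation described above, as an added example that is not Geopointe's own code. The page does not give the hash scheme, so an HMAC-SHA256 keyed with an org-specific secret and reduced to a 9-digit decimal key is assumed here; the sample Account, org Ids and secrets are constructed. The check at the end shows the property a reviewer would want: the same label maps to a stable key within one org, a different key in another org, and the label itself never appears in the payload.

```python
import hashlib
import hmac

# Added example, not Geopointe's code. The page says field labels are replaced by a
# one-way hash "unique to properties of that Salesforce Org" but not how; an
# HMAC-SHA256 keyed by an org-specific secret, reduced to a 9-digit key like the
# ones on the page, is ASSUMED here.


def obfuscate_label(label: str, org_secret: bytes) -> str:
    """One-way, org-specific key for a field label (assumed scheme)."""
    digest = hmac.new(org_secret, label.encode("utf-8"), hashlib.sha256).digest()
    return str(int.from_bytes(digest[:8], "big") % 1_000_000_000)


def build_thematic_record(org_id: str, record: dict, numeric_fields: list, org_secret: bytes) -> dict:
    """Only what the page lists leaves Salesforce: org Id, record Id, coordinates,
    and the numeric values stored under obfuscated labels."""
    out = {
        "orgId": org_id,
        "recordId": record["Id"],
        "latitude": record["Latitude"],
        "longitude": record["Longitude"],
    }
    for field in numeric_fields:
        out[obfuscate_label(field, org_secret)] = record[field]
    return out


def leaked_labels(payload: dict, numeric_fields: list) -> set:
    """Defender-side check: numeric field labels that appear verbatim as keys."""
    return set(numeric_fields) & set(payload)


# Constructed sample: one Account with two numeric fields, as in the page's example.
SAMPLE_ACCOUNT = {"Id": "001CONSTRUCTED0001", "Name": "Acme Corp",
                  "Latitude": 39.95, "Longitude": -75.16,
                  "Revenue": 45666, "NumberOfEmployees": 4}
ORG_A_SECRET = b"constructed-secret-for-org-A"  # in practice derived from org properties
ORG_B_SECRET = b"constructed-secret-for-org-B"

if __name__ == "__main__":
    fields = ["Revenue", "NumberOfEmployees"]
    rec_a = build_thematic_record("00DCONSTRUCTEDORGA", SAMPLE_ACCOUNT, fields, ORG_A_SECRET)
    print(rec_a)  # numeric values appear under 9-digit keys, never under "Revenue"
    print("leaked labels:", leaked_labels(rec_a, fields))  # set()
    print("same label differs across orgs:",
          obfuscate_label("Revenue", ORG_A_SECRET) != obfuscate_label("Revenue", ORG_B_SECRET))
```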

The data export can be scheduled with an Apex Batch job, manually invoked on the Map page, or automatically invoked if a User tries to add a Thematic Layer to the map and the data for that Thematic Layer has not yet been synced or is out of date (older than 24 hours) on the Geopointe external servers. All of these approaches execute an Apex Batch job that queries the data as defined by the Data Set on the Thematic Map, and then sends the data to Geopointe servers over an authenticated https connection. The external Geopointe Servers use Bearer Authentication with a secret token to ensure the request originates from a trusted source, in this case the Geopointe application on Salesforce.com.