Data Security Practices

This document explains how the Geopointe application handles our customers’ data in order to deliver the functionality we offer.

Common Principles

Common principles that Geopointe adheres to are…

  • Geopointe runs natively in your Salesforce system, not on Geopointe servers.
  • Geopointe adheres to Salesforce’s data security model. A Geopointe user is only able to map data they have been given access to through the Salesforce Sharing Model. If a user cannot see a record in Salesforce, they cannot map it in Geopointe.
  • Geopointe adheres to Salesforce’s field-level security model. A Geopointe user is unable to see fields they would not otherwise see in the application.
  • All mappable data and geocode data is stored in, and stays in, your Salesforce system. With the exception of any items documented below, data does not leave a Geopointe customer’s Salesforce system. Explicit Administrator action is always required before data leaves

External Services

In order for Geopointe to fully operate, it must communicate with external services. Those services are listed below. All external URLs that Geopointe communicates with are also set up as Remote Site Settings, which you can find at Setup | Security | Remote Site Settings in Salesforce.

All communication with external services is always performed over an https connection using the latest TLS protocol, currently 1.2.

Endpoint URL    Description
                Arrowpointe’s Salesforce system
                Geopointe API endpoint
                Google web services endpoint for many APIs
                Google Maps website
                Google Maps web services endpoint for APIs
                MixPanel API endpoint
                SpatialKey API endpoint built for in partnership with Geopointe

The Geopointe Master Services Agreement further discusses our legal relationship with these 3rd parties as needed.

Geopointe customers’ Salesforce systems communicate with Arrowpointe’s Salesforce system for a few reasons.

  • The Geopointe Setup page has an Organization Settings section where our customers can input contact information and other preferences. This information is sent to Arrowpointe’s system for support purposes.
  • Select customer settings and Map Object configurations are sent back for the purposes of helping us understand how the application is being used. This helps especially for support purposes, but also helps us understand how the application features are being used.
  • Upon completion of each Geocoding job, metrics for the job are sent to Arrowpointe. These include the number of records processed, number of records geocoded, number of successes, number of failures, and failure reasons. We use this information to track geocoding usage and to proactively follow up with customers having issues. Detailed information about the actual records being geocoded is not communicated back to us.

As Geopointe has matured, it has required us to build our own APIs to provide services to our customers. This URL must be available on your company network. We have submitted this URL to the major players in the corporate firewall space, but it could not hurt to whitelist this URL on your firewall if you have a whitelist policy. We use as this endpoint. We currently use this endpoint for the following purposes:

  • The Map Markers for the map are generated by our servers to allow us to provide a rich library of options. This communication takes place from the client browser.
  • Geopointe provides a library of boundary data that is usable from within the map and in our automated assignment features. In both cases, communications are made to our API to retrieve the detailed boundary data. When these boundaries are saved in customer systems, only a reference to our library is saved, not the actual boundaries themselves.
  • Demographics data is delivered through this endpoint. A Geopointe system makes a request to this endpoint and the API responds in the form of map tile images that overlay the Google Map in the browser.
  • For customers using our old Static Map API, we provide these images through this endpoint.
  • Geopointe's geocoding operations occur through this endpoint. We then geocode your data with Google.

Most customers have questions about the data sent out for a geocode. Geopointe contains a batch process that communicates with this endpoint to obtain geocodes (latitude and longitude) for address data. No information that identifies the Geopointe customer is sent, and the customer data that is communicated is limited to the address and the record ID from which it came.

A typical request looks like below.

        {
            street: '123 Main St',
            city: 'Philadelphia',
            postalCode: '19107',
            stateProvince: 'PA',
            country: 'US',
            recordId: '0011400001eJBQM'
        }

Google offers a number of APIs and most of them are hosted under this domain. Geopointe uses this domain to communicate with those APIs offered by Google.

Google offers a number of Mapping APIs and most of them are hosted under this domain. Geopointe uses this domain to communicate with those Mapping APIs offered by Google.

A service called MixPanel ( is used for tracking application feature usage. This is primarily done to understand how users are interacting with the user interface, what features are being used, and how often. This provides input into our roadmap and user experience design.

Disabled by default. This feature requires a special license from Geopointe before it is enabled. Admins must then also assign these Licenses to specific users before any data leaves

After Geopointe Analytics is licensed by the Geopointe customer, it provides a mechanism for pushing data to a 3rd party geo-analytics service, SpatialKey ( This transmission is done via the Salesforce servers at the request of a licensed Salesforce user, over an https connection using OAuth 2.0 for authentication. Prior to utilizing this feature, the Geopointe customer is made aware that their data will leave Salesforce.

When Geopointe Analytics is enabled, an equivalent org record is created on the SpatialKey servers that includes the Salesforce Org name and Id. A secret OAuth 2.0 refresh token is returned to the Geopointe application. This token is stored in a Protected Custom Setting and is not accessible to any users or apps other than the Geopointe application.

Data is exported with an Apex Batch Job invoked by a specific user. This Batch job runs with that user’s permissions (Apex code keyword `with sharing`) and only sends SpatialKey data the given user has access to. We also validate all Field Level Security access. At the start of the batch job, the process uses the SpatialKey secret refresh token with OAuth 2.0 to generate a temporary access token that is used for the duration of the data sync. This ensures the data being sent from the Salesforce org can only be sent to the matching SpatialKey org.

Once data is sent to SpatialKey, a user can launch the SpatialKey application. During this process the SpatialKey access token is used to generate a temporary, short-lived user access token using OAuth 2.0, ensuring only users of the Salesforce org can access the equivalent SpatialKey org. Once inside the SpatialKey application, a user can only see data they have synced, matching their record visibility.

Thematic Layers

Disabled by default. This feature requires Geopointe to send data outside of Salesforce, so it is disabled by default. An Admin must opt in and enable this feature before any data is sent outside of 

Thematic Layers allow you to aggregate, group, and color your Salesforce data by geographic regions. This is a very computationally intensive operation that cannot be performed on the platform due to technical limitations. It requires us to send some of your data outside of to Geopointe servers. The data sent to Geopointe servers is as follows:
  • Latitude and Longitude coordinates of records used in the thematic layer.
  • Numeric field value used for the thematic map.
For example, a thematic map that aggregates the Account field Number of Employees by Postal Code would only send the following data to Geopointe servers for each account returned by the Thematic Map Data Set filters.
  {
    "lat": "40.720103",
    "lng": "-73.987872",
    "m": 56
  }
The data exported from Salesforce is configured by the Geopointe Data Set that drives the Thematic Layer. Only records returned by these Data Sets will be exported to Geopointe servers. In addition to filters defined on the Data Set, only data the user has access to will be sent, as controlled by the Salesforce Sharing Model.

The data sent above is ephemeral in nature and is destroyed after the building of a Thematic Layer is complete.

All final Thematic Layer aggregation data is stored in an encrypted-at-rest database on AWS servers using an AES-256 key. Data is stored in a multi-tenant database.
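The two controls this document relies on for outbound data, a `with sharing` Apex batch that honours the Sharing Model and a field-level security check before anything is serialized, combined with the minimal Thematic Layer payload shape above, as an added Apex example that is not Geopointe’s own code. The Account fields are standard Salesforce fields used for illustration, and `callout:Thematic_Service` is a placeholder Named Credential, not a Geopointe endpoint.

```apex
// Added example, not Geopointe's own code. It combines two controls the page describes:
// 'with sharing' so the batch only reads records the invoking user can see, and
// Security.stripInaccessible so field-level security is enforced before serialization.
// Only {lat, lng, m} leaves the org. Account fields are standard Salesforce fields used
// for illustration; 'callout:Thematic_Service' is a placeholder Named Credential.
public with sharing class ThematicExportBatch
        implements Database.Batchable<SObject>, Database.AllowsCallouts {

    // The only record shape sent out: coordinates plus one numeric measure.
    public class Point { public String lat; public String lng; public Decimal m; }

    public Database.QueryLocator start(Database.BatchableContext bc) {
        // Under 'with sharing' this query returns only rows visible to the user who
        // called Database.executeBatch; records not shared with them are excluded.
        return Database.getQueryLocator(
            'SELECT Id, BillingLatitude, BillingLongitude, NumberOfEmployees ' +
            'FROM Account WHERE BillingLatitude != null AND BillingLongitude != null');
    }

    public void execute(Database.BatchableContext bc, List<Account> scope) {
        List<Point> points = toPoints(scope);
        if (points.isEmpty()) {
            return; // user may read none of these fields, so nothing leaves the org
        }
        HttpRequest req = new HttpRequest();
        req.setEndpoint('callout:Thematic_Service'); // placeholder endpoint
        req.setMethod('POST');
        req.setHeader('Content-Type', 'application/json');
        req.setBody(JSON.serialize(points));
        new Http().send(req);
    }

    public void finish(Database.BatchableContext bc) {}

    // Field-level security: stripInaccessible removes every field the running user
    // cannot read. A record whose measure was stripped is skipped, not sent as null.
    public static List<Point> toPoints(List<Account> records) {
        SObjectAccessDecision decision = Security.stripInaccessible(AccessType.READABLE, records);
        List<Point> points = new List<Point>();
        for (Account a : (List<Account>) decision.getRecords()) {
            if (!a.isSet('NumberOfEmployees') || !a.isSet('BillingLatitude')) continue;
            Point p = new Point();
            p.lat = String.valueOf(a.BillingLatitude);
            p.lng = String.valueOf(a.BillingLongitude);
            p.m = a.NumberOfEmployees;
            points.add(p);
        }
        return points;
    }
}
```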

KML File Hosting

Geopointe provides the ability to add KML files to the map. When creating a new KML Layer, the user is prompted to upload the KML file. This file is uploaded to and hosted on Geopointe servers. The file is encrypted with a randomly generated, customer-provided AES-256 encryption key that is stored in a Protected Custom Setting. Geopointe has no way to access or view the content of the uploaded file. Only your company can access the file with the provided key, which happens automatically when using the Geopointe application.
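The key-handling pattern described here (and used for the Analytics refresh token above), as an added Apex example that is not Geopointe’s own code: a random AES-256 key lives only in a Protected Custom Setting inside the customer’s org, so the hosted file is opaque to the host. The hierarchy custom setting `KmlKey__c` with a text field `Key__c` is assumed.

```apex
// Added example, not Geopointe's own code. A random AES-256 key is generated in the
// customer's org and kept in a Protected Custom Setting (assumed: KmlKey__c.Key__c).
// Protected settings are not readable by users or other packages in the subscriber
// org, so only code in this org can turn the hosted ciphertext back into KML.
public with sharing class KmlFileCrypto {

    // Returns the org's key, creating and storing one on first use.
    public static Blob getOrCreateKey() {
        KmlKey__c setting = KmlKey__c.getOrgDefaults();
        if (String.isBlank(setting.Key__c)) {
            Blob key = Crypto.generateAesKey(256);          // 32 random bytes
            setting.Key__c = EncodingUtil.base64Encode(key);
            upsert setting;
        }
        return EncodingUtil.base64Decode(setting.Key__c);
    }

    // Encrypt the KML text before upload. encryptWithManagedIV prepends a random
    // 16-byte IV, so the same file produces different ciphertext on each upload.
    public static Blob encryptForUpload(String kmlText) {
        return Crypto.encryptWithManagedIV('AES256', getOrCreateKey(), Blob.valueOf(kmlText));
    }

    // Decrypt a file fetched back from the host; the host never sees the key.
    public static String decryptDownloaded(Blob cipherText) {
        return Crypto.decryptWithManagedIV('AES256', getOrCreateKey(), cipherText).toString();
    }
}
```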