A comprehensive overview of the security controls, data protection practices, and compliance posture of the RAGSI.AI platform — covering both the Salesforce managed package and the API Gateway.
RAGSI.AI is an AI-powered metadata intelligence platform purpose-built for Salesforce teams. Security is foundational to every layer of the platform — from the Salesforce managed package (RAGSI-AI-APP) to the cloud API middleware (Ragsi-API-Gateway).
This white paper provides a transparent, in-depth examination of the security controls, encryption standards, access policies, and compliance measures that protect customer data across the RAGSI.AI platform. It is intended for enterprise security teams, compliance officers, Salesforce administrators, and developers evaluating the platform for production use.
Multi-layered security controls at the application, network, data, and infrastructure levels — no single point of failure.
Every request is authenticated, authorized, rate-limited, and validated. No implicit trust between any components.
RAGSI.AI accesses only Salesforce metadata (schema, configuration) — never your business data, records, or PII.
All credentials and tokens are encrypted at rest using AES-256 authenticated encryption — the gold standard for data protection.
The RAGSI.AI platform consists of two primary components that work together to deliver AI-powered Salesforce metadata intelligence.
A Salesforce second-generation managed package distributed via AppExchange. Provides Lightning Web Components for AI chat, metadata exploration, impact analysis, dependency graphs, and change monitoring — all running natively within your Salesforce org.
A cloud-hosted API middleware that serves as the secure bridge between Salesforce and AI providers. Handles RAG-based vector search, metadata embedding, usage metering, BYOK key management, and multi-tenant org isolation.
When a Salesforce user asks RAGSI a question, the request flows from the Lightning Web Component through secure Apex controllers, out to the API Gateway via an authenticated callout, and then to the appropriate AI provider. The gateway enriches the request with RAG context from vector-indexed metadata before forwarding it. At every hop, the request is authenticated, validated, rate-limited, and audited.
The platform implements a defense-in-depth model with security enforced at every tier of the stack.
┌───────────────────────────────────────────────────────────────────────────────┐
│ SALESFORCE ORG (Customer Tenant) │
│ │
│ ┌─────────────┐ ┌──────────────────┐ ┌────────────────────────────┐ │
│ │ Lightning │───▸│ Apex Controllers │───▸│ Service Layer │ │
│ │ Web │ │ (with sharing) │ │ ┌──────────────────────┐ │ │
│ │ Components │ │ │ │ │ CRUD/FLS Enforcement │ │ │
│ │ │ │ Safe error │ │ │ DML Security │ │ │
│ │ │ │ handling │ │ │ Input Sanitization │ │ │
│ └─────────────┘ └──────────────────┘ │ │ Security Utilities │ │ │
│ │ └──────────────────────┘ │ │
│ ┌──────────────────────────────┐ │ │ │
│ │ Permission Sets │ │ Named Credential Callout │ │
│ │ User Role │ Admin Role │ │ (JWT Bearer Token) │ │
│ └──────────────────────────────┘ └────────────┬───────────────┘ │
│ ┌──────────────────────────────┐ │ │
│ │ Protected Credential Store │ │ │
│ │ (Encrypted Tokens) │ │ │
│ └──────────────────────────────┘ │ │
└────────────────────────────────────────────────────────────┼───────────────────┘
│ HTTPS / TLS 1.2+
▼
┌───────────────────────────────────────────────────────────────────────────────┐
│ RAGSI API GATEWAY (Cloud-Hosted) │
│ │
│ ┌──────────────────────────────────────────────────────────────────────────┐ │
│ │ Security Middleware Pipeline │ │
│ │ │ │
│ │ Headers ──▸ CORS ──▸ CSRF ──▸ Auth ──▸ Rate Limit ──▸ Input Validate │ │
│ │ (CSP, (Origin (Content (JWT (Tier-based (Centralized │ │
│ │ HSTS, allow- -Type verify, per-org length/type/ │ │
│ │ X-Frame) list) check) org ID) isolation) format checks) │ │
│ └──────────────────────────────────────────────────────────────────────────┘ │
│ │
│ ┌───────────────────┐ ┌──────────────────┐ ┌──────────────────────────┐ │
│ │ Encryption Vault │ │ Usage Tracking │ │ Audit Logger │ │
│ │ AES-256 │ │ Token Metering │ │ PII Masking │ │
│ │ BYOK Key Store │ │ Request Quotas │ │ Correlation IDs │ │
│ └───────────────────┘ └──────────────────┘ └──────────────────────────┘ │
│ │
│ ┌───────────────────────────────────────────────────────────────────────┐ │
│ │ Encrypted Database │ Session Cache │ Error Sanitization │ │
│ │ (SSL, org-isolated │ (Ephemeral) │ (No internal details │ │
│ │ queries) │ │ exposed to clients) │ │
│ └───────────────────────────────────────────────────────────────────────┘ │
└───────────────────────────────────────────────────────────┬───────────────────┘
│ HTTPS
▼
┌───────────────────────────────────────────────────────────────────────────────┐
│ AI PROVIDERS (Configurable) │
│ ┌─────────────────────────────────────────────────────────────────────────┐ │
│ │ Multiple providers supported with automatic failover routing │ │
│ └─────────────────────────────────────────────────────────────────────────┘ │
└───────────────────────────────────────────────────────────────────────────────┘
RAGSI-AI-APP undergoes the rigorous Salesforce AppExchange Security Review and implements all required and recommended platform security controls.
Every database query in the codebase enforces the current user's object-level and field-level permissions. This ensures the platform always respects each user's configured access rights. CRUD and FLS enforcement is applied consistently across all custom objects used by the platform.
All data manipulation operations automatically strip fields that the current user cannot access before any insert, update, or delete. This prevents accidental privilege escalation through data write operations and ensures field-level security is respected for both reads and writes.
User-supplied input is never concatenated into database queries. The platform uses parameterized query patterns as the primary defense, supplemented by centralized input sanitization utilities for edge cases. All query parameters go through a dedicated security utility layer before execution.
All server-side logic enforces the running user's record-level sharing rules. Chat conversations and messages are user-owned and private by default, ensuring users can only see their own AI interactions unless sharing rules explicitly allow otherwise.
External communication to the API Gateway uses Salesforce Named Credentials, which provide centralized endpoint management, automatic token injection, and audit trail capabilities. No endpoints or credentials are hardcoded in application source code.
Credential Isolation: Sensitive tokens (gateway authentication keys, optional BYOK API keys) are stored in a Protected Custom Setting accessible only to the package's own server-side code — not to subscriber administrators, other packages, or direct API queries.
Access is controlled through two purpose-built permission sets, following the principle of least privilege:
| Permission Set | Scope | Access Level |
|---|---|---|
| Standard User | Regular Salesforce users | Read metadata components; create and edit chat messages, conversations, user stories, and link suggestions. Limited to user-facing features only. |
| Administrator | Org administrators | Full access to all package objects; configuration, batch processing, scheduling, and administrative features. Includes elevated data access for management operations. |
All errors surfaced to the Lightning UI use safe, user-friendly messages. Stack traces, internal class names, and system details are never exposed to the client. Server-side logging captures full error context at appropriate severity levels for debugging by authorized administrators.
A post-install handler initializes secure default settings when the package is installed, while an uninstall handler automatically clears all stored credentials upon package removal — preventing orphaned secrets from remaining in the org.
The Ragsi-API-Gateway implements a comprehensive security middleware pipeline where every request passes through multiple validation layers before reaching business logic.
Requests traverse a strict sequential pipeline: security headers → CORS validation → CSRF protection → JWT authentication → tier-based rate limiting → input validation → business logic. Failure at any stage immediately terminates the request with an appropriate error response.
The gateway sets comprehensive HTTP security headers on every response to protect against common web attack vectors:
| Protection | Purpose |
|---|---|
| Content Security Policy | Restricts content loading to prevent cross-site scripting (XSS) attacks |
| Strict Transport Security | Enforces HTTPS with preload list eligibility to prevent downgrade attacks |
| Content-Type Options | Prevents MIME-type sniffing attacks |
| Frame Protection | Prevents clickjacking by blocking iframe embedding |
| Server Fingerprint Removal | Hides server technology information to reduce attack surface |
| Cache Control | Prevents caching of sensitive responses on shared infrastructure |
The gateway strictly validates request origins against a whitelist of authorized Salesforce domains. Only requests originating from verified Salesforce environments are accepted. Server-to-server calls from Named Credential callouts are permitted through a separate authentication path. Custom origins can be configured for Experience Cloud or custom domain deployments.
All state-changing requests require a specific content type that browsers cannot send cross-origin without a CORS preflight check. Combined with the strict CORS policy, this provides robust CSRF protection without requiring client-side tokens.
Rate limiting operates at two levels: per-org request rate limits (per minute) and monthly quotas for both AI tokens and total request counts. Each subscription tier has defined limits that are enforced server-side and cannot be modified by the client. The registration endpoint has additional dual rate limiting to prevent brute-force provisioning attempts.
A centralized input validation layer enforces strict constraints on all request payloads, including maximum message lengths, metadata payload size caps, response token ceilings, and whitelist validation for AI provider and model identifiers. Salesforce Org IDs are validated for proper format. All validation failures are logged with contextual information for security auditing.
A dedicated error handler maps internal error patterns to safe, generic messages. Database details, file paths, stack traces, environment configuration, and query statements are never exposed to clients — preventing information disclosure that could aid potential attackers.
RAGSI.AI is architected around the principle of minimal data access. The platform accesses only Salesforce metadata — never your business records, customer data, or PII.
Object definitions, field schemas, flows, code structures, validation rules, relationships, and org configuration. This is structural information about how your org is built — not business data.
Account records, contact data, opportunity amounts, custom object records, files, attachments, emails, passwords, tokens, or any personally identifiable information stored in your Salesforce org.
All stored credentials use AES-256 authenticated encryption — the same standard used by government and financial institutions. Each encrypted value includes a unique initialization vector and an authentication tag for tamper detection, stored in a versioned format to support future key rotation. The encryption key is mandatory in production environments and validated at server startup.
All communication between components uses TLS 1.2 or higher. HSTS headers with a one-year duration and preload directive ensure HTTPS is enforced even in bookmark or redirect scenarios. Database connections require SSL with optional certificate verification for enterprise deployments.
Enterprise customers can supply their own AI provider API keys, which are encrypted server-side using the same AES-256 scheme and stored in a dedicated encrypted vault. Keys are never returned in plaintext after storage — only a partial hint is provided for identification. All key operations (store, rotate, delete) are logged with IP address tracking for complete auditability. BYOK keys are decrypted only at the moment of use and are never cached in memory beyond the request lifecycle.
Within the Salesforce org, all sensitive credentials are stored in a Protected Custom Setting, which provides the highest level of isolation available on the platform. These settings are invisible in Setup UI, inaccessible via external queries, and readable only by the managed package's own server-side logic.
The API Gateway enforces strict multi-tenant isolation. Every database query is scoped to the requesting org's identifier, ensuring one subscriber's metadata can never be accessed by another. Vector similarity searches for RAG retrieval are likewise scoped to the requesting org's embeddings only.
RAGSI-AI-APP authenticates with Salesforce using the OAuth 2.0 authorization flow. The integration requests read-only metadata access — the minimum scope required for operation. No write access to business data is requested or granted.
Communication between the Salesforce managed package and the API Gateway is secured with JWT (JSON Web Token) bearer authentication. Each JWT contains claims for the subscriber's Org ID, which is validated against the registered subscriber database. The JWT signing secret is mandatory in all environments — there is no weak development fallback. Expired tokens return a distinct error code to enable transparent client-side refresh.
The Salesforce-to-Gateway callout uses Named Credentials, which provide centralized endpoint and authentication management without hardcoded URLs or credentials in application source code. Named Credentials also provide an administrative audit trail and are manageable by Salesforce administrators through standard Setup UI.
Within the Salesforce org, access is controlled through permission sets (Standard User and Administrator) that map to distinct feature sets. Within the API Gateway, subscriber tiers govern rate limits, token quotas, and feature availability. All tier enforcement happens server-side and cannot be modified by the client.
All data in transit is protected by TLS 1.2 or higher between every component: browser to Salesforce, Salesforce to Gateway, Gateway to database, and Gateway to AI providers.
HTTP Strict Transport Security is enforced for one year with subdomain inclusion and preload eligibility, preventing downgrade attacks and SSL stripping.
Database connections require SSL with optional certificate verification for enterprise deployments. Connection pooling is configured with secure timeouts to prevent resource exhaustion.
Request body sizes are strictly limited to mitigate denial-of-service attacks via oversized payloads. Requests exceeding defined limits receive an immediate rejection response.
Every authenticated API request is recorded in a dedicated audit log with the following information: org identifier, action type, endpoint, HTTP method, user identifier, masked IP address, status code, request summary, correlation ID, and timestamp. Audit logging is non-blocking to ensure it never impacts request latency.
Structured JSON logging with automatic PII masking is applied recursively to all log entries. IP addresses are partially redacted, API keys and tokens are truncated, email addresses are masked, and organization names are abbreviated. This ensures compliance with privacy regulations even in operational logging.
Every request receives a unique correlation ID that is propagated through all middleware, service calls, and database operations. This enables end-to-end request tracing across the entire system for debugging and security investigations.
The managed package includes a built-in security audit tool that performs automated compliance checks across CRUD/FLS enforcement, sharing model validation, callout security, platform events, and code quality standards. It produces a graded security posture report that administrators can review.
All BYOK key management operations (creation, rotation, deletion) are logged with IP address, action type, provider, and timestamp for forensic traceability.
| Standard | Status | Scope |
|---|---|---|
| SOC 2 Type II | Certified | Full platform — security, availability, and confidentiality trust service criteria |
| ISO 27001 | Certified | Information security management system across development and operations |
| HIPAA | Compliant | Technical safeguards for organizations handling protected health information |
| GDPR | Ready | Data minimization, purpose limitation, encryption, and data subject rights |
| Salesforce AppExchange Security Review | Passed | Complete ISV security review covering all required and recommended security controls |
| Salesforce Partner Program | Active | Official Salesforce ISV partner with AppExchange listing |
Regular Assessments: RAGSI.AI undergoes periodic security audits and penetration testing. The Salesforce managed package is reviewed against the AppExchange Security Review checklist with every major version release.
The platform follows a secure-by-default development philosophy. All server-side logic enforces sharing rules by default. All database queries include security enforcement. All data writes strip inaccessible fields. All external callouts use Named Credentials. All stored credentials are encrypted. These are not opt-in features — they are mandatory patterns enforced through code review and automated testing.
The API Gateway validates all critical security configuration at startup. Missing or invalid authentication secrets, encryption keys, or security parameters cause the server to fail immediately rather than running in a degraded or insecure state. This prevents misconfiguration from silently creating security vulnerabilities.
All security enhancements are tracked with unique identifiers annotated directly in the source code. This creates a traceable, auditable history of security improvements covering encryption, injection prevention, information disclosure, authentication, transport security, key management, rate limiting, input validation, and privacy controls.
The Salesforce managed package maintains comprehensive Apex code coverage with dedicated test classes for all service and controller logic. All external callout tests use HTTP mocks. Security utility classes have dedicated test coverage to ensure enforcement logic works correctly under all conditions.
The platform's comprehensive audit logging, correlation tracking, and structured error handling enable rapid detection of anomalous behavior. Rate limiting violations, authentication failures, and input validation rejections are logged with full context for security team review.
The platform is designed for graceful degradation — if non-critical systems encounter errors, the core service remains available. AI provider routing supports automatic failover from the primary provider to alternatives, ensuring service continuity even during provider outages.
If a subscriber removes the RAGSI-AI-APP package, the uninstall handler automatically clears all stored credentials, ensuring no orphaned secrets remain in the org after removal.
For security inquiries, vulnerability reports, or compliance documentation requests, contact the RAGSI.AI security team at [email protected].