Security
No persistent Salesforce access
Your Salesforce session expires in approximately 2 hours — the standard Salesforce timeout. After that, KeelCadence has no ability to access your org. There are no refresh tokens, no OAuth tokens, and no scheduled or background access of any kind.
Session ID is never stored in our database
Your Salesforce Session ID (the Bearer token used for API calls) lives only in a signed, server-side session cookie in your browser. It is never written to our database, never logged, and never transmitted to any third party. The session cookie is a signed, tamper-evident application session cookie.
No Connected App, no OAuth tokens, no refresh tokens
This tool does not use Salesforce OAuth. There is no Connected App installed in your org, no client ID or client secret, and no refresh token that could enable future access. The only credential in use is your existing browser session.
Metadata only — no record data
KeelCadence is not a Salesforce data export tool. It reviews metadata, configuration, permission structures, and aggregate counts where needed for diagnostic scoring. It does not export customer records, files, attachments, emails, Chatter content, or transactional data. All API calls read metadata: permission records, profiles, permission sets, and field definitions. The tool never queries Accounts, Contacts, Opportunities, or any other business record object.
The report maps access configuration, profiles, permission sets, object permissions, and field-level security — not the underlying field values users may have access to.
Does KeelCadence export Salesforce records or files?
No. KeelCadence does not export customer records, files, attachments, emails, Chatter content, or transactional data. The reports are based on Salesforce metadata, configuration, permission structures, and aggregate counts where needed for diagnostic scoring.
Audit report retention
Generated Excel reports are stored on our server for 90 days, then permanently deleted. Reports are accessible only via a direct link that includes the run ID — they are not indexed or browseable.
Right to erasure
To delete your audit data immediately, email privacy@keelcadence.com. We will confirm deletion within 48 hours.
Reporting a vulnerability
If you discover a security issue, please email security@keelcadence.com. We aim to respond within 48 hours and to issue a fix within 7 days for critical issues. Please do not disclose vulnerabilities publicly before we have had a chance to respond.