ISV Security Addendum
This ISV Security Addendum documents the security architecture, controls, and practices implemented by PurposeForce for the Rewind Reels for Salesforce managed package and associated backend service. This document is intended for Salesforce AppExchange security review and customer security assessments.
1. Architecture Overview
1.1 Component Summary
Rewind Reels consists of two primary components:
- Salesforce Managed Package (2GP): Installed in the customer's Salesforce org. Contains LWC components, Apex classes, custom objects, permission sets, and platform events. All Apex code runs within the customer's org context.
- External Backend Service: A Next.js application hosted on Vercel that orchestrates video generation. Receives authenticated API requests from the managed package, generates AI narration and theme data via the Anthropic Claude API, and stores the resulting JSON back to the Salesforce record. Videos are rendered client-side as animated HTML presentations — no server-side video encoding required.
1.2 Data Flow
```
        ↓
Rewind Backend (Vercel)     → [Validate API key + HMAC token]
        ↓
Anthropic Claude API        → [Generate narration script + theme from CRM data]
        ↓
Rewind Backend              → [Store narration JSON + theme on Rewind_Video__c via SF REST API]
        ↓
Public Player (browser)     → [Fetch JSON, render animated HTML presentation client-side]
```
2. Authentication and Authorization
2.1 API Key Authentication
- Each Salesforce org receives a unique API key stored on the `Rewind_License__c` record
- The API key is transmitted via the `x-rewind-api-key` HTTP header
- The backend validates the API key against the registered org before processing any request
2.2 HMAC Token Verification
- Render requests include an HMAC token generated from the Salesforce Org ID
- The backend `verifyToken()` method validates that the org ID in the token matches the requesting org
- Prevents cross-org request forgery
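The API-key-then-HMAC gate from 2.1 and 2.2, written out as an added TypeScript example (not code from the Rewind backend). Only the `x-rewind-api-key` header and the `verifyToken()` name come from the addendum; the token layout `<orgId>.<hex HMAC-SHA256 over orgId>`, the `x-rewind-token` header, the shared secret and the key-to-org registry are assumptions made for the example.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// Constructed registry: API key -> Salesforce Org ID it was issued to.
// Stand-in for the Rewind_License__c lookup; keys and org IDs are made up.
const REGISTERED_ORGS = new Map<string, string>([
  ["rk_live_orgA_example", "00D000000000AAA"],
  ["rk_live_orgB_example", "00D000000000BBB"],
]);

// Secret shared by package and backend (constructed for the example).
const TOKEN_SECRET = "constructed-demo-secret";

function hmacHex(orgId: string, secret: string): string {
  return createHmac("sha256", secret).update(orgId).digest("hex");
}

// Assumed token format: "<orgId>.<hex HMAC-SHA256 over orgId>".
function issueToken(orgId: string, secret: string = TOKEN_SECRET): string {
  return `${orgId}.${hmacHex(orgId, secret)}`;
}

// Recompute the MAC, compare in constant time, then enforce the cross-org
// binding from 2.2: the org named in the token must be the requesting org.
function verifyToken(token: string, requestingOrgId: string, secret: string = TOKEN_SECRET): boolean {
  const dot = token.lastIndexOf(".");
  if (dot < 0) return false;
  const orgId = token.slice(0, dot);
  const given = Buffer.from(token.slice(dot + 1), "utf8");
  const expected = Buffer.from(hmacHex(orgId, secret), "utf8");
  // timingSafeEqual throws on length mismatch, so reject that case first
  if (given.length !== expected.length) return false;
  if (!timingSafeEqual(given, expected)) return false;
  return orgId === requestingOrgId;
}

// Request gate: the API key identifies the registered org, and the HMAC
// token must be bound to that same org. Returns the org ID or null.
function authenticateRequest(headers: Record<string, string | undefined>): string | null {
  const apiKey = headers["x-rewind-api-key"];
  if (!apiKey) return null;
  const orgId = REGISTERED_ORGS.get(apiKey);
  if (!orgId) return null;
  const token = headers["x-rewind-token"]; // header name is an assumption
  if (!token || !verifyToken(token, orgId)) return null;
  return orgId;
}
```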
2.3 Callback Authentication
- REST callback from backend to Salesforce uses JWT Bearer flow (primary) with password authentication as fallback
- Shared authentication module (`salesforce-auth.ts`) manages credential lifecycle
2.4 Permission Sets
| Permission Set | Access Level | Capabilities |
|---|---|---|
| Rewind_Admin | Full | Configure settings, generate videos, manage license, view analytics |
| Rewind_User | Standard | Generate videos, view own videos, share videos |
| Rewind_Viewer | Read-only | View and share videos only |
3. Encryption
3.1 In Transit
- All communication between Salesforce and the backend uses HTTPS with TLS 1.2 or higher
- All communication between the backend and third-party services (AWS, Anthropic, Stripe) uses TLS 1.2+
- HSTS headers enforced on all endpoints
3.2 At Rest
- Video data (narration JSON + theme) is stored within Salesforce's encrypted infrastructure
- Legacy video files (pre-March 2026) on AWS S3 are encrypted using AES-256 (server-side encryption)
- Salesforce data at rest is protected by Salesforce's platform encryption (Shield Platform Encryption where enabled by the customer)
4. CRUD/FLS Enforcement
4.1 Security.stripInaccessible
All Apex code that reads or writes sObject data uses Security.stripInaccessible() to enforce field-level security. This is the AppExchange-recommended approach over WITH SECURITY_ENFORCED in SOQL queries, as it allows graceful handling of inaccessible fields without throwing exceptions.
4.2 Exception: Callback Controller
The `RewindCallbackController` class uses `without sharing` to process REST callbacks from the backend service. This is required because:
- The callback is authenticated via API key, not a user session
- The controller must update video records regardless of the running user's sharing rules
- All input data is validated and sanitized before DML operations
`Security.stripInaccessible` is NOT applied to the `incrementRenderCount` method because `Renders_Used_This_Month__c` is intentionally not editable by users — it is managed programmatically.
5. Code Security
5.1 SOQL Injection Prevention
- Dynamic SOQL field names are validated against `Schema.DescribeFieldResult`, using `fieldDesc.getName()` for canonical API names
- Date fields in `buildWhereClause()` are validated against Schema before use in dynamic queries
- No user-supplied strings are concatenated directly into SOQL queries
5.2 Cross-Site Scripting (XSS) Prevention
- LWC components use framework-native rendering which auto-escapes output
- No use of `lwc:dom="manual"` or `innerHTML` in any component
5.3 Error Handling
- All `AuraHandledException` catch blocks use static error messages
- No `e.getMessage()` concatenation in user-facing error responses
- Internal error details are logged but not exposed to the client
5.4 Apex Variable Naming
- The variable name `json` has been renamed to `jsonStr` to avoid a case-insensitive collision with the `JSON` system class
6. Sharing Model
| Class | Sharing Mode | Justification |
|---|---|---|
| RewindCallbackController | without sharing | REST callback from backend — no user context; authenticated via API key |
| All other Apex classes | with sharing (default) | Enforces org sharing rules for all user-initiated operations |
7. Rate Limiting and Abuse Prevention
- Backend API enforces 30 requests per minute per API key
- Tier-based monthly rendering quotas (Free: 3, Starter: 15, Professional: 75, Enterprise: 9,999)
- Render count is incremented only on successful API call completion (in the Queueable, not the Controller) to prevent count inflation on failures
- Stale generation detection: jobs older than 5 minutes are automatically marked as failed
8. Data Handling
8.1 Data Minimization
- Only fields explicitly configured in the customer's Rewind Config are queried
- Salesforce data is processed in real time and is not stored on Rewind servers
- AI narration prompts contain summarized CRM data, not raw database exports
8.2 Data Retention
- CRM data: not retained (real-time processing only)
- Generated videos: stored as JSON in Salesforce (no external file storage)
- Video metadata: stored in customer's Salesforce org (under customer control)
8.3 Data Isolation
- Each Salesforce org has a unique API key and license record
- HMAC token verification ensures requests cannot target a different org's data
- No shared data storage between customer orgs
9. Third-Party Dependencies
| Service | Purpose | Security Posture |
|---|---|---|
| AWS (legacy S3 only) | Video rendering and storage | SOC 2 Type II, ISO 27001, FedRAMP |
| Anthropic (Claude) | AI narration generation | SOC 2 Type II; data not used for training |
| Stripe | Payment processing | PCI DSS Level 1, SOC 2 Type II |
| Vercel | Backend hosting | SOC 2 Type II, ISO 27001 |
10. Vulnerability Management
- Dependencies are monitored for known vulnerabilities and updated regularly
- Salesforce AppExchange security review conducted prior to listing and on major updates
- Code follows Salesforce ISV security best practices including the Checkmarx/PMD scanning requirements
- No use of deprecated APIs or insecure patterns (e.g., `if:true`/`if:false` replaced with `lwc:if`/`lwc:else`)
11. Incident Response
11.1 Detection
- Monitoring of API error rates and unusual usage patterns
- Vercel and AWS CloudWatch alerting for service anomalies
- Platform Event monitoring for render failures within Salesforce
11.2 Response Process
- Identification: Confirm the nature and scope of the incident
- Containment: Revoke affected API keys, disable affected endpoints if necessary
- Notification: Notify affected customers within 72 hours of confirmed breach
- Remediation: Deploy fixes, rotate credentials, update security controls
- Post-Incident: Conduct root cause analysis and update procedures
11.3 Contact
To report a security vulnerability or incident, contact us immediately:
Email: hello@purposeforce.org
Subject line: SECURITY — [Brief Description]
12. Compliance
- GDPR: See our Data Processing Agreement for full GDPR compliance details
- CCPA: See our Privacy Policy for California Consumer Privacy Act compliance
- Salesforce AppExchange: Managed package adheres to all AppExchange security review requirements
- SOC 2: Infrastructure providers (AWS, Vercel, Stripe) maintain SOC 2 Type II certifications
13. Contact
For security-related questions or to request additional security documentation, contact us:
PurposeForce
Email: hello@purposeforce.org
Web: purposeforce.org