VanguardOps is built by an architect who’s audited 70+ enterprise Salesforce orgs. The security model isn’t a marketing afterthought — it’s the entire reason the product exists in the form it does.
This page explains, in plain language, what VanguardOps accesses in your Salesforce org, what it never accesses, and exactly what happens when a fix is executed.
VanguardOps reads Salesforce metadata only via OAuth-scoped API access:
These are the same metadata APIs used by Salesforce Setup, the Salesforce CLI, and every legitimate org-management tool in the ecosystem. VanguardOps does not extend, intercept, or modify these APIs — it consumes them.
VanguardOps has no access to and never queries:
This isn’t a policy restriction we promise to honor — it’s enforced by the OAuth scopes VanguardOps requests. The connected app cannot read customer data even if asked. The architecture is the safeguard.
VanguardOps uses OAuth 2.0 with PKCE (Proof Key for Code Exchange). When you connect your org:
You can revoke VanguardOps access at any time from your Salesforce Setup → Connected Apps OAuth Usage page. Revocation is immediate and irreversible — VanguardOps cannot re-establish access without you completing a new OAuth flow.
Scans are on-demand only. VanguardOps does not run continuous monitoring, scheduled scans, background polling, or persistent agents against your org. Every scan is initiated by a logged-in user, runs against the metadata APIs with your scoped OAuth token, and releases the connection when it completes. Between scans, your access token sits idle.
A typical scan runs in minutes end-to-end. The metadata layer touched during a scan is read-only.
Finding problems is read-only. Fixing them is where the safety mechanism matters, so here it is, stated exactly:
Engineering safety memo available on request.
VanguardOps never moves your customer data. Customer records, contacts, opportunities, and all record-level data remain in your Salesforce org at all times. The metadata-only architecture means there is nothing to move. Scan results are stored encrypted at rest in our database, and audit logs of remediation actions are retained.
If you discover a security vulnerability in VanguardOps, please report it to security@vanguardops.ai. We commit to acknowledging reports within 24 hours and providing a remediation timeline within 5 business days.
Please do not publicly disclose vulnerabilities before we have had a reasonable opportunity to address them.
SOC 2 attestation is in progress. Specific compliance questions (SOC 2, HIPAA, FINRA, ISO 27001, GDPR data processing agreements): chris@vanguardops.ai.
Architects asking pointed security questions get fast direct answers. Email chris@vanguardops.ai. If a question deserves a public answer, we add it here.
Last updated: July 9, 2026.