Security

VanguardOps is built by an architect who’s audited 70+ enterprise Salesforce orgs. The security model isn’t a marketing afterthought — it’s the entire reason the product exists in the form it does.

This page explains, in plain language, what VanguardOps accesses in your Salesforce org, what it never accesses, and exactly what happens when a fix is executed.


What we access

VanguardOps reads Salesforce metadata only via OAuth-scoped API access:

These are the same metadata APIs used by Salesforce Setup, the Salesforce CLI, and every legitimate org-management tool in the ecosystem. VanguardOps does not extend, intercept, or modify these APIs — it consumes them.

What we never access

VanguardOps has no access to and never queries:

This isn’t a policy restriction we promise to honor — it’s enforced by the OAuth scopes VanguardOps requests. The connected app cannot read customer data even if asked. The architecture is the safeguard.


Authentication and token storage

VanguardOps uses OAuth 2.0 with PKCE (Proof Key for Code Exchange). When you connect your org:

  1. You authenticate directly with Salesforce. VanguardOps never sees your Salesforce password.
  2. Salesforce issues a refresh token scoped to metadata APIs only.
  3. The refresh token is encrypted at rest before being stored in our database, with the encryption key held separately from the database and managed via secrets management.
  4. Access tokens are short-lived and refreshed only when you initiate a scan.

You can revoke VanguardOps access at any time from your Salesforce Setup → Connected Apps OAuth Usage page. Revocation is immediate and irreversible — VanguardOps cannot re-establish access without you completing a new OAuth flow.

On-demand scans, no persistent agents

Scans are on-demand only. VanguardOps does not run continuous monitoring, scheduled scans, background polling, or persistent agents against your org. Every scan is initiated by a logged-in user, runs against the metadata APIs with your scoped OAuth token, and releases the connection when it completes. Between scans, your access token sits idle.

A typical scan runs in minutes end-to-end. The metadata layer touched during a scan is read-only.


How remediation is kept safe

Finding problems is read-only. Fixing them is where the safety mechanism matters, so here it is, stated exactly:

Engineering safety memo available on request.


Where your data lives

VanguardOps never moves your customer data. Customer records, contacts, opportunities, and all record-level data remain in your Salesforce org at all times. The metadata-only architecture means there is nothing to move. Scan results are stored encrypted at rest in our database, and audit logs of remediation actions are retained.

Vulnerability reporting

If you discover a security vulnerability in VanguardOps, please report it to security@vanguardops.ai. We commit to acknowledging reports within 24 hours and providing a remediation timeline within 5 business days.

Please do not publicly disclose vulnerabilities before we have had a reasonable opportunity to address them.

Compliance

SOC 2 attestation is in progress. Specific compliance questions (SOC 2, HIPAA, FINRA, ISO 27001, GDPR data processing agreements): chris@vanguardops.ai.

Questions

Architects asking pointed security questions get fast direct answers. Email chris@vanguardops.ai. If a question deserves a public answer, we add it here.

Last updated: July 9, 2026.