Security First
Security at Replica
We built Replica with security as a foundation, not an afterthought. Our synthetic-first approach means your production data stays exactly where it belongs—in production.
The Synthetic Advantage
Unlike traditional test data tools that copy and mask production data, Replica generates entirely synthetic data from scratch. We never read, copy, or access your production Salesforce data.
- No production data access
- No PII exposure risk
- No masking failures
Security Practices
Authentication & Access
- OAuth 2.0 for Salesforce connections—we never store your Salesforce password
- Multi-factor authentication (MFA) with TOTP support
- Role-based access control (RBAC)
- Secure session management with automatic expiry
Data Protection
- All data encrypted in transit (TLS 1.3)
- Database encryption at rest (AES-256)
- API keys stored using secure hashing
- Salesforce OAuth tokens encrypted and scoped to sandbox/scratch orgs
Infrastructure Security
- Hosted on Vercel (SOC 2 Type II certified)
- Automatic security updates and patching
- DDoS protection and WAF included
- Edge network with global CDN
Application Security
- Parameterized queries preventing SQL injection
- Input validation and sanitization
- CSRF protection on all forms
- Secure HTTP headers (CSP, HSTS, X-Frame-Options)
Salesforce Integration Security
What We Access
- Your org's metadata (object/field definitions)
- Picklist values and record types
- Org limits and storage capacity
- Write access to insert generated records
What We Never Access
- Your existing records or data
- Production org connections
- Files, attachments, or documents
- Your Salesforce password (OAuth only)
Compliance
- CSA STAR Level 1: Registered (Self-Assessment; listed in the CSA STAR registry)
- SOC 2 Type I: Planned for 2025
- SOC 2 Type II: Future, following Type I
Security Questions?
Have questions about our security practices or need additional documentation for your security review? We're happy to help.
security@datakarma.ai