
Your data, protected by design.

Novigem is Salesforce-native. Your data stays in your org, governed by your own profiles, permission sets, and sharing rules.

Last updated: April 9, 2025

Salesforce-native

All product data lives in your Salesforce org. Novigem respects your profiles, permission sets, and sharing rules, with no external data stores.

Encryption everywhere

TLS 1.2+ for data in transit; AES-256 at rest via the Salesforce platform. Secrets are stored securely and never hard-coded.

Least privilege access

All access is role-based. Novigem components enforce object-level and field-level security through CRUD/FLS checks.

Security ownership

Novigem is a single-founder company. The founder is directly responsible for security across all stages of development: design, implementation, and testing. Security considerations are part of every code change, not a separate phase.

Security policy

Novigem maintains a security policy that governs how customer assets are protected. Because the solution is Salesforce-native, customers retain full control over their data through standard Salesforce security mechanisms (profiles, permission sets, field-level security, sharing rules, and session policies).

Services and artifacts

The Novigem solution includes:

  • Managed Package: Salesforce-native managed package (Apex, LWC, custom objects, flows)
  • Marketing Website: novigem.com, hosted on Vercel
  • Marketing Website APIs: Endpoints for waitlist signup, contact forms, and ROI report generation
  • Marketing Transactional Email: Confirmation emails via Resend

Third-party libraries

We maintain an internal inventory of all third-party libraries and their versions. Dependencies are monitored for known vulnerabilities. A full dependency manifest is available on request.

Architecture and data flow

Novigem is a 100% Salesforce-native managed package. The following describes how data flows through the solution:

Authentication

Users authenticate through Salesforce's native login. Novigem does not store or manage user credentials. Session management is handled entirely by the Salesforce platform.

Authorization

Access is governed by Salesforce profiles, permission sets, and sharing rules. All Apex controllers enforce CRUD and FLS checks before accessing data.

Data residency

All gamification data (points, badges, leaderboards) is created, processed, and stored within the customer's Salesforce org. No customer data leaves the org.

Detailed architecture diagrams are available on request. Contact us for access.

Development practices

Security is integrated into the development process through the following practices:

Security scanning

All managed package code is analyzed using Salesforce Code Analyzer and security linting tools before every release.

AppExchange security review

The managed package undergoes Salesforce's AppExchange security review, which includes automated scanning and manual assessment.

Version control & CI

All code changes go through version control with CI checks. Changes are tested in scratch orgs and staging environments before release.

Dependency monitoring

Third-party dependencies are tracked and monitored for known vulnerabilities using automated tooling.

Secure coding

All Apex code enforces CRUD/FLS, uses parameterized queries, and follows Salesforce security best practices to prevent injection and unauthorized access.

Incident response

Security issues are treated as highest priority. Customers are notified of any issue that may affect their data. Report issues to security@novigem.com.

Sensitive data

Novigem processes the following categories of data:

  • Personal data: Salesforce user names and identifiers used for gamification profiles and leaderboards
  • Usage data: Gamification activity records (points, badges, and challenge completions)
  • Website form data: Name, email, company, and message content submitted through the marketing website

Novigem does not process payment data, health data, or government identifiers.

Data storage locations

  • Salesforce: All product data resides in the customer's own Salesforce org, in the region they selected
  • Vercel: Website hosting (AWS-backed, US and EU regions)
  • Supabase: Website database for waitlist and contact form submissions (AWS-backed, EU region)
  • Resend: Transactional email delivery (AWS SES-backed, US region)

Third-party data sharing

Novigem shares data with the following third parties to deliver the service:

  • Salesforce: Core platform; product data stays in the customer's own org
  • Vercel: Website hosting
  • Supabase: Website form submissions
  • Resend: Transactional email
  • Google Analytics: Website analytics (anonymized, with user consent)

We do not sell or share data for advertising purposes.

Documents

  • Data Processing Addendum (request access)
  • Third-Party Library Inventory
  • Architecture Diagrams

All documents are available on request. Reach us at security@novigem.com.

Security contact

To report a security vulnerability or for any security-related inquiry:

Customer responsibilities

To help secure the solution end to end, we recommend:

  • Enable multi-factor authentication for all Salesforce users
  • Review and restrict permission set assignments regularly
  • Monitor login history and setup audit trail
  • Keep your Salesforce org on the latest release

Have a security question?

We're happy to provide details or answer a security questionnaire.