Security review

Security review for DocRoute.

Written for IT security and compliance teams evaluating the package. Share this document internally; we keep it current and version-tagged at the bottom.

Summary

DocRoute is a Salesforce 2GP managed package for document generation and routing. It runs entirely inside the customer's Salesforce org. Document templates, generated PDFs, and audit metadata never leave the tenant in the base configuration. Outbound traffic is limited to optional e-signature dispatch (DocuSign or Adobe Sign), which the customer enables per template and which uses the customer's own contractual relationship with the e-signature provider. There is no DocRoute cloud service, no shared backend, and no telemetry.

Architecture

  • Compute: Apex batch and queueable jobs inside your Salesforce org.
  • UI: Lightning Web Components (LWC) and standard Lightning pages.
  • Storage: Custom objects for templates, selection rules, generation jobs, and brand themes. Generated PDFs are saved to Salesforce Files attached to the originating record.
  • PDF renderer: An enterprise-grade renderer ships with the package. Customers on Growth+ can swap in their own via a documented Apex adapter interface.
  • Outbound: DocuSign and Adobe Sign API calls (only when e-signature dispatch is enabled). Inbound webhook callbacks from those providers are received at a dedicated Apex REST endpoint.

Authentication & authorization

  • The package ships with a recommended permission set (DocRoute_Admin) granting access to DocRoute objects and the standard objects you template against.
  • End-users do not log in to DocRoute — they interact via standard Salesforce auth and existing object-level sharing rules.
  • E-signature provider credentials are stored in protected custom metadata. The signing process happens on DocuSign or Adobe's infrastructure; DocRoute never proxies signatures or stores credentials in cleartext.
  • Inbound webhook callbacks are verified per provider — HMAC-SHA256 over the request body for DocuSign Connect; a signed token plus an IP allowlist for Adobe Sign. Webhook events without a valid signature are rejected with HTTP 401.

Data handling

  • DocRoute reads only the fields and related records you reference in your templates. Field-level security and sharing rules apply normally.
  • Generated PDFs are saved to Salesforce Files. Customers control retention via standard Salesforce data archive policies.
  • When e-signature dispatch is enabled, the PDF payload and the recipient list are sent to your chosen provider. The exact field set in the recipient list is defined by your template configuration.

For deeper detail on what's stored where, see Data handling & residency.

Encryption

  • At rest: Inherits Salesforce platform encryption. Customers using Salesforce Shield receive Shield-level encryption automatically.
  • In transit: All outbound callouts (DocuSign, Adobe Sign) are HTTPS with strict cert validation. Inbound webhooks must be HTTPS.
  • Credentials: Provider API keys and signing secrets are stored in protected custom metadata, not accessible via standard read permissions.

Third-party dependencies

The base package has no required third-party runtime dependencies. Optional integrations:

  • DocuSign — REST API + Connect webhooks. Customer's contract with DocuSign governs that relationship.
  • Adobe Sign (Acrobat Sign) — REST API + signed webhook callbacks. The customer's contract with Adobe governs that relationship.
  • Custom PDF renderer adapter (Growth+) — customer-supplied endpoint, customer-controlled.

Threat model

  • Unauthorized document generation. Salesforce sharing rules and field-level security apply to every record DocRoute reads. The Generate Document action respects standard Salesforce permissions.
  • Template tampering. Templates are versioned. Publishing a template requires the DocRoute_Admin permission set; activity is logged.
  • Replay of e-signature webhooks. Each provider's signature scheme is verified; replay attempts targeting closed envelopes are rejected.
  • Sensitive data in generated PDFs. The customer controls which fields the template renders. Field-level security is honored at render time — a user can't render a field they couldn't otherwise see.
  • Loss of audit trail. The generation log is append-only by configuration (no delete permission on the audit object for DocRoute_Admin); records cannot be modified after creation.
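The webhook checks described in the Authentication section and the "Replay of e-signature webhooks" item above, modelled in Python as an added example (this is not DocRoute's Apex): the HMAC is computed over the raw body and compared in constant time, and an authenticated event aimed at an already-closed envelope is still rejected. The signature header name and the 409 status for replays are assumptions; the secret and event payloads are constructed.

```python
"""Constructed model of inbound e-signature webhook verification."""
import base64
import hashlib
import hmac
import json

# Constructed shared secret. A real deployment keeps this in protected
# custom metadata (as the page states), never in source.
CONNECT_SECRET = b"constructed-demo-secret"
SIGNATURE_HEADER = "X-DocuSign-Signature-1"  # assumed DocuSign Connect header name


def sign(body: bytes, secret: bytes = CONNECT_SECRET) -> str:
    """Base64-encoded HMAC-SHA256 over the exact raw bytes received."""
    return base64.b64encode(hmac.new(secret, body, hashlib.sha256).digest()).decode()


def verify_signature(body: bytes, headers: dict, secret: bytes = CONNECT_SECRET) -> bool:
    """True only if the presented header matches the HMAC of the raw body."""
    presented = headers.get(SIGNATURE_HEADER, "")
    # compare_digest is constant-time, so a mismatch reveals no prefix information.
    return hmac.compare_digest(presented, sign(body, secret))


def handle_event(body: bytes, headers: dict, closed_envelopes: set) -> int:
    """Return the HTTP status the endpoint would answer with."""
    if not verify_signature(body, headers):
        return 401  # missing or invalid signature (page: rejected with HTTP 401)
    event = json.loads(body)
    env_id = event["envelopeId"]
    if env_id in closed_envelopes:
        return 409  # assumed status: replay against an envelope already closed
    if event.get("status") == "completed":
        closed_envelopes.add(env_id)  # envelope is now closed; later events are replays
    return 200


def demo() -> tuple:
    """Walk one constructed envelope through unsigned, tampered, valid and replayed events."""
    closed = set()
    body = json.dumps({"envelopeId": "env-demo-1", "status": "completed"}).encode()
    good = {SIGNATURE_HEADER: sign(body)}
    tampered = body.replace(b"completed", b"declined")  # body altered, header unchanged
    return (
        handle_event(body, {}, closed),        # 401: no signature header
        handle_event(tampered, good, closed),  # 401: signature no longer matches body
        handle_event(body, good, closed),      # 200: accepted, envelope marked closed
        handle_event(body, good, closed),      # 409: identical event replayed
    )
```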

Compliance

  • DocRoute is delivered as a Salesforce managed package and inherits the customer's existing compliance posture (SOC 2, ISO 27001, HIPAA, etc.) since document data does not leave the org in the base configuration.
  • The append-only generation log supports SOX-style change-control review.
  • For GDPR contexts: DocRoute does not act as a data processor for the documents it generates — all data remains in the customer's Salesforce instance (the data controller's own system). E-signature dispatch introduces DocuSign or Adobe as additional processors under your existing data processing agreements with them.

Incident response

  • Disable e-signature dispatch. One Setup toggle halts every outbound provider call mid-cycle. Useful during a security incident review.
  • Template rollback. Every template version is preserved; reverting to a known-good version is one click.
  • Disclosure. Security issues should be reported to /contact with topic "Security review". We acknowledge within 1 business day.

Open source & licensing

DocRoute is proprietary commercial software distributed under a per-org subscription. No open-source components ship with the package. The customer's subscription agreement governs use, distribution, and warranty.


Document version: 2026-05-23. For questions, contact us.