How we protect the Salesforce data you connect to SalesWin: where it lives, who can reach it, how it's encrypted, and how to tell us if something looks wrong.
SalesWin runs on Amazon Web Services. The application is hosted in AWS US-East today, with EU customer data being migrated to AWS Ireland (eu-west-1). Customer data is logically isolated per tenant via PostgreSQL row-level security; no two customers can see each other's records.
SalesWin uses Clerk for authentication. Customer accounts are scoped to a single tenant; staff access to production is restricted to named operators, gated by MFA, and logged. We do not access customer Salesforce data except where required to investigate a support ticket the customer has raised.
The full sub-processor list lives in our Data Processing Agreement. In short: AWS (hosting), Stripe (billing), Clerk (auth), and the CRM you connect (Salesforce or HubSpot).
If you believe you've found a security issue, please email security@saleswin.io. We aim to acknowledge reports within two business days. Machine-readable contact details are at /.well-known/security.txt.
Please give us a reasonable window to investigate and fix before any public disclosure. We won't pursue legal action against researchers who act in good faith and stay within the scope of this policy.
Security questions: security@saleswin.io. Data protection / GDPR: legal@saleswin.io.