Security review for License Reclaim.
Written for IT security and compliance teams evaluating the package. Share this document internally; we keep it current and version-tagged at the bottom.
Summary
License Reclaim is a Salesforce 2GP managed package. It runs entirely inside the customer's Salesforce org. No user data, login history, or audit records leave the tenant. Outbound traffic is limited to (1) the optional Slack/Teams notification webhook and (2) the optional ITSM ticket-creation API — both are explicitly enabled per-policy by the customer. There is no License Reclaim cloud service, no shared backend, and no telemetry.
Architecture
- Compute: Apex batch and queueable jobs inside your Salesforce org.
- UI: Lightning Web Components (LWC) and standard Lightning pages.
- Storage: Standard Salesforce objects plus License Reclaim custom objects (LR_Policy__c, LR_ReclaimCase__c, LR_DeactivationLog__c, LR_SavingsEvent__c, and config metadata).
- Inbound webhook endpoint: One public Apex REST resource (LR_ItsmWebhookResource) used only when ITSM connectivity is enabled. All requests require a valid HMAC signature.
- Outbound: ITSM ticket creation (REST), Slack/Teams notifications (webhook). Both optional, both opt-in per policy.
Authentication & authorization
- The package ships with a recommended permission set (LR_Admin) limiting access to LR objects and the User/LoginHistory fields it reads.
- End-users do not log in to License Reclaim — they interact via standard Salesforce auth.
- Manager approval links embedded in emails are signed with a per-org SHA-256 HMAC. The signing key is stored in LR_Config__mdt protected custom metadata (not accessible via standard permission sets). Each link is single-use, time-bounded (default 72 hours), and the decision page records IP, user-agent, and an optional justification.
- ITSM webhook callbacks are verified per-provider: ServiceNow/Freshservice via HMAC-SHA256 over the request body using a shared secret; Serval via signed JWT in the Authorization header; JSM Automation via IP allowlist + token. The webhook resource rejects unsigned or invalid requests with HTTP 401.
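The approval-link scheme above (per-org HMAC key, signature over user ID, decision token and expiry, single-use, 72-hour default lifetime) is easiest to evaluate with a small model of the issue and redeem steps. The following is an added Python example written for this review, not License Reclaim's own Apex code: the concatenation format of the signed fields, the query-parameter names, the in-memory pending/redeemed stores and the constructed org key and user IDs are all assumptions. It also covers the "spoofed approval clicks" item in the threat model below, since the same checks (signature first, then expiry, then single-use, then open-case lookup) are what defeat a forged or replayed click.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode

LINK_TTL_SECONDS = 72 * 3600  # the page's default 72-hour link lifetime


class ApprovalLinkService:
    """Issues and redeems signed manager-approval links for one org (model, not the package's code)."""

    def __init__(self, org_key: bytes, clock=time.time):
        self._key = org_key        # per-org HMAC key; the real package keeps it in protected custom metadata
        self._clock = clock        # injectable clock so expiry can be exercised deterministically
        self._pending = {}         # decision token -> (user id, decision); stand-in for open approval requests
        self._redeemed = set()     # decision tokens already used (single-use enforcement)

    def _sign(self, user_id: str, token: str, expiry: int) -> str:
        # Assumed field layout: the page says the signature covers user ID, decision token and expiry.
        msg = f"{user_id}|{token}|{expiry}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def issue(self, user_id: str, decision: str) -> str:
        """Return the query string that would be embedded in the manager's email."""
        token = secrets.token_urlsafe(16)                  # random decision token, one per link
        expiry = int(self._clock()) + LINK_TTL_SECONDS
        self._pending[token] = (user_id, decision)
        return urlencode({"u": user_id, "t": token, "e": expiry,
                          "sig": self._sign(user_id, token, expiry)})

    def redeem(self, query: str):
        """Return (accepted, decision-or-reason). Every rejection happens before anything is recorded."""
        params = {k: v[0] for k, v in parse_qs(query).items()}
        try:
            user_id, token, expiry, sig = params["u"], params["t"], int(params["e"]), params["sig"]
        except (KeyError, ValueError):
            return False, "malformed"
        if not hmac.compare_digest(self._sign(user_id, token, expiry), sig):
            return False, "bad signature"                  # constant-time compare; tampered fields land here
        if self._clock() > expiry:
            return False, "expired"
        if token in self._redeemed:
            return False, "already used"
        if token not in self._pending or self._pending[token][0] != user_id:
            return False, "no open case"
        self._redeemed.add(token)
        return True, self._pending[token][1]


def walkthrough():
    """Exercise accept, replay, tamper and expiry paths; returns the outcomes in order."""
    clock = [1_700_000_000]                                # constructed fixed clock
    svc = ApprovalLinkService(b"constructed-org-key", clock=lambda: clock[0])
    link = svc.issue("005000000000001", "approve")        # constructed user id
    results = [svc.redeem(link)]                           # first click: accepted
    results.append(svc.redeem(link))                       # same link again: single-use violation
    p = {k: v[0] for k, v in parse_qs(link).items()}
    p["u"] = "005000000000002"                             # retarget the link at another user
    results.append(svc.redeem(urlencode(p)))               # signature no longer matches
    link2 = svc.issue("005000000000003", "deny")
    clock[0] += LINK_TTL_SECONDS + 1                       # move past the 72-hour window
    results.append(svc.redeem(link2))                      # expired
    return results


if __name__ == "__main__":
    for outcome in walkthrough():
        print(outcome)
```

The ordering matters for a reviewer: the signature is checked before any store is consulted, so an unsigned or altered link cannot be used to probe which decision tokens are pending, and the single-use set is only updated after every other check has passed.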
Data handling
- License Reclaim reads: User, LoginHistory, UserLicense, PermissionSetLicense, OpportunityTeamMember, CaseTeamMember, Group, GroupMember, CronTrigger.
- License Reclaim writes (User object): IsActive (freeze/deactivate), UserPermissionsLicensesGranted (license-downgrade flow).
- All other writes are to LR custom objects (case records, audit log, savings events).
- No personal data is sent to external services in the base configuration. When ITSM is enabled, the ticket payload includes the inactive user's display name, email, and last-login date — controlled by the customer's field-mapping configuration.
For deeper detail on what's stored where, see Data handling & residency.
Encryption
- At rest: Inherits Salesforce platform encryption. Customers using Salesforce Shield receive Shield-level encryption automatically.
- In transit: All outbound callouts (ITSM, Slack/Teams) are HTTPS. Inbound webhooks must be HTTPS.
- HMAC secrets: Stored in protected custom metadata, not accessible via standard read permissions.
Third-party dependencies
The base package has no third-party runtime dependencies. Optional integrations:
- Slack/Teams — outbound webhook only, no installed app, no OAuth.
- ITSM connectors — outbound REST + inbound webhook per provider. No middleware. The customer supplies their own ITSM credentials.
Threat model
The categories we considered and how we address them:
- Unauthorized user deactivation. Hard block on System Administrator profile; 10-check safety gate; manager approval required; reversible freeze period before permanent deactivation; global kill switch.
- Spoofed approval clicks. Each link is signed and single-use; the signature includes user ID, decision token, and expiry timestamp.
- Replay of ITSM webhooks. Each provider's signature scheme is verified; webhook events that don't match a known open case are rejected.
- Privilege escalation via LR objects. The LR_Admin permission set grants the minimum required object access. Standard Salesforce sharing rules apply to all LR records.
- Loss of audit trail. LR_DeactivationLog__c is append-only by configuration (no delete permission for LR_Admin); records cannot be modified after creation.
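The "replay of ITSM webhooks" item above, together with the webhook verification described under Authentication & authorization (HMAC-SHA256 over the request body with a shared secret, HTTP 401 for unsigned or invalid requests, rejection of events that match no open case), can be checked against a small model of the inbound resource. This is an added Python example for this review, not the package's LR_ItsmWebhookResource Apex code: the signature header name, the JSON event shape, the 400 and 404 status codes for malformed and unmatched events, and the constructed secret and ticket IDs are assumptions (the page only specifies 401 for signature failures). It models the shared-secret provider scheme only, not the Serval JWT or JSM allowlist variants.

```python
import hashlib
import hmac
import json

SIG_HEADER = "X-LR-Signature"   # hypothetical header name; the page does not state the real one


def sign_body(secret: bytes, body: bytes) -> str:
    """What the ITSM side attaches: HMAC-SHA256 over the raw request body."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


class ItsmWebhookResource:
    """Model of the inbound webhook resource for the shared-secret provider scheme (not the package's code)."""

    def __init__(self, shared_secret: bytes, open_cases: dict):
        self._secret = shared_secret
        self._open_cases = open_cases   # ticket id -> case id; constructed stand-in for open LR_ReclaimCase__c records
        self.resolved = []              # (case id, state) for events that were accepted

    def handle(self, headers: dict, body: bytes):
        """Return (http_status, detail). The raw body is verified before it is parsed."""
        sig = headers.get(SIG_HEADER)
        if sig is None:
            return 401, "missing signature"               # page: unsigned requests get 401
        if not hmac.compare_digest(sign_body(self._secret, body), sig):
            return 401, "invalid signature"               # page: invalid requests get 401
        try:
            event = json.loads(body)
            ticket_id, state = event["ticket_id"], event["state"]
        except (ValueError, KeyError, TypeError):
            return 400, "malformed event"                 # assumed status code
        if state != "closed":
            return 200, "acknowledged, case left open"    # only closure events change case state in this model
        case_id = self._open_cases.pop(ticket_id, None)
        if case_id is None:
            return 404, "no open case for ticket"         # assumed status; page says such events are rejected
        self.resolved.append((case_id, state))
        return 200, f"case {case_id} resolved"


def walkthrough():
    """Unsigned, wrong-key, tampered, accepted, then replayed delivery; returns the status codes."""
    secret = b"constructed-shared-secret"
    res = ItsmWebhookResource(secret, {"INC0001": "LR-CASE-1"})   # constructed ticket/case ids
    body = json.dumps({"ticket_id": "INC0001", "state": "closed"}).encode()
    good = {SIG_HEADER: sign_body(secret, body)}
    forged = {SIG_HEADER: sign_body(b"wrong-secret", body)}
    tampered = body.replace(b"closed", b"reopened")      # body altered after signing
    return [
        res.handle({}, body)[0],          # no signature at all
        res.handle(forged, body)[0],      # signed with a different secret
        res.handle(good, tampered)[0],    # valid signature, but not over this body
        res.handle(good, body)[0],        # genuine delivery: case resolved
        res.handle(good, body)[0],        # identical replay: the case is no longer open
    ]


if __name__ == "__main__":
    print(walkthrough())
```

Two points a reviewer would look for are visible here: the MAC is computed over the exact bytes received, before JSON parsing, so a re-serialised or padded body cannot pass; and a replayed event carrying a still-valid signature is rejected because the case it refers to is no longer open, which is the check the threat model relies on rather than any per-message nonce.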
Compliance
- License Reclaim is delivered as a Salesforce managed package and inherits the customer's existing compliance posture (SOC 2, ISO 27001, HIPAA, etc.) since data never leaves the org.
- The append-only audit log supports SOX-style change-control review.
- For GDPR contexts: License Reclaim does not act as a data processor — all user data remains in the customer's Salesforce instance (the data controller's own system).
Incident response
- Kill switch. One Setup toggle halts every freeze, deactivation, and outbound notification mid-cycle. In-flight Apex jobs check this flag before any User-object DML.
- Rollback. Every deactivation is logged with original user state; a one-click reactivation restores the user and reverses the savings event.
- Disclosure. Security issues should be reported to /contact with topic "Security review". We acknowledge within 1 business day.
Open source & licensing
License Reclaim is proprietary commercial software distributed under a per-org subscription. No open-source components ship with the package. The customer's subscription agreement governs use, distribution, and warranty.
Document version: 2025-01-26. For questions, contact us.