Frequently Asked Questions
Find answers to common questions about the Salesforce Readiness Scanner
The application uses Salesforce's standard OAuth authentication: users log into their Salesforce org and grant the scanner permission to read data. The scanner uses an external Connected App that is registered and managed by the scanner application administrators (not within your Salesforce org), so it appears in "Connected Apps OAuth Usage", where you can see and revoke authorized apps, but not in "Manage Connected Apps" or App Manager. The Connected App configuration (client ID, client secret, and callback URL) is stored as environment variables on the scanner's servers. Once you connect, the system stores access tokens in the database encrypted with AES and automatically refreshes them when needed, so you don't have to log in repeatedly. If a token becomes invalid (e.g., password changed, token revoked), the system detects this and prompts you to reconnect. The implementation follows security best practices: PKCE (Proof Key for Code Exchange), CSRF protection via unique state tokens, and automatic token lifecycle management, including token revocation when you disconnect your org from the scanner.
Yes, there is some risk for large organizations. The scanner currently has no throttling or call-counting mechanism. Each scan module makes dozens to hundreds of API calls depending on org size. If the API limit is close to being hit, the scanner could cause service disruption. However, the scanner won't be the main contributor to hitting the API limits.
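The sketch below is an added example, not the scanner's own code: one shape a call-counting guard could take. It relies on the `Sforce-Limit-Info` header that Salesforce REST API responses return; the `ScanBudget` class, its thresholds, and the sample header values are hypothetical and constructed for illustration.

```python
import re

# Salesforce REST responses carry a header such as
#   Sforce-Limit-Info: api-usage=18/5000; per-app-api-usage=17/250(appName=sample-connected-app)
# Anchor on start-of-string or ';' so "per-app-api-usage" is never mistaken for the org total.
_USAGE = re.compile(r"(?:^|;)\s*api-usage=(\d+)/(\d+)")


def parse_limit_info(header):
    """Return (used, daily_max) from a Sforce-Limit-Info value, or None if absent or malformed."""
    m = _USAGE.search(header or "")
    if not m:
        return None
    used, daily_max = int(m.group(1)), int(m.group(2))
    return (used, daily_max) if daily_max > 0 else None


class ScanBudget:
    """Hypothetical guard: counts this scan's own calls and watches org-wide daily usage."""

    def __init__(self, max_scan_calls=500, org_ceiling=0.80):
        self.max_scan_calls = max_scan_calls  # assumed cap on calls made by one scan
        self.org_ceiling = org_ceiling        # assumed fraction of the daily limit to stay under
        self.scan_calls = 0
        self.org_used = None
        self.org_max = None

    def record(self, limit_info_header):
        """Call once per API response, passing its Sforce-Limit-Info header value (or None)."""
        self.scan_calls += 1
        parsed = parse_limit_info(limit_info_header)
        if parsed:
            self.org_used, self.org_max = parsed

    def may_continue(self):
        """Return (ok, reason); a scan module checks this before issuing its next call."""
        if self.scan_calls >= self.max_scan_calls:
            return False, "scan call cap reached"
        if self.org_max and self.org_used / self.org_max >= self.org_ceiling:
            return False, "org daily API usage above ceiling"
        return True, "ok"
```

Because the header reports org-wide usage, the guard also reacts to consumption by other integrations, not only to the scan's own calls.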
The scanner has read-only access to your Salesforce org's configuration, settings, and some actual data for analysis purposes. It reads user information including email addresses, full names, usernames, last login dates, and permissions for security and user activity analysis. It accesses contact information from standard objects like Contacts and Accounts (emails, phone numbers, country/state values) to detect duplicates and validate data quality, plus some field values to identify data patterns. This data is processed in-memory for statistical analysis and then discarded, with only counts and sample record IDs stored so you can fix issues. The scanner also reads configuration and metadata including report/dashboard names and owners, permission sets, profiles, sharing rules, automation names (Apex, Flows, validation rules; not their source code), integration endpoint URLs, custom object schemas, and usage statistics like API limits, storage consumption, and license allocation. However, it does NOT read descriptive business data like account/contact/opportunity names, descriptions, or addresses, opportunity amounts or deal details, case contents, the actual values in custom object records (only counts and statistics), source code content, passwords/API credentials/tokens, or detailed audit logs. The scanner uses standard Salesforce API permissions and is purely read-only; it never modifies your data.
