Your data never leaves Salesforce
Data Cleanser runs natively on the Salesforce platform — all matching, grouping, and merging happen inside your org. No data is ever copied to an external server.
Managed AppExchange package. Passed Salesforce's mandatory security review.
The difference is where your data lives
Most dedup tools install a connected app, take OAuth API access, then copy your CRM data to their cloud to process it and push changes back. Data Cleanser does none of that — the work happens where your data already is.
To be fair: some competitors are also Salesforce-native. Data Cleanser is architected so nothing ever leaves the org — and it inherits your org's permission model with zero added attack surface.
Built so there is nothing to leak
Each of these follows from one architectural choice: keep the data — and the work — inside Salesforce.
Zero data egress
All processing happens in Apex on the Salesforce platform. There are no external HTTP callouts, no Named Credentials, and no Remote Site Settings anywhere in the package — your Account, Contact, and Lead data is never transmitted outside Salesforce.
No callouts · no Remote Site SettingsInherits your Salesforce security model
The app respects org-wide defaults, sharing rules, profiles, permission sets, and field-level security. It runs in user mode and enforces CRUD and field-level security checks — so it can never read or modify a record the logged-in user isn't already allowed to access.
Runs WITH USER_MODENo new attack surface
Because there is no external integration, there are no API tokens, OAuth secrets, or connection credentials that could be stolen or abused. There is no middleware to breach and nothing for an attacker to intercept in transit.
No tokens · no OAuth secretsNo third-party data processor
Your customer data is never shared with, stored by, or processed by another vendor. That removes the need for an additional Data Processing Agreement and eliminates the risk of a third-party breach exposing your CRM data.
No added DPAPassed Salesforce AppExchange Security Review
Data Cleanser is a managed package that completed Salesforce's mandatory, rigorous security review — the same bar Salesforce sets for any app it lists. The package source is compiled and locked, protecting against source-level tampering.
Managed · compiled & lockedYour existing Salesforce compliance carries over
Because data stays in your org, the posture you already rely on from Salesforce keeps applying — compatible with Shield Platform Encryption, Event Monitoring, and Field Audit Trail if your org uses them, plus your data-residency guarantees. Confirm specifics against your edition and certifications.
Compatible with Shield · Event MonitoringHardened against injection
All database queries use parameterized bind variables, so user-supplied values can never be interpreted as query logic. That closes the door on SOQL injection across the package.
Parameterized bind variablesNo external code or assets
The app loads no third-party CDN fonts, scripts, or trackers. Every asset is self-hosted within Salesforce, so there are no external resources that could be tampered with to compromise the page or exfiltrate data.
Self-hosted in SalesforceSafe, auditable merges
Merging is irreversible, so the app is safe by default: it previews the surviving golden record and exactly what is kept versus lost before any merge, requires explicit confirmation for destructive actions, and records every run in history for a full audit trail.
Preview · confirm · full historyLess to review, less to defend
The architecture is not just safer in theory — it removes work from the people who evaluate, procure, and secure the tools you run.
No new vendor to risk-assess and no extra DPA to negotiate, because nothing leaves your org. The review is about an app, not a data pipeline.
Your records stay under the data-residency and certifications your Salesforce org already provides — there is no second location to account for.
No middleware, no integration endpoints, and no standing API tokens to watch or rotate. There is simply no new perimeter to defend.
Because it runs in user mode, the app can only touch records the logged-in user can already access. There is no separate permission system to get wrong.
Questions a security review will ask
Does Data Cleanser make any external API callouts?
No. The package contains no HTTP callouts, no Named Credentials, and no Remote Site Settings. There is nowhere for data to be sent.
What permissions does it run with?
It runs in user mode (WITH USER_MODE) and enforces CRUD and field-level security, so it can never read or write a record the logged-in user cannot already access.
Is our data ever stored or processed outside Salesforce?
No. Matching, grouping, and merging all execute in Apex on the platform. No copy of your records is held anywhere else.
Do we need a separate DPA for Data Cleanser?
Because no data is shared with or processed by a third party, there is no additional data processor to cover. Confirm against your own legal requirements.
Was it independently security-reviewed?
Yes. It is a managed package that passed Salesforce's mandatory AppExchange Security Review, and the source is compiled and locked.
Does it work with Shield, Event Monitoring, or Field Audit Trail?
Yes — because data stays in your org, these are compatible and apply if enabled in your edition. Confirm the specifics for your org.
Put it in front of your security team
Get it on the AppExchange, or book a walkthrough built for reviewers — we will go through the architecture, the permission model, and the security review line by line.