Security & Trust
Last Updated: February 11, 2026
At QuikForms, LLC, security is foundational to how we design, build, and deliver our product. This page describes the security architecture, controls, and practices that protect your data when you use QuikForms.
If you have questions about any of the topics covered here, please contact us at [email protected].
Architecture Overview
Your Data Stays in Your Org
All form submission data is stored in your Salesforce org -- not on QuikForms infrastructure.
QuikForms does not operate external servers, databases, or data lakes for customer data. When a form is submitted, the data is written directly to Salesforce objects within your org. File uploads are stored as Salesforce ContentDocument records in your org. Analytics rollups, exception logs, and configuration data all live in your org.
This architecture means:
- You maintain full control over your data at all times.
- Your existing Salesforce security controls (profiles, permission sets, sharing rules, field-level security, encryption) apply automatically.
- Data residency is determined by your Salesforce instance -- not by us.
- You can delete any QuikForms data at any time using standard Salesforce tools.
- QuikForms does not have standing access to data in your org.
How It Works
End-User's Browser
|
v
Salesforce Experience Cloud Site (your org)
|
v
QuikForms REST API (Apex, running in your org)
|-- Validates input
|-- Verifies CAPTCHA (Cloudflare Turnstile)
|-- Checks rate limits
|-- Enforces FLS/CRUD
|-- Creates records in YOUR Salesforce objects
|
v
Your Salesforce Data (Cases, Leads, Contacts, Custom Objects)The only external service call made during a form submission is the Cloudflare Turnstile CAPTCHA verification, which validates that the submission comes from a human. This call transmits only the CAPTCHA token -- not your form data.
Managed Package Protection
As a Salesforce managed package (namespace: quikforms), the source code is compiled and obfuscated by Salesforce. Customers cannot view or modify the package internals, which protects the integrity of security controls. Package updates are distributed securely through the Salesforce AppExchange.
Bot Protection & Abuse Prevention
Cloudflare Turnstile CAPTCHA
QuikForms uses Cloudflare Turnstile for human verification -- a privacy-preserving alternative to traditional CAPTCHAs.
- Server-side verification: Tokens are validated server-side via Named Credential callout to Cloudflare.
- Configurable per form: Theme, size, and interaction mode are configurable. CAPTCHA can be disabled per-form.
- No form data transmitted: Only the verification token is sent to Cloudflare.
Honeypot Fields
A hidden form field invisible to human users but detected by bots. Enabled by default. Bot submissions are silently rejected with a fake success response.
Rate Limiting
Configurable per-IP rate limiting using Salesforce Platform Cache. Fail-open design preserves availability if Platform Cache is unavailable. Rate limit events are logged.
Input Validation
| Validation Type | Description |
|---|---|
| Required fields | Server-side enforcement regardless of client-side validation state. |
| Regex pattern validation | Custom regex patterns applied server-side to validate field values. |
| Email format validation | Dedicated email validation with optional email confirmation field. |
| Field type validation | Values validated against expected Salesforce field types. |
| Forbidden objects list | Hardcoded blocklist prevents writes to sensitive system objects (User, Profile, PermissionSet, etc.). |
Data Protection & Privacy
IP Address Hashing
IP addresses are processed using SHA-256 with a daily rotating salt. The raw IP address is not stored by default. Because the date acts as a daily rotating salt, the same IP produces a different hash each day and cannot be reverse-engineered. Administrators can optionally enable raw IP logging via Log_User_Browser_Info__c.
Sensitive Data Filtering in Logs
The exception logging system automatically redacts sensitive data patterns including: password, apikey, token, secret, ssn, social_security, cardnumber, cvv, creditcard, and more.
Field-Level Security & CRUD Enforcement
- SOQL queries use
WITH SECURITY_ENFORCEDto prevent data leakage. - Object and field createability checks are enforced before record insertion.
- Guest User context inherits limited permissions.
Access Control
Origin & Referrer Verification
Configurable allowlist of valid referrer domains (comma-separated list). Submissions from unrecognized origins are rejected with a 403 response. Unauthorized origin attempts are logged for security monitoring.
Guest User Permissions
| Object | Create | Read | Edit | Delete |
|---|---|---|---|---|
| Form configuration objects | -- | Yes | -- | -- |
| Target submission objects | Yes | -- | -- | -- |
| Exception log objects | -- | -- | -- | -- |
Monitoring & Logging
Exception Logging
Centralized exception logging captures errors from Apex (APEX-), Lightning Web Components (LWC-), and REST API (API-) with structured error codes, severity levels, stack traces, transaction IDs, and governor limits snapshots.
Configurable Log Levels
| Level | What Gets Logged |
|---|---|
| Debug | Everything |
| Info | Critical, High, Medium, Info |
| Warning | Critical, High, Medium |
| Error | Critical, High |
| Critical | Critical only |
| None | Logging disabled |
Platform Events
Real-time events for monitoring and automation:
QuikForms_Submission_Complete__e-- After every successful submission.QuikForms_Validation_Failed__e-- When server-side validation fails.
Data Retention
| Data Type | Default Retention | Configuration Setting | Cleanup |
|---|---|---|---|
| Analytics rollup records | 365 days | Analytics_Retention_Days__c | Automatic |
| Exception logs | 7 days | Exception_Log_Retention_Days__c | Automatic |
| Survey tokens | 30 days | Valid_Survey_Days__c | Token expiration |
| Form submission records | Indefinite | N/A (standard Salesforce data) | Customer-managed |
Salesforce Platform Security
Certifications (Inherited from Salesforce)
- SOC 1 / SOC 2 Type II -- Annual audits covering security, availability, processing integrity, confidentiality, and privacy.
- ISO 27001 / ISO 27017 / ISO 27018 -- Information security management, cloud security, and PII protection.
- FedRAMP -- Government Cloud is FedRAMP authorized.
- PCI DSS -- Salesforce Shield supports PCI compliance.
Visit trust.salesforce.com for the current list.
Platform Security Controls
| Control | Description |
|---|---|
| Encryption at rest | AES-256 encryption. Salesforce Shield supports customer-managed keys. |
| Encryption in transit | TLS 1.2+ for all data in transit. |
| Authentication | Multi-factor authentication, SSO, and session management. |
| Audit trail | Setup Audit Trail records all administrative changes. |
| Event monitoring | Salesforce Shield Event Monitoring for detailed activity logs. |
AppExchange Security Review
QuikForms has passed the Salesforce AppExchange Security Review, which includes automated static code analysis (PMD, Checkmarx), manual code review, CRUD/FLS enforcement verification, secure coding practice validation, and review of external callout patterns.
OWASP Top 10 Coverage
| # | OWASP Risk | QuikForms Controls |
|---|---|---|
| A01 | Broken Access Control | CRUD/FLS checks; forbidden objects list; origin verification; preview token auth; guest user least-privilege. |
| A02 | Cryptographic Failures | SHA-256 IP hashing with rotating salt; TLS 1.2+; AES-256 at rest; Named Credentials for secrets. |
| A03 | Injection | Parameterized SOQL (bind variables); WITH SECURITY_ENFORCED; server-side input validation; platform output encoding. |
| A04 | Insecure Design | Defense-in-depth (honeypot + CAPTCHA + rate limiting + validation); silent honeypot rejection; sensitive data filtering. |
| A05 | Security Misconfiguration | Secure defaults (honeypot, CAPTCHA, hashing enabled); hardcoded forbidden objects list. |
| A06 | Vulnerable Components | Managed package updates via AppExchange; no third-party JS libraries; Cloudflare Turnstile from CDN. |
| A07 | Auth Failures | Salesforce authentication for admin; Turnstile for public forms; cryptographic preview tokens; survey token expiration. |
| A08 | Integrity Failures | Managed package code obfuscated by Salesforce; signed package updates; server-side field mappings. |
| A09 | Logging Failures | Centralized logging with structured error codes; configurable severity; platform events; origin logging; rate limit logging. |
| A10 | SSRF | Only external callout is to Cloudflare Turnstile via fixed Named Credential endpoint. User input cannot influence destination. |
Compliance
GDPR Readiness
- Data minimization: IP addresses hashed by default. Raw IPs only stored when explicitly enabled.
- Right to erasure: All data resides in your Salesforce org and can be deleted with standard tools.
- Data portability: Submission data in standard Salesforce objects, exportable via Data Loader or APIs.
- Configurable retention: Analytics and log retention periods are configurable.
- Data Processing Agreement: Available. See our DPA.
- Processor role: QuikForms acts as Data Processor. You are the Data Controller.
CCPA / CPRA Readiness
- No sale of personal information: QuikForms does not sell, share, or use data for advertising or profiling.
- Data access and deletion: All data is in your Salesforce org -- direct control over access, correction, and deletion.
- Sensitive personal information: Automatic sensitive data filtering in logs.
SOC 2
QuikForms inherits SOC 2 compliance from the Salesforce platform. All data is stored within Salesforce's SOC 2 Type II audited infrastructure.
Responsible Disclosure
If you believe you have found a security vulnerability in QuikForms, please send vulnerability reports to [email protected] and include:
- A description of the vulnerability and its potential impact
- Detailed steps to reproduce the issue
- Any proof-of-concept code or screenshots
- Your contact information (optional)
We will acknowledge receipt within two (2) business days, investigate and assess severity, work to resolve confirmed vulnerabilities promptly, and with your permission, acknowledge your contribution. We will not take legal action against individuals who discover and report vulnerabilities in good faith.
Frequently Asked Questions
Does QuikForms store my form data on your servers?
No. All form submission data is stored in your Salesforce org.
What external services does QuikForms connect to?
Only Cloudflare Turnstile for CAPTCHA verification. Your form data is never sent externally.
Can QuikForms employees access my data?
No. QuikForms does not have standing access to data in your Salesforce org.
Is QuikForms HIPAA compliant?
QuikForms runs on Salesforce, which offers HIPAA-compliant configurations. Contact us to discuss your specific requirements.
Can I disable analytics tracking?
Yes. Analytics can be disabled entirely via the Analytics_Enabled__c setting.
Does QuikForms support Salesforce Shield encryption?
Yes. Shield Platform Encryption can be applied to QuikForms data fields.
Contact
Email: [email protected]
Website: www.sfquikforms.com
This document describes the security controls implemented in the QuikForms managed package as of February 11, 2026. Security is an ongoing effort, and we continuously evaluate and improve our controls.