GDPR Controls

This page lists SBS controls tagged for this regulation or framework. The mappings are indicative only and help readers identify controls that directly support demonstrating compliance.

These entries are an index into the benchmark. The canonical control content remains on the benchmark pages.

  • Total tagged controls: 32
  • Benchmark sections represented: 9

Controls By Benchmark Section

Access Controls

5 control(s) in this benchmark section.

SBS-ACS-003: Documented Justification for Approve Uninstalled Connected Apps Permission

Critical Source page

Control Statement: The Approve Uninstalled Connected Apps permission must only be assigned to highly trusted users with documented justification and must not be granted to end-users.

Why tagged: Third-party access to personal data must be restricted and demonstrably governed.

SBS-ACS-004: Documented Justification for All Super Admin–Equivalent Users

High Source page

Control Statement: All users with simultaneous View All Data, Modify All Data, and Manage Users permissions must be documented in a system of record with clear business or technical justification.

Why tagged: Requires accountability for who can access and process personal data without restriction.
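The Super Admin–equivalent set named in this control can be enumerated from the org itself rather than from a spreadsheet. The following Apex is an added example, not part of the SBS benchmark, that lists active users holding View All Data, Modify All Data and Manage Users at the same time, whether through their profile or through an assigned permission set. It assumes nothing beyond the standard PermissionSet and PermissionSetAssignment objects; the class and field names of the finding are ours.

```apex
// Added example (not from the SBS benchmark): enumerate active users who hold
// View All Data, Modify All Data and Manage Users simultaneously.
public with sharing class SuperAdminEquivalentReport {

    public class Finding {
        public Id userId;
        public String username;
        // Profiles or permission sets that contribute at least one of the three permissions.
        public Set<String> grantedVia = new Set<String>();
    }

    private static final Set<String> REQUIRED = new Set<String>{
        'ViewAllData', 'ModifyAllData', 'ManageUsers'
    };

    // Returns one Finding per active user holding all three permissions.
    public static List<Finding> findSuperAdminEquivalents() {
        Map<Id, Finding> candidates = new Map<Id, Finding>();
        Map<Id, Set<String>> permsByUser = new Map<Id, Set<String>>();

        // A profile is represented as a PermissionSet with IsOwnedByProfile = true,
        // so one query over PermissionSetAssignment covers both sources.
        for (PermissionSetAssignment psa : [
            SELECT AssigneeId, Assignee.Username,
                   PermissionSet.Name, PermissionSet.IsOwnedByProfile,
                   PermissionSet.Profile.Name,
                   PermissionSet.PermissionsViewAllData,
                   PermissionSet.PermissionsModifyAllData,
                   PermissionSet.PermissionsManageUsers
            FROM PermissionSetAssignment
            WHERE Assignee.IsActive = true
              AND (PermissionSet.PermissionsViewAllData = true
                   OR PermissionSet.PermissionsModifyAllData = true
                   OR PermissionSet.PermissionsManageUsers = true)
        ]) {
            if (!permsByUser.containsKey(psa.AssigneeId)) {
                permsByUser.put(psa.AssigneeId, new Set<String>());
                Finding f = new Finding();
                f.userId = psa.AssigneeId;
                f.username = psa.Assignee.Username;
                candidates.put(psa.AssigneeId, f);
            }
            Set<String> perms = permsByUser.get(psa.AssigneeId);
            if (psa.PermissionSet.PermissionsViewAllData)   perms.add('ViewAllData');
            if (psa.PermissionSet.PermissionsModifyAllData) perms.add('ModifyAllData');
            if (psa.PermissionSet.PermissionsManageUsers)   perms.add('ManageUsers');

            String source = psa.PermissionSet.IsOwnedByProfile
                ? 'Profile:' + psa.PermissionSet.Profile.Name
                : 'PermissionSet:' + psa.PermissionSet.Name;
            candidates.get(psa.AssigneeId).grantedVia.add(source);
        }

        // Keep only users whose union of grants covers all three permissions.
        List<Finding> results = new List<Finding>();
        for (Id userId : permsByUser.keySet()) {
            if (permsByUser.get(userId).containsAll(REQUIRED)) {
                results.add(candidates.get(userId));
            }
        }
        return results;
    }
}
```

Run it from Anonymous Apex or a scheduled job and diff the result against the system of record the control requires; any user in the output with no justification entry is a finding. Permission set groups are not expanded here (an assumption worth checking separately if the org uses them), and the same query shape works for any other PermissionSet boolean, such as the API and connected-app permissions covered by SBS-ACS-003 and SBS-ACS-006, by swapping the field names.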

SBS-ACS-006: Documented Justification for Use Any API Client Permission

Critical Source page

Control Statement: The Use Any API Client permission, which bypasses default behavior in orgs with "API Access Control" enabled, must only be assigned to highly trusted users with documented justification and must not be granted to end-users.

Why tagged: Third-party and API access to personal data must be restricted and justified.

SBS-ACS-010: Enforce Periodic Access Review and Recertification

Moderate Source page

Control Statement: All user access and configuration influencing permissions and sharing must be formally reviewed and recertified at least annually by designated business stakeholders, with documented approval and remediation of unauthorized or excessive access.

Why tagged: Requires ability to demonstrate appropriate measures; periodic access recertification is expected.

SBS-ACS-011: Enforce Governance of Access and Authorization Changes

High Source page

Control Statement: All changes to Salesforce user access and authorization must be governed through a documented process that requires approval, records business justification, and produces an auditable record of the change.

Why tagged: Changes affecting access to personal data must be governed and auditable for accountability.

Authentication

3 control(s) in this benchmark section.

SBS-AUTH-001: Enable Organization-Wide SSO Enforcement Setting

Critical Source page

Control Statement: Salesforce production orgs must enable the org-level setting that disables Salesforce credential logins for all users.

Why tagged: Appropriate technical measures for access to personal data; centralized authentication supports accountability.

SBS-AUTH-002: Govern and Document All Users Permitted to Bypass Single Sign-On

Moderate Source page

Control Statement: All users who do not have the "Is Single Sign-On Enabled" permission must be explicitly authorized, documented in a system of record, and limited to approved administrative or break-glass use cases.

Why tagged: Accountability for who had access and why; documented exceptions support appropriate measures.

SBS-AUTH-004: Enforce Strong Multi-Factor Authentication for External Users with Substantial Access to Sensitive Data

Critical Source page

Control Statement: All Salesforce interactive authentication flows for external human users with substantial access to sensitive data must enforce multi-factor authentication that includes at least one strong authentication factor.

Why tagged: Appropriate technical measures for personal data; strong authentication for sensitive access is expected.

Code Security

2 control(s) in this benchmark section.

SBS-CODE-003: Implement Persistent Apex Application Logging

High Source page

Control Statement: Organizations must implement an Apex-based logging framework that writes application log events to durable Salesforce storage and must not rely on transient Salesforce debug logs for operational or security investigations.

Why tagged: Ability to demonstrate appropriate measures and investigate incidents involving personal data.

SBS-CODE-004: Prevent Sensitive Data in Application Logs

Critical Source page

Control Statement: Custom application logging frameworks and Salesforce system logging mechanisms must not capture, store, or transmit credentials, authentication tokens, personally identifiable information (PII), regulated data, or other sensitive values in log messages or structured log fields.

Why tagged: Personal data must not be captured or stored inappropriately; log sanitization is a technical measure.
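The two Code Security controls above are usually met by the same component: a logger that writes to durable storage (SBS-CODE-003) and redacts before it writes (SBS-CODE-004). The following is an added example, not code from the SBS benchmark, showing that shape. It assumes a platform event Log_Event__e configured to publish immediately, a custom object Application_Log__c, and the custom fields used below; the redaction patterns are constructed and should be tuned to the org's own data classification.

```apex
// Added example (not from the SBS benchmark).
// File: AppLogger.cls  --  redact, then publish to a platform event so the
// entry survives a rollback of the calling transaction's DML.
public with sharing class AppLogger {

    // Constructed redaction patterns; the replacement list is parallel to this one.
    private static final List<Pattern> REDACT = new List<Pattern>{
        // key=value style credentials and tokens, case-insensitive
        Pattern.compile('(?i)(authorization|bearer|token|password|secret|client_secret)\\s*[=:]\\s*\\S+'),
        // Salesforce session Id: 15-char org Id, '!', then the session part
        Pattern.compile('00D\\w{12,15}![\\w.]+'),
        // e-mail address
        Pattern.compile('[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\\.[A-Za-z]{2,}'),
        // 13 to 16 digit runs with optional spaces or dashes (card-like numbers)
        Pattern.compile('\\b(?:\\d[ -]?){13,16}\\b')
    };
    private static final List<String> REPLACEMENT = new List<String>{
        '$1=[REDACTED]', '[REDACTED_SESSION]', '[REDACTED_EMAIL]', '[REDACTED_NUMBER]'
    };

    // Assumed length of Message__c; keep the insert from failing on a large payload.
    private static final Integer MAX_MESSAGE = 131072;

    // Pure function so it can be unit-tested without DML.
    public static String sanitize(String message) {
        if (message == null) return null;
        String out = message;
        for (Integer i = 0; i < REDACT.size(); i++) {
            out = REDACT[i].matcher(out).replaceAll(REPLACEMENT[i]);
        }
        return out.length() > MAX_MESSAGE ? out.substring(0, MAX_MESSAGE) : out;
    }

    public static void log(String level, String source, String message) {
        Log_Event__e evt = new Log_Event__e(
            Level__c      = level,
            Source__c     = source,
            // Request Id ties log lines to the Event Monitoring record for the same request.
            Request_Id__c = Request.getCurrent().getRequestId(),
            Message__c    = sanitize(message)
        );
        EventBus.publish(evt);
    }
}

// File: LogEventTrigger.trigger  --  subscriber that persists the event to
// the custom object, which is the durable store investigations query.
trigger LogEventTrigger on Log_Event__e (after insert) {
    List<Application_Log__c> rows = new List<Application_Log__c>();
    for (Log_Event__e e : Trigger.new) {
        rows.add(new Application_Log__c(
            Level__c      = e.Level__c,
            Source__c     = e.Source__c,
            Request_Id__c = e.Request_Id__c,
            Message__c    = e.Message__c
        ));
    }
    insert rows;
}
```

Callers use AppLogger.log('ERROR', 'PaymentService', ex.getMessage() + ' ' + ex.getStackTraceString()) instead of System.debug. Redaction happens in the publisher, not the subscriber, so nothing sensitive is ever carried on the event bus; the trigger then only copies fields. Exception messages from callouts are a common leak path, since they frequently echo the request that failed, which is why the first pattern targets header-style credentials.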

Customer Portals

4 control(s) in this benchmark section.

SBS-CPORTAL-001: Prevent Insecure Direct Object Reference (IDOR) in Portal Apex

Critical Source page

Control Statement: All Apex methods exposed to Experience Cloud or customer portal users must enforce server-side authorization for every record accessed or modified. User-supplied parameters (including record IDs, filters, field names, or relationship references) must not be trusted as the basis for access control and must be validated against the running user's sharing, CRUD, and FLS permissions before use.

Why tagged: Appropriate technical measures to prevent unauthorized access to personal data.
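As an added example, not code from the SBS benchmark, the following shows the vulnerable shape the control describes next to a hardened version. The class, method and field-allowlist names are ours; the Salesforce features used (WITH USER_MODE, Database.query with AccessLevel, describe metadata) are standard.

```apex
// Added example (not from the SBS benchmark).

// VULNERABLE, as described by SBS-CPORTAL-001: the class runs without sharing,
// so the query ignores the portal user's record access, and the caller-supplied
// Id is the only thing deciding which Case comes back. Any Case Id works.
public without sharing class VulnerablePortalCaseController {
    @AuraEnabled
    public static Case getCase(Id caseId) {
        return [SELECT Id, Subject, Description FROM Case WHERE Id = :caseId];
    }
}

// HARDENED: sharing rules, object CRUD and field-level security are enforced
// for the running user, and user-supplied field names are validated against an
// allowlist and the object's describe metadata before they touch SOQL.
public with sharing class PortalCaseController {

    // Lower-case API names the portal is permitted to read.
    private static final Set<String> ALLOWED_FIELDS = new Set<String>{
        'subject', 'description', 'status'
    };

    @AuraEnabled(cacheable=true)
    public static Case getCase(Id caseId) {
        // Reject Ids of other object types before querying.
        if (caseId == null || caseId.getSobjectType() != Case.SObjectType) {
            throw new AuraHandledException('Invalid record reference.');
        }
        // USER_MODE applies sharing and FLS regardless of the class modifier;
        // a record the user cannot see simply returns zero rows.
        List<Case> rows = [
            SELECT Id, Subject, Description, Status
            FROM Case
            WHERE Id = :caseId
            WITH USER_MODE
            LIMIT 1
        ];
        if (rows.isEmpty()) {
            // Same message for "missing" and "not yours" so Ids cannot be probed.
            throw new AuraHandledException('Record not found.');
        }
        return rows[0];
    }

    // Field names chosen by the client are validated, never concatenated as-is.
    @AuraEnabled
    public static List<Case> listCases(List<String> requestedFields) {
        Map<String, Schema.SObjectField> fieldMap = Schema.SObjectType.Case.fields.getMap();
        List<String> safeFields = new List<String>{ 'Id' };
        for (String f : requestedFields) {
            String key = f == null ? '' : f.toLowerCase();
            if (!ALLOWED_FIELDS.contains(key) || !fieldMap.containsKey(key)) {
                throw new AuraHandledException('Field not permitted: ' + f);
            }
            // Use the canonical API name from describe, not the caller's string.
            safeFields.add(fieldMap.get(key).getDescribe().getName());
        }
        String soql = 'SELECT ' + String.join(safeFields, ', ')
                    + ' FROM Case ORDER BY CreatedDate DESC LIMIT 50';
        // USER_MODE on dynamic SOQL: sharing applies to rows, and a field the
        // user lacks FLS for raises a QueryException instead of leaking.
        return Database.query(soql, AccessLevel.USER_MODE);
    }
}
```

The allowlist is the part reviewers most often miss: USER_MODE stops a portal user from reading a field they have no FLS for, but without the allowlist a client can still request any field the guest or community profile happens to be granted, which is frequently more than the page was designed to show.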

SBS-CPORTAL-002: Restrict Guest User Record Access

Critical Source page

Control Statement: Unauthenticated guest users in customer portals must be restricted to authentication and registration flows only, with no direct access to business objects or custom Apex methods that query organizational data.

Why tagged: Appropriate measures to prevent unauthorized access to personal data; guest access must be restricted.

SBS-CPORTAL-004: Prevent Parameter-Based Record Access in Portal-Exposed Flows

Critical Source page

Control Statement: Autolaunched Flows exposed to customer portal users must not accept user-supplied input variables that directly determine which records are accessed.

Why tagged: Appropriate technical measures to prevent unauthorized access to personal data through flows.

SBS-CPORTAL-005: Conduct Penetration Testing for Portal Security

High Source page

Control Statement: Organizations with Experience Cloud sites must conduct penetration testing of portal security controls before initial go-live and subsequently after major releases or on a defined cadence.

Why tagged: Article 32 requires regularly testing and evaluating the effectiveness of technical and organizational measures protecting personal data.

Data Security

4 control(s) in this benchmark section.

SBS-DATA-001: Implement Mechanisms to Detect Regulated Data in Long Text Area Fields

High Source page

Control Statement: The organization must implement a mechanism that continuously or periodically analyzes the contents of all Long Text Area fields to identify the presence of regulated or personal data.

Why tagged: Appropriate technical and organizational measures for personal data include knowing where regulated data is stored and being able to scope exposure.
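The detection mechanism this control calls for, and the inventory the next control (SBS-DATA-002) requires, can be built on describe metadata plus a batch scan. The following Apex is an added example, not code from the SBS benchmark. It assumes a custom object Regulated_Field_Inventory__c with the fields used below; the detector patterns are constructed and deliberately few, and the scan records hit counts only, never the matched values.

```apex
// Added example (not from the SBS benchmark): discover every Long/Rich Text
// Area field from describe metadata, scan one object per batch for
// personal-data patterns, and persist per-field hit counts as an inventory.
public with sharing class LongTextAreaScanBatch
        implements Database.Batchable<SObject>, Database.Stateful {

    // Constructed detectors; extend with the org's own identifiers.
    private static final Map<String, Pattern> DETECTORS = new Map<String, Pattern>{
        'email' => Pattern.compile('[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\\.[A-Za-z]{2,}'),
        'card'  => Pattern.compile('\\b(?:\\d[ -]?){13,16}\\b'),
        'phone' => Pattern.compile('\\+?\\d{1,3}[ .-]?\\(?\\d{2,4}\\)?[ .-]?\\d{3,4}[ .-]?\\d{3,4}')
    };

    private final String objectName;
    private final List<String> fieldNames;
    // "FieldName:kind" -> number of records that matched; kept across execute() calls.
    private final Map<String, Integer> hits = new Map<String, Integer>();

    public LongTextAreaScanBatch(String objectName, List<String> fieldNames) {
        this.objectName = objectName;
        this.fieldNames = fieldNames;
    }

    // Step 1: inventory candidates. TEXTAREA with length > 255 is a Long or Rich
    // Text Area; plain Text Area (255) is excluded. Event, metadata, history,
    // share and change-event objects are skipped.
    public static Map<String, List<String>> findLongTextAreaFields() {
        Map<String, List<String>> result = new Map<String, List<String>>();
        for (Schema.SObjectType t : Schema.getGlobalDescribe().values()) {
            Schema.DescribeSObjectResult d = t.getDescribe();
            String name = d.getName();
            if (!d.isQueryable() || d.isCustomSetting()
                || name.endsWith('__e') || name.endsWith('__mdt')
                || name.endsWith('History') || name.endsWith('Share')
                || name.endsWith('ChangeEvent')) {
                continue;
            }
            for (Schema.SObjectField f : d.fields.getMap().values()) {
                Schema.DescribeFieldResult fd = f.getDescribe();
                if (fd.getType() == Schema.DisplayType.TEXTAREA && fd.getLength() > 255) {
                    if (!result.containsKey(name)) result.put(name, new List<String>());
                    result.get(name).add(fd.getName());
                }
            }
        }
        return result;
    }

    // Step 2: one batch per object. The SOQL is assembled only from describe
    // names, never from user input.
    public static void scanAll() {
        Map<String, List<String>> fields = findLongTextAreaFields();
        for (String obj : fields.keySet()) {
            Database.executeBatch(new LongTextAreaScanBatch(obj, fields.get(obj)), 200);
        }
    }

    public Database.QueryLocator start(Database.BatchableContext bc) {
        return Database.getQueryLocator(
            'SELECT Id, ' + String.join(fieldNames, ', ') + ' FROM ' + objectName);
    }

    public void execute(Database.BatchableContext bc, List<SObject> scope) {
        for (SObject rec : scope) {
            for (String f : fieldNames) {
                String value = (String) rec.get(f);
                if (String.isBlank(value)) continue;
                for (String kind : DETECTORS.keySet()) {
                    if (DETECTORS.get(kind).matcher(value).find()) {
                        String key = f + ':' + kind;
                        hits.put(key, (hits.containsKey(key) ? hits.get(key) : 0) + 1);
                    }
                }
            }
        }
    }

    // Step 3: persist counts as the inventory the next control asks for.
    public void finish(Database.BatchableContext bc) {
        List<Regulated_Field_Inventory__c> rows = new List<Regulated_Field_Inventory__c>();
        for (String key : hits.keySet()) {
            List<String> parts = key.split(':');
            rows.add(new Regulated_Field_Inventory__c(
                Object_Name__c  = objectName,
                Field_Name__c   = parts[0],
                Data_Kind__c    = parts[1],
                Record_Count__c = hits.get(key),
                Last_Scanned__c = System.now()));
        }
        insert rows;
    }
}
```

Schedule LongTextAreaScanBatch.scanAll() on the cadence the control's "continuously or periodically" wording is interpreted to mean. Two practical caveats: Database.executeBatch is subject to the Apex flex queue limit, so orgs with many objects should enqueue in waves; and rich text values arrive as HTML, so a detector that expects clean text may need the markup stripped first.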

SBS-DATA-002: Maintain an Inventory of Long Text Area Fields Containing Regulated Data

Moderate Source page

Control Statement: The organization must maintain an up-to-date inventory of all Long Text Area fields that are known or detected to contain regulated or personal data.

Why tagged: Accountability and privacy-response obligations require an inventory of where personal data is stored.

SBS-DATA-003: Maintain Tested Backup and Recovery for Salesforce Data and Metadata

High Source page

Control Statement: Salesforce production orgs must maintain a documented backup and recovery capability for Salesforce data and metadata, and must test restoration on a defined schedule.

Why tagged: Article 32 expects the ability to restore availability and access to personal data in a timely manner after an incident.

SBS-DATA-004: Require Field History Tracking for Sensitive Fields

High Source page

Control Statement: The organization must maintain a documented list of sensitive fields and ensure Field History Tracking is enabled for each listed field on all in-scope objects.

Why tagged: Accountability for changes to personal data and sensitive attributes supports demonstrating appropriate technical and organizational measures.

Event Monitoring

4 control(s) in this benchmark section.

SBS-MON-001: Enable Event Monitoring Log Storage

High Source page

Control Statement: Organizations using Salesforce Event Monitoring must ensure that storage of required Event Monitoring logs is enabled for all event types necessary to support the organization's security monitoring and compliance policies.

Why tagged: Demonstrating appropriate measures for personal data requires retaining the event telemetry needed to investigate access and exposure.

SBS-MON-002: Retaining Event Logs

High Source page

Control Statement: Organizations must retain security event logs for the defined retention period and implement measures to protect the logs from tampering and unauthorized deletion to ensure forensic availability.

Why tagged: Accountability and incident investigation for personal data depend on retaining security logs for a sufficient period.

SBS-MON-003: Monitor for Suspicious Logins

High Source page

Control Statement: Organizations must continuously monitor and alert on anomalous login patterns to promptly detect and mitigate compromised accounts and application credentials.

Why tagged: Investigating suspicious authentication activity helps demonstrate who accessed systems processing personal data and whether access was legitimate.

SBS-MON-004: Monitor for Suspicious API Activity

High Source page

Control Statement: Organizations must continuously monitor and alert on all API activity to establish a baseline, detect anomalous and malicious activity, and identify potential application and integration abuse in a timely manner.

Why tagged: Accountability for personal data access includes detecting anomalous API-based access, export, and manipulation activity.

File Security

3 control(s) in this benchmark section.

Moderate Source page

Control Statement: Organizations must ensure that Public Content links have an appropriate expiry date.

Why tagged: Appropriate technical and organizational measures for personal data include limiting how long externally shared content remains accessible.

High Source page

Control Statement: Organizations must ensure that Public Content links to sensitive content have a password.

Why tagged: Appropriate technical measures for personal data include requiring authentication for sensitive externally shared content.

Moderate Source page

Control Statement: Organizations must implement a recurring process to review all active Public Content links and remove or remediate links that are no longer required, lack appropriate controls, or were created outside of current policy.

Why tagged: Accountability for personal data sharing includes reviewing externally shared links and removing links that are no longer justified.

Integrations

3 control(s) in this benchmark section.

SBS-INT-002: Inventory and Justification of Remote Site Settings

Moderate Source page

Control Statement: Organizations must maintain an authoritative inventory of all Remote Site Settings and document a business justification for each endpoint approved for Apex HTTP callouts.

Why tagged: Accountability for personal data flows includes documenting which outbound endpoints Salesforce is permitted to contact and why.

SBS-INT-003: Inventory and Justification of Named Credentials

Moderate Source page

Control Statement: Organizations must maintain an authoritative inventory of all Named Credentials and document a business justification for each external endpoint and authentication configuration approved for use in Salesforce.

Why tagged: Accountability for personal data access includes documenting authenticated external endpoints and why Salesforce is permitted to use them.

SBS-INT-004: Retain API Total Usage Event Logs for 30 Days

High Source page

Control Statement: The organization must retain API Total Usage event log data (EventLogFile EventType=ApiTotalUsage) for at least the immediately preceding 30 days using Salesforce-native retention or automated external export and storage.

Description:

If the organization’s Salesforce does not provide at least 30 days of ApiTotalUsage EventLogFile availability in Salesforce, the organization must automatically export newly available ApiTotalUsage event log files at least once every 24 hours to an external log store that retains a minimum of 30 days of data.

Why tagged: Accountability for personal data access includes retaining API activity logs long enough to investigate exposure and misuse.

OAuth Security

4 control(s) in this benchmark section.

SBS-OAUTH-001: Require Formal Installation of Connected Apps

Critical Source page

Control Statement: Organizations must formally install all connected apps used for OAuth authentication rather than relying on user-authorized OAuth connections.

Why tagged: Appropriate technical and organizational measures for personal data include centrally governed OAuth application controls.

SBS-OAUTH-002: Require Profile or Permission Set Access Control for Connected Apps

Critical Source page

Control Statement: Organizations must control access to each formally installed connected app exclusively through assigned profiles or permission sets.

Why tagged: Appropriate technical measures for personal data include explicit access scoping for OAuth-enabled applications.

SBS-OAUTH-003: Add Criticality Classification of OAuth-Enabled Connected Apps

High Source page

Control Statement: All OAuth-enabled Connected Apps must be recorded in an authoritative system of record and assigned a documented vendor criticality rating reflecting integration importance and data sensitivity.

Why tagged: Accountability for personal data access includes maintaining an inventory of OAuth-enabled applications and their business criticality.

SBS-OAUTH-004: Due Diligence Documentation for High-Risk Connected App Vendors

Moderate Source page

Control Statement: Organizations must review and retain available security documentation for all high-risk Connected App vendors and explicitly record any missing documentation as part of the vendor assessment.

Why tagged: Due diligence for vendors handling personal data includes reviewing available privacy and security documentation for high-risk connected apps.