Last updated: June 2026
For data processed through the service, you act as the data controller and SchemaForce acts as the data processor. We process data only on your documented instructions, which include your use of the product.
We process Salesforce metadata — object and field definitions, picklists, relationships, descriptions, and configuration — together with the account data needed to operate the service. We do not process the contents of your Salesforce records.
We encrypt Salesforce credentials at rest, isolate tenant data with row-level security, restrict access to authorized systems and personnel, and keep tokens and identifiers out of URLs.
We engage a limited set of subprocessors to provide infrastructure (database, hosting, billing, and language-model services). None receive the contents of your records. We maintain the current list on our Security page and will provide notice of material changes.
We will assist you, taking into account the nature of processing, in responding to data subject requests and in meeting your security, breach-notification, and impact-assessment obligations.
On termination, you may export or request deletion of processed data, subject to legal retention requirements.