June 18, 2025 Compliance • Exit Strategy

The Compliance Officer's Guide to Salesforce Exits

Engineering wants to move fast. Legal wants guarantees. Here's how to satisfy both.

By Tyler Colby

The Compliance Stakes

A Salesforce exit isn't just a technology project—it's a data governance event. Mishandle it and you're looking at:

  • GDPR violations: up to €20M or 4% of global annual turnover, whichever is higher
  • HIPAA penalties: $100–$50,000 per violation (tiered by culpability), capped at $1.5M per year per provision; HHS adjusts these figures for inflation
  • SOC 2 audit failures: loss of customer trust, contract violations
  • Lost audit trail: inability to respond to litigation or regulatory inquiries

Pre-Exit: Compliance Discovery (Week 1–2)

1. Data Inventory

What data do you have, where is it, and what laws govern it?

  • PII (GDPR, CCPA): Name, email, address, IP, device ID
  • PHI (HIPAA): Health records, consent forms, clinical data
  • PCI (Payment Card Industry): Card numbers, CVV, transaction logs
  • CUI (Controlled Unclassified Information): Export-controlled tech data, ITAR-regulated content

Tool: a data classification scanner. Tag every field with a sensitivity level, including free-text and long-text fields, which is where card numbers and clinical notes tend to hide.
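A minimal version of such a scanner, added here as an illustration rather than a tool the article names. It combines two signals: hints in the field API name and validators on sample values (email syntax, SSN format, and a Luhn check so that only plausible card numbers are tagged PCI). The keyword lists, the `SAMPLE_CONTACTS` rows and the priority order PCI > PHI > PII are assumptions for the example.

```python
import re
from collections import defaultdict

# Field-name hints, matched as substrings of the lowercased API name.
# Assumption: these lists are a starting point, not a complete taxonomy.
NAME_HINTS = {
    "PII": ("name", "email", "phone", "street", "mailing", "birthdate", "ssn",
            "ip_address", "device_id"),
    "PHI": ("diagnosis", "medication", "mrn", "clinical", "consent"),
    "PCI": ("card", "pan", "cvv", "expiry"),
}
# Words that mark PHI when they appear inside free-text values.
PHI_WORDS = ("diagnosis", "medication", "mrn")

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[a-z]{2,}$", re.I)
SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by card networks; filters out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify_value(value):
    """Sensitivity tag inferred from the value itself, or None."""
    if not isinstance(value, str):
        return None
    v = value.strip()
    if EMAIL_RE.match(v) or SSN_RE.match(v):
        return "PII"
    if any(w in v.lower() for w in PHI_WORDS):
        return "PHI"
    digits = re.sub(r"[ -]", "", v)
    if digits.isdigit() and 13 <= len(digits) <= 19 and luhn_ok(digits):
        return "PCI"
    return None


def classify_field(api_name, samples):
    """Combine name hints and value checks; the most sensitive tag wins."""
    name = api_name.lower()
    tags = {tag for tag, hints in NAME_HINTS.items() if any(h in name for h in hints)}
    tags.update(t for t in map(classify_value, samples) if t)
    for tag in ("PCI", "PHI", "PII"):
        if tag in tags:
            return tag
    return "NONE"


def scan_records(records):
    """records: list of dicts, one per row of one object. Returns {field: tag}."""
    samples = defaultdict(list)
    for rec in records:
        for field, value in rec.items():
            samples[field].append(value)
    return {field: classify_field(field, vals) for field, vals in samples.items()}


# Constructed sample rows for the example; not real Salesforce data.
SAMPLE_CONTACTS = [
    {"Id": "003xx0000001", "Name": "A. Example", "Email": "a@example.com",
     "Notes__c": "Prefers email", "Legacy_Ref__c": "4111 1111 1111 1111"},
    {"Id": "003xx0000002", "Name": "B. Example", "Email": "b@example.org",
     "Notes__c": "Diagnosis: see attached", "Legacy_Ref__c": "N/A"},
]

if __name__ == "__main__":
    for field, tag in sorted(scan_records(SAMPLE_CONTACTS).items()):
        print(f"{field:15} {tag}")
```

The point of scanning values and not just names: `Notes__c` and `Legacy_Ref__c` look harmless in the schema, yet one carries clinical text and the other a card number. Run the scanner over a sample of every object, not just the obvious ones.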

2. Retention Policy Mapping

How long must you retain each data type?

  • Financial records: 7 years is the common baseline; confirm the specific rule (IRS, SEC, SOX) with counsel, since the period depends on the record type and on whether you are a public company or broker-dealer
  • Tax documents: 7 years
  • Employment records: EEOC rules require personnel records for at least 1 year after termination and FLSA payroll records for 3 years; many organizations keep 7 years as a conservative baseline
  • Medical records: HIPAA requires 6 years for its own required documentation (policies, risk analyses, authorizations); retention of the medical record itself is set by state law
  • Litigation hold: indefinite until the case resolves, overriding every other period above

Action: Export a retention matrix that maps each Salesforce object (and, where they differ, each sensitive field) to its legal retention requirement.

3. Audit Trail Requirements

Can you prove who accessed/changed what, when?

  • SOC 2 Type II: comprehensive change log, access controls
  • GDPR Article 30: Record of Processing Activities (ROPA)
  • HIPAA: Audit controls, integrity controls, person/entity authentication

Salesforce limitation: standard Field History Tracking retains history for 18 months in the org (24 months via the API) and covers at most 20 fields per object. If you need longer, either license the Field Audit Trail add-on (up to 10 years, 60 fields per object) or export history to an external archive on a schedule before it ages out. Either way, export the history before the exit, because it does not travel with a data export of the records themselves.

Exit Planning: Compliance Guardrails

Data Processing Agreement (DPA) Review

Your contract with Salesforce includes a DPA. Key clauses:

  • Data residency: Is EU data stored in the EU? Moving it to a US-hosted CRM may violate GDPR unless a Chapter V transfer mechanism is in place, typically Standard Contractual Clauses (SCCs).
  • Sub-processors: Does the new platform use the same sub-processors? If not, you need updated notices, DPA amendments or, where your legal basis is consent, fresh consent.
  • Deletion obligations: Personal data must be deleted once it is no longer needed. The Salesforce DPA commits to deletion on a fixed timeline after request (30 days at the time of writing; verify against your signed copy). Does the new platform's DPA match or beat it?

Certification Matching

If Salesforce has certifications your compliance program relies on, the new platform must match or exceed:

  • SOC 2 Type II
  • ISO 27001
  • HIPAA BAA (Business Associate Agreement)
  • FedRAMP (for government clients)
  • PCI DSS Level 1

No cert = compliance gap = blocked exit or expensive remediation.

Migration: Compliance Controls

Encryption in Transit and at Rest

  • Data export from Salesforce: TLS 1.2 or higher for every API call; reject anything lower at the client
  • Storage during migration: AES-256 encryption at rest, with the keys held in a KMS rather than on the migration host, and the staging bucket or volume deleted when the migration closes
  • Load into the new platform: encrypted channels only, with certificate validation enabled

Access Controls During Migration

  • Principle of least privilege: only the migration team accesses the data, through time-bound accounts that are revoked at cutover
  • MFA enforced on all accounts, including the integration user that runs the export
  • Audit log every access to PII/PHI during the migration window, and keep those logs with the migration evidence

Data Minimization

GDPR Article 5: only migrate data you need. This is a chance to purge:

  • Abandoned accounts (no activity in 3+ years and no open retention requirement)
  • Duplicate records
  • Test/sandbox data that leaked into production
  • PII past its retention period

Post-Migration: Retention and Archival

Don't Delete Salesforce Immediately

Keep the org read-only for at least 12 months (longer if there is litigation or audit risk). Read-only means freezing integrations and revoking write-capable API users, not just asking people to stop editing. Cost: roughly $30K/year for read-only licenses.

Why? You may need to prove data integrity, respond to regulatory inquiry, or debug migration issues.

Archival Strategy

After read-only period, archive to immutable storage:

  • AWS S3 Glacier Deep Archive: $0.00099/GB/month
  • Azure Archive Storage: $0.00099/GB/month
  • Google Cloud Archive: $0.0012/GB/month

Enable Object Lock (S3) in compliance mode, or Immutable Blobs (Azure) with a time-based retention policy, so that nobody, including account administrators, can delete or overwrite the archive before the retention period ends. That WORM property is what SEC 17a-4(f) and FINRA 4511 require for broker-dealer records; governance mode, which privileged users can bypass, does not satisfy it.

Deletion Certificates

When you finally delete the Salesforce data, request a Certificate of Deletion from Salesforce. Store it alongside the retention matrix for 7 years. It proves the data was destroyed per policy if you are audited later.

GDPR-Specific Considerations

Right to Access (Article 15)

Data subjects can request a copy of their data. During migration you must still be able to answer within one month of the request (Article 12(3); extendable by two further months for complex requests), so have a query ready against whichever system is authoritative that day:

SELECT Id, Name, Email, Phone, ... 
FROM Contact 
WHERE Email = :requestorEmail 
OR Global_ID__c = :globalId

Contact is rarely the only place a person's data lives. Run the same lookup against Lead, Case, Task/Event and any custom object that carries the business key, on both platforms, until cutover is final.

Right to Erasure (Article 17)

During migration, erasure requests must propagate to both Salesforce and the new platform, and to the migration staging copies in between. Use middleware or a manual dual-delete process, and verify the deletion in every system rather than trusting the first success.
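A sketch of that dual-delete middleware, added here as an example and not taken from the article or from any vendor's code. The two CRMs are stand-ins (`FakeCrm`) with a find-by-email and delete call, which is an assumption about the real APIs. Two details matter beyond the obvious loop: the erasure ledger stores an HMAC of the normalised email rather than the email itself, so the proof of erasure does not re-retain the data it erased, and the result is only marked verified after every system is re-queried, which catches a system whose delete silently does nothing.

```python
import hashlib
import hmac
from dataclasses import dataclass, field


class FakeCrm:
    """Hypothetical in-memory stand-in for a CRM's lookup and delete API."""

    def __init__(self, name, rows):
        self.name = name
        self.rows = rows  # {record_id: {"Email": ...}}

    def find_by_email(self, email):
        e = email.strip().lower()
        return [rid for rid, r in self.rows.items() if r["Email"].lower() == e]

    def delete(self, record_id):
        self.rows.pop(record_id, None)


class StuckCrm(FakeCrm):
    """Failure mode: the delete call returns without deleting anything."""

    def delete(self, record_id):
        pass


# Assumption: in production this key is fetched from a KMS, never hard-coded.
LEDGER_KEY = b"example-ledger-key-rotate-in-kms"


def subject_token(email):
    """HMAC of the normalised identifier. The ledger can prove which request
    was handled without storing the email it was asked to erase."""
    norm = email.strip().lower().encode("utf-8")
    return hmac.new(LEDGER_KEY, norm, hashlib.sha256).hexdigest()


@dataclass
class ErasureResult:
    token: str
    deleted: dict = field(default_factory=dict)  # system name -> records deleted
    verified: bool = False                        # True only if no system still matches


def erase_everywhere(email, systems):
    """Delete every matching record in each system, then re-query all of them.
    Success in one system never masks a failure in another."""
    result = ErasureResult(token=subject_token(email))
    for crm in systems:
        ids = crm.find_by_email(email)
        for rid in ids:
            crm.delete(rid)
        result.deleted[crm.name] = len(ids)
    result.verified = all(not crm.find_by_email(email) for crm in systems)
    return result


def demo():
    """Constructed data: the same person exists twice in Salesforce (different
    letter case) and once in the new CRM; an unrelated contact must survive."""
    sf = FakeCrm("salesforce", {
        "003A": {"Email": "Jane@Example.com"},
        "003B": {"Email": "jane@example.com"},
        "003C": {"Email": "other@example.com"},
    })
    new_crm = FakeCrm("newcrm", {"c-1": {"Email": "jane@example.com"}})
    return erase_everywhere("jane@example.com", [sf, new_crm]), sf, new_crm


def demo_partial_failure():
    """The new CRM accepts the delete but does not perform it: verified stays False."""
    sf = FakeCrm("salesforce", {"003A": {"Email": "jane@example.com"}})
    stuck = StuckCrm("newcrm", {"c-1": {"Email": "jane@example.com"}})
    return erase_everywhere("jane@example.com", [sf, stuck])


if __name__ == "__main__":
    res, _, _ = demo()
    print(res)
    print(demo_partial_failure())
```

An unverified result should open a ticket, not be retried blindly: the one-month response clock under Article 12 keeps running while the second system is broken.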

Data Breach Notification (Article 33)

If data is compromised during migration, the 72-hour clock for notifying the supervisory authority starts the moment you become aware of the breach. Have the incident response plan, and the contact details of the migration vendor's security team, ready before migration starts.

HIPAA-Specific Considerations

Business Associate Agreement (BAA)

Salesforce has a BAA. New platform must too. Migration vendor (if third-party) also needs BAA—they're handling PHI.

Minimum Necessary Standard

Only migrate PHI required for business purpose. Example: historical case notes from 10 years ago? Probably not necessary—archive instead of migrate.

Audit Controls (§164.312(b))

Log every PHI access during migration. Retain the logs for 6 years, the HIPAA documentation retention period (§164.316(b)(2)).

SOC 2 Considerations

Change Management (CC8.1)

Migration is a major change. Must be:

  • Documented with change request
  • Approved by stakeholders
  • Tested in non-prod environment
  • Covered by a rollback plan that was rehearsed before cutover, not written during the outage

Data Integrity (CC7.2)

Prove the data wasn't corrupted. Use checksums or hash-based validation, computed at export time and again after load:

import hashlib

# Export: hash the canonical byte stream as it leaves Salesforce
hash_before = hashlib.sha256(exported_bytes).hexdigest()

# Import: hash the same records as read back from the new platform
hash_after = hashlib.sha256(imported_bytes).hexdigest()

assert hash_before == hash_after, "migration altered or dropped records"

A single whole-file hash only works if both sides serialize records identically (same field order, encoding, null handling and line endings), which a different CRM will not do by default. In practice, hash per record over a canonical serialization keyed on a business identifier, so a mismatch names the record, not the file.
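The per-record version, added as an example that goes beyond the whole-file compare above; it is not the article's code. It canonicalises each record (drops platform-assigned fields such as `Id`, sorts keys, trims whitespace, treats empty string and null alike), hashes it, and reconciles the export and import manifests by the business key `Global_ID__c`. The `EXPORTED` and `IMPORTED` rows are constructed so that one record matches only after normalisation, one was altered, one was dropped by the loader and one appeared that was never exported.

```python
import hashlib
import json

PLATFORM_FIELDS = ("Id", "LastModifiedDate", "SystemModstamp")


def canonical_record(rec, ignore=PLATFORM_FIELDS):
    """Serialize a record identically on both sides of the migration:
    drop platform-assigned fields, trim strings, map '' to None, sort keys."""
    clean = {}
    for k, v in rec.items():
        if k in ignore:
            continue
        if isinstance(v, str):
            v = v.strip()
        clean[k] = None if v in ("", None) else v
    return json.dumps(clean, sort_keys=True, separators=(",", ":"), ensure_ascii=False)


def manifest(records, key_field="Global_ID__c"):
    """{business key: sha256 of canonical record} for one side."""
    out = {}
    for rec in records:
        key = rec[key_field]
        if key in out:
            raise ValueError(f"duplicate business key {key!r}")
        out[key] = hashlib.sha256(canonical_record(rec).encode("utf-8")).hexdigest()
    return out


def manifest_digest(m):
    """One hash over the whole manifest, for the audit file."""
    lines = "\n".join(f"{k}:{m[k]}" for k in sorted(m))
    return hashlib.sha256(lines.encode("utf-8")).hexdigest()


def reconcile(exported, imported, key_field="Global_ID__c"):
    src, dst = manifest(exported, key_field), manifest(imported, key_field)
    both = src.keys() & dst.keys()
    return {
        "missing": sorted(src.keys() - dst.keys()),      # exported, never landed
        "unexpected": sorted(dst.keys() - src.keys()),   # landed, never exported
        "mismatched": sorted(k for k in both if src[k] != dst[k]),
        "matched": sum(1 for k in both if src[k] == dst[k]),
    }


# Constructed sample data for the example; not real records.
EXPORTED = [
    {"Id": "003A", "Global_ID__c": "G-1", "Name": "Ann", "Email": "ann@example.com", "Phone": "+1 555 0100"},
    {"Id": "003B", "Global_ID__c": "G-2", "Name": "Bob", "Email": "bob@example.com", "Phone": ""},
    {"Id": "003C", "Global_ID__c": "G-3", "Name": "Cy", "Email": "cy@example.com", "Phone": "+1 555 0102"},
]
IMPORTED = [
    # G-1: loader changed the email domain -> mismatched
    {"Id": "c-10", "Global_ID__c": "G-1", "Name": "Ann", "Email": "ann@example.org", "Phone": "+1 555 0100"},
    # G-2: only whitespace and ''/None differences -> matched after canonicalisation
    {"Id": "c-11", "Global_ID__c": "G-2", "Name": " Bob ", "Email": "bob@example.com", "Phone": None},
    # G-3 was dropped by the loader -> missing
    # G-4 was never exported -> unexpected
    {"Id": "c-12", "Global_ID__c": "G-4", "Name": "Dee", "Email": "dee@example.com", "Phone": None},
]


def run_demo():
    return reconcile(EXPORTED, IMPORTED)


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Write the export-side manifest and its digest to the immutable archive at export time, before anything is loaded; the reconciliation report produced after load is then evidence that stands on its own, not a number recomputed from data the migration may have changed.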

Architect's Note: Compliance isn't a phase, it's a constraint on every phase. Build compliance into the migration plan from day zero, not as an afterthought. Well-Architected "Secure" means compliance is provable, not assumed.

Compliance Checklist for Exits

  1. Data inventory with sensitivity tagging (PII, PHI, PCI, CUI)
  2. Retention policy mapping to Salesforce objects
  3. DPA review for data residency, sub-processors, deletion obligations
  4. Certification gap analysis (SOC 2, ISO 27001, HIPAA BAA, etc.)
  5. Encryption controls for export, storage, import
  6. Access controls with MFA and audit logging
  7. Data minimization (purge unnecessary PII)
  8. Read-only retention period (12+ months)
  9. Archival to immutable storage (S3 Glacier, Azure Archive)
  10. Deletion certificate from Salesforce (retain 7 years)
  11. Dual-delete process for GDPR erasure during migration
  12. Incident response plan for breach notification
  13. Hash-based data integrity validation, per record, with the export-side manifest archived before load
  14. Change management documentation for SOC 2

Red Flags

  • Engineering team says "we'll handle compliance later"
  • New platform has no SOC 2 or equivalent cert
  • No BAA from migration vendor handling PHI
  • Plan to delete Salesforce within 30 days post-cutover
  • No data classification—treating all data as non-sensitive
  • No archival strategy beyond "keep a backup"

Need a Compliance-Ready Exit Plan?

Our Exit Assessment includes GDPR/HIPAA/SOC 2 compliance review, retention mapping, archival strategy, and certification gap analysis.