This service is for faculty, staff, students, student workers, and vendors.
In order to maintain the security, integrity, and compliance of our St. Thomas Salesforce environments, we have established standards and processes regarding access by hired and contracted third-party vendors. These standards and processes ensure our constituent data (students, alumni, etc.) and internal business functionality remain secure while still allowing vendors to provide necessary support and services.
Can Third-Party Vendors Have Direct Access to Salesforce Environments?
Third-party vendors, whether hired on a permanent or contract basis, are not permitted to have direct user account access to any of our Salesforce Environments (Production, Staging, or Testing). This applies to all vendors regardless of their role or the nature of the services they provide.
Reasoning
- Security: Direct access by third parties increases the risk of unauthorized access, data breaches, and other security risks. Even with limited profiles, there is still the ability to download data, obtain personally identifiable information, or misuse the data without any traceability.
- Compliance: As a University and government entity, we must comply with various regulatory requirements, like FERPA, that mandate strict control over access to sensitive row-level data. Our Salesforce environments contain a plethora of educational, biographical, and financial data.
- Data Integrity: With direct user access, the vendor could potentially delete, add, or change data without the University's knowledge, creating unintended changes that may not be able to be restored or fixed and causing harm to our environments.
- Costs: The University Salesforce license structure is based on current employee counts and maintained diligently to stay within budget. Each additional license is a large cost to the University and is not typically taken into consideration when signing vendor contracts.
Approved Access Methods
While direct access is not allowed, we have established alternative methods to enable third-party vendors to perform their tasks effectively:
- Manual Data Pulls from St. Thomas to Vendor Secure File Transfer Protocol (SFTP) site: The St. Thomas employee who is the acting product owner for the third-party vendor is able to create the data report needed directly in Salesforce and extract the data manually. The product owner can then upload the data securely to the designated SFTP site provided by the vendor.
- Shared Sessions: Vendors can work alongside an internal St. Thomas team member through screen-sharing sessions, allowing them to provide guidance without direct access.
  - Ensure the meeting is set up by a St. Thomas team member and is not recorded if sensitive information is reviewed.
- For Weekly Data Needs - Automate Data File Posting to Vendor SFTP Site: Our ITS teams have the ability to create the necessary data files containing Salesforce data, which can be automatically posted weekly to the vendor. It is the responsibility of the product owner to manage the process and its completion each week.
Our Vendor Says They Gain Direct Access with All Their Clients?
While we understand each school and university conducts its processes differently and/or has different resource capabilities, our University's current data and technology processes, policies, and frameworks do not support direct vendor access.
Again, these processes and standards are designed to protect our data and technology and to maintain compliance with regulatory requirements. It is our goal to work effectively with vendors and business partners to ensure success for all under the processes and standards set forth by the University.
To report a problem or receive additional troubleshooting, please contact the Tech Desk.