Security Narrative: GPTfy

This security narrative shares our perspective on various security-related areas.

Prepared by Rob Arnold, CISSP.

Last updated on : April 26, 2021

Audit Management Narrative

It is the policy of GPTfy (“the Company”) that our information security policies, procedures, standards, and plans are proprietary information and may not be disclosed outside the company.

Information Security Narrative

The Company is committed to preserving the confidentiality, integrity, and availability of all information systems and applications within our systems, which are limited to the purposes of developing our products.

The Company maintains a regularly updated Information Security program that addresses all legal, regulatory, and contractual compliance requirements such as, but not limited to:

  • Disaster Recovery and Business Continuity planning and preparedness;
  • Information Security Incident Response and Management;
  • Data Backup policies and standards;
  • Avoidance of privacy breaches; and
  • The enforcement of access control to systems.


Control objectives for each area are contained in Company policy, procedure, and standards documents, which are updated annually or as needed.

All Company staff and external parties identified and authorized to support the Information Security program are expected to comply with this and all applicable policies and procedures under penalty of disciplinary action.

Software Development Lifecycle Narrative

From a security perspective, our products are 100% cloud-native (built on the Salesforce platform) and store and process no data outside of Salesforce.

Our application is hosted in Customer’s Salesforce Org and runs in the Salesforce security context.

It also does not make outbound web calls to any service or http endpoint.

The Company does not access Salesforce customer data. The company’s products are security reviewed by Salesforce.

Each release undergoes Salesforce-prescribed code scanning before being published on the Salesforce AppExchange.

Services Narrative

Company’s implementation services work within a Salesforce Dev Sandbox (which by design has no customer data) to set up and configure our product.

Once it is set up, either our team or Customer’s Salesforce Admin moves this configuration into the QA/Test instance. Finally, the migration into Production is managed by Customer’s Salesforce team.

As a practice, we explicitly ask not to be given access to any Salesforce Org with actual customer data and will not access your Salesforce Prod instance.

Our implementation team will work with your admin/other IT folks over a shared screen during the Test/QA and production migrations, but that is usually the extent of our involvement.