Claude
Skills
Sign in
Back

salesforce-data-handling

Included with Lifetime
$97 forever

Implement Salesforce data privacy, GDPR/CCPA compliance, and field-level encryption patterns. Use when handling PII in Salesforce records, implementing data subject access requests, or configuring Salesforce Shield encryption. Trigger with phrases like "salesforce data privacy", "salesforce PII", "salesforce GDPR", "salesforce data retention", "salesforce encryption", "salesforce CCPA".

Generalsaascrmsalesforce

What this skill does

# Salesforce Data Handling

## Overview

Handle sensitive data correctly when integrating with Salesforce: PII classification, GDPR/CCPA compliance with Salesforce's Individual object, data retention, and field-level encryption.

## Prerequisites

- Understanding of GDPR/CCPA requirements
- Salesforce org with data classification enabled (Setup > Data Classification)
- For encryption: Salesforce Shield license (Platform Encryption)

## Instructions

### Step 1: Salesforce Data Classification

```typescript
// Salesforce has built-in data classification on fields
// Setup > Object Manager > [Object] > Fields > [Field] > Edit > Data Sensitivity Level

// Query field classification metadata
const conn = await getConnection();
const contactMeta = await conn.sobject('Contact').describe();

const sensitiveFields = contactMeta.fields
  .filter((f: any) => f.compoundFieldName === null) // Skip compound fields
  .map((f: any) => ({
    name: f.name,
    label: f.label,
    type: f.type,
    encrypted: f.encrypted || false,
    // Check custom data sensitivity via field metadata
  }));

// PII fields in standard Salesforce objects
const PII_FIELDS: Record<string, string[]> = {
  Contact: ['FirstName', 'LastName', 'Email', 'Phone', 'MailingAddress', 'Birthdate'],
  Lead: ['FirstName', 'LastName', 'Email', 'Phone', 'Company'],
  Account: ['Phone', 'Website'], // Less PII, but may contain it
  User: ['Email', 'Phone', 'Username'],
  Case: ['SuppliedEmail', 'SuppliedName', 'SuppliedPhone'],
};
```

### Step 2: GDPR — Individual Object & Consent

```typescript
// Salesforce has a built-in "Individual" object for GDPR consent tracking
// Setup > Data Protection and Privacy > Enable Individual object

// Link Contact to Individual for consent tracking
await conn.sobject('Individual').create({
  FirstName: 'Jane',
  LastName: 'Smith',
  HasOptedOutTracking: false,
  HasOptedOutProcessing: false,
  HasOptedOutSolicit: true,
});

// Check consent before processing
const contact = await conn.query(`
  SELECT Id, FirstName, LastName, Email,
    Individual.HasOptedOutTracking,
    Individual.HasOptedOutProcessing
  FROM Contact
  WHERE Id = '003xxxxxxxxxxxx'
`);

const individual = contact.records[0]?.Individual;
if (individual?.HasOptedOutProcessing) {
  console.log('Contact has opted out of data processing — skip');
}
```

### Step 3: Data Subject Access Request (DSAR)

```typescript
// GDPR Article 15: Right of Access
async function exportContactData(contactId: string): Promise<object> {
  const conn = await getConnection();

  // Gather all data related to this contact
  const [contact, cases, activities, opportunities] = await Promise.all([
    conn.query(`
      SELECT FIELDS(ALL) FROM Contact WHERE Id = '${contactId}' LIMIT 1
    `),
    conn.query(`
      SELECT Id, Subject, Description, CreatedDate, Status
      FROM Case WHERE ContactId = '${contactId}'
    `),
    conn.query(`
      SELECT Id, Subject, ActivityDate, Description
      FROM Task WHERE WhoId = '${contactId}'
    `),
    conn.query(`
      SELECT Id, Name, StageName, Amount
      FROM Opportunity WHERE Id IN (
        SELECT OpportunityId FROM OpportunityContactRole WHERE ContactId = '${contactId}'
      )
    `),
  ]);

  return {
    exportDate: new Date().toISOString(),
    subject: 'Data Subject Access Request',
    contact: contact.records[0],
    cases: cases.records,
    activities: activities.records,
    opportunities: opportunities.records,
  };
}
```

### Step 4: Right to Deletion (Right to be Forgotten)

```typescript
// GDPR Article 17: Right to Erasure
async function deleteContactData(contactId: string): Promise<void> {
  const conn = await getConnection();

  // 1. Delete related records first (due to lookup relationships)
  const tasks = await conn.query(`SELECT Id FROM Task WHERE WhoId = '${contactId}'`);
  if (tasks.records.length > 0) {
    await conn.sobject('Task').destroy(tasks.records.map((t: any) => t.Id));
  }

  // 2. Delete the contact
  await conn.sobject('Contact').destroy(contactId);

  // 3. Audit log (required — don't delete this)
  await conn.sobject('Integration_Log__c').create({
    Action__c: 'GDPR_DELETION',
    Record_Id__c: contactId,
    Object_Type__c: 'Contact',
    Timestamp__c: new Date().toISOString(),
  });

  // 4. Delete from local caches/databases too
  console.log(`Contact ${contactId} deleted from Salesforce (GDPR erasure)`);
}
```

### Step 5: Data Redaction in Logs

```typescript
// NEVER log raw Salesforce records containing PII
function redactSfRecord(record: Record<string, any>, objectType: string): Record<string, any> {
  const piiFields = PII_FIELDS[objectType] || [];
  const redacted = { ...record };

  for (const field of piiFields) {
    if (redacted[field]) {
      redacted[field] = '[REDACTED]';
    }
  }

  return redacted;
}

// Usage in logging
const contacts = await conn.query('SELECT Id, FirstName, LastName, Email FROM Contact LIMIT 5');
for (const contact of contacts.records) {
  console.log('Processing:', redactSfRecord(contact, 'Contact'));
  // Logs: { Id: '003xx', FirstName: '[REDACTED]', LastName: '[REDACTED]', Email: '[REDACTED]' }
}
```

### Step 6: Salesforce Shield Platform Encryption

```
For field-level encryption at rest (Salesforce Shield license required):

Setup > Platform Encryption > Encryption Policy:
- Encrypt: Contact.Email, Contact.Phone, Lead.Email
- Key Management: Salesforce-managed or customer-managed (BYOK)

Limitations of encrypted fields:
- Cannot use in WHERE clause (use deterministic encryption for filters)
- Cannot use in ORDER BY
- Cannot use in aggregate functions
- SOQL LIKE operator not supported on encrypted fields
```

## Output

- Data classification for PII fields documented
- GDPR consent tracking via Individual object
- DSAR export function for data subject access
- Right to deletion with audit trail
- Log redaction preventing PII exposure

## Error Handling

| Issue | Cause | Solution |
|-------|-------|----------|
| `FIELD_NOT_FOUND: Individual` | Individual object not enabled | Setup > Data Protection > Enable Individual |
| Can't delete Contact | Related records exist | Delete related Tasks/Events first |
| Encrypted field in WHERE | Shield encryption limitation | Use deterministic encryption or query differently |
| PII in logs | Missing redaction | Wrap all SF logging with redactSfRecord |

## Resources

- [Salesforce Data Protection & Privacy](https://help.salesforce.com/s/articleView?id=sf.data_protection_and_privacy.htm)
- [Individual Object](https://developer.salesforce.com/docs/atlas.en-us.object_reference.meta/object_reference/sforce_api_objects_individual.htm)
- [Shield Platform Encryption](https://help.salesforce.com/s/articleView?id=sf.security_pe_overview.htm)
- GDPR Compliance in Salesforce

## Next Steps

For enterprise access control, see `salesforce-enterprise-rbac`.
Files: 1
Size: 7.4 KB
Complexity: 18/100
Category: General
Source: https://github.com/jeremylongshore/claude-code-plugins-plus-skills/tree/main/plugins/saas-packs/salesforce-pack/skills/salesforce-data-handling

Related in General

modeling-omnistudio-epc-catalog

Included

Salesforce Industries CME EPC product-modeling skill for Product2-based catalog creation. Use when creating EPC products, configuring product attributes, building offer bundles with Product Child Items, or reviewing EPC DataPack JSON metadata for product catalog changes. TRIGGER when: user creates or updates Product2 EPC records, AttributeAssignment payloads, AttributeMetadata/AttributeDefaultValues, Offer bundles, or ProductChildItem relationships. DO NOT TRIGGER when: designing OmniScripts/FlexCards/Integration Procedures (use building-omnistudio-omniscript, building-omnistudio-flexcard, or building-omnistudio-integration-procedure), implementing Apex business logic (use generating-apex), or troubleshooting deployment pipelines (use deploying-metadata).

Generalscripts

relationship-science-coach

Included

Use this skill for direct, practical adult relationship coaching: couples conflict, repair, trust, marriage, dating, flirting, attachment patterns, emotional connection, sex, desire differences, eroticism, kink negotiation, affection, love languages, breakups, and long-term passion. Draw on Gottman, EFT and Hold Me Tight, attachment science, modern sex research, Perel, Nagoski, Kerner, Schnarch, Love and Stosny, and flexible love-language tools. Be concrete and low-hedge. Redirect only for imminent danger, abuse, coercive control, minors, non-consent, self-harm, stalking, or medical/legal/psychiatric decisions.

Generalscripts

building-sf-integrations

Included

Salesforce integration architecture and runtime plumbing with 120-point scoring. Use this skill to set up Named Credentials, External Credentials, External Services, REST/SOAP callout patterns, Platform Events, and Change Data Capture. TRIGGER when: user sets up Named Credentials, External Services, REST/SOAP callouts, Platform Events, CDC, or touches .namedCredential-meta.xml files. DO NOT TRIGGER when: Connected App/OAuth config (use configuring-connected-apps), Apex-only logic (use generating-apex), or data import/export (use handling-sf-data).

Generalscripts

venue-templates

Included

Access comprehensive LaTeX templates, formatting requirements, and submission guidelines for major scientific publication venues (Nature, Science, PLOS, IEEE, ACM), academic conferences (NeurIPS, ICML, CVPR, CHI), research posters, and grant proposals (NSF, NIH, DOE, DARPA). This skill should be used when preparing manuscripts for journal submission, conference papers, research posters, or grant proposals and need venue-specific formatting requirements and templates.

Generalscripts

let-fate-decide

Included

Draws the 12 Houses of the Zodiac Tarot spread to inject entropy into planning when prompts are vague, ambiguous, or casually delegated. Interprets the spread to guide next steps. Use when the user says 'let fate decide', 'YOLO', 'whatever', 'idk', or other nonchalant phrases, makes Yu-Gi-Oh references, or when you are about to arbitrarily pick between multiple reasonable approaches. Prefer over ask-questions-if-underspecified when the user's tone is casual or playful rather than precision-seeking.

Generalscripts

net-ops

Included

Cross-platform network troubleshooting (Windows, macOS, Linux) via local or remote shell. Use for: DNS broken, can't resolve hostnames, nslookup/dig works but apps fail, NRPT, WFP, scutil, /etc/resolver, systemd-resolved, /etc/resolv.conf, NetworkManager, VPN DNS leak residue (ProtonVPN/Mullvad/WireGuard/AnyConnect), AV/firewall blocking DNS or DoH, Tailscale DNS interaction, intermittent connectivity, remote diagnostics over SSH.

Generalscripts
Sign up & unlock — $97