Salesforce Shield / Platform Encryption with all Blackthorn apps

Overview

If your Salesforce org protects data with Shield Platform Encryption, follow the setup below to avoid errors while using our Blackthorn apps.

Blackthorn's apps work with Salesforce Shield (aka Platform Encryption) enabled, using Deterministic encryption. Deterministic encryption must be configured in three places: the key, the global option, and per field.

Setup

Step 0: The running user of each app, typically the person who installed both apps, must have a profile that can view encrypted fields. Alternatively, you can use a dedicated integration user that no one has access to with this profile to query and create records with the necessary fields.

📘 Note:

If you're a system admin and don't have "View Encrypted Data" access on your profile, you can create a custom permission set that includes the access and assign it to your users. See required user permissions for Shield Platform Encryption here.

To configure this, navigate to Setup and type 'plat' (short for platform) to find the options below. The red arrows highlight where you'll need to click to get to the configuration areas below:

  • Classic navigation
  • Lightning navigation

Step 1: Setup | Platform Encryption | Key Management. Select 'Data in Salesforce (Deterministic)' and generate your key.

Step 2: Visit Setup | Platform Encryption | Advanced Settings. Enable 'Deterministic Encryption'.

Step 3: Setup | Platform Encryption | Encryption Policy, then click 'Encrypt Fields'. For the Email field (or any other erroring field you get when enabling Shield and/or installing our apps, whichever comes first), set those fields to Deterministic - Case Insensitive.

To learn more about how Shield Platform Encryption works, see here.

Suggested Configuration for Blackthorn Fields

📘

  • The tables below provide a list of fields from our applications that should NOT be encrypted using Salesforce Shield.
  • These fields are used to filter the SOQL result, so they should be excluded from encryption in order for our apps to work.
  • Formula & Reference fields cannot be encrypted.
  • After marking all fields for encryption, if historical data is present, you will need to export and import records to trigger a full encryption of data at rest, or log a case with Salesforce Support to have a back-end encryption job processed. As of Spring '19, you can also perform this encryption sync yourself using the self-service option in the Salesforce help portal.
  • Picklist fields cannot be encrypted.
  • Blackthorn will maintain the list whenever a new field is added to the apps.

Payments

| Object Name | Field Name | Object Type | Encryption Type |
|---|---|---|---|
| Contact | Email | Standard | No Encryption |
| Product2 | Product_ID__c | Standard | No Encryption |
| Transaction__c | Transaction_Id__c | Custom | No Encryption |
| Transaction__c | Transfer_Payment_Id__c | Custom | No Encryption |
| Transaction__c | Key__c | Custom | No Encryption |
| Payment_Intent__c | Payment_Intent_Id__c | Custom | No Encryption |
| Payment_Method__c | Card_Id__c | Custom | No Encryption |
| Payment_Method__c | ACH_Key__c | Custom | No Encryption |
| Payment_Method__c | Fingerprint__c | Custom | No Encryption |
| Payment_Gateway__c | Webhook_Label__c | Custom | No Encryption |
| Payment_Gateway__c | Stripe_User_Id__c | Custom | No Encryption |
| Plan2__c | Plan_Id__c | Custom | No Encryption |
| Coupon2__c | Coupon_Id__c | Custom | No Encryption |
| Dispute__c | Dispute_ID__c | Custom | No Encryption |
| Stripe_Customer__c | Email__c | Custom | No Encryption |
| Stripe_Customer__c | Customer_Id__c | Custom | No Encryption |

Events

| Object Name | Field Name | Object Type | Encryption Type |
|---|---|---|---|
| Account | Name | Standard | No Encryption |
| Attendee__c | Registration_Status__c | Custom | Deterministic |
| Attendee__c | Email2__c | Custom | Deterministic |
| Attendee__c | Key2__c | Custom | Deterministic |
| Attendee__c | Email__c | Custom | Deterministic |
| Attendee__c | Attendence_Status__c | Custom | Deterministic |
| Email_Template__c | SF_Template_Id__c | Custom | Deterministic |
| Email_Template__c | Name | Custom | No Encryption |
| Event_Group__c | Name | Custom | No Encryption |
| Event__c | Name | Custom | No Encryption |
| Event__c | Event_Start_Date__c | Custom | No Encryption |
| Event__c | Key2__c | Custom | Deterministic |
| Contact | Name | Standard | No Encryption |
| Event_Item__c | Item_Name__c | Custom | No Encryption |
| Event_Notification__c | Title__c | Custom | No Encryption |
| Form_Element__c | Maps_To_Object__c | Custom | Deterministic |
| Form_Element__c | Question__c | Custom | No Encryption |
| Form_Submission__c | Key__c | Custom | No Encryption |
| Lead | Name | Standard | No Encryption |
| Session__c | Start_Date__c | Custom | No Encryption |
| Speaker__c | Last_Name__c | Custom | No Encryption |
| Speaker__c | First_Name__c | Custom | No Encryption |
| Sponsor__c | Tier__c | Custom | No Encryption |
| Sponsor__c | Display_Name__c | Custom | No Encryption |
| Track__c | Name | Custom | No Encryption |
| Event_Setting__c | Name | Custom | No Encryption |
| Payment_Gateway__c | Name | Custom | No Encryption |
| Form__c | Name | Custom | No Encryption |
| Campaign | Name | Custom | No Encryption |

📘

  • For any lookup field, the Name field of the referenced object cannot be encrypted.
  • This is not supported in Event Wizard.
  • If you are not planning to add these fields in the Event Wizard fieldset, the fields can be encrypted. The type should be Deterministic.
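One way to check an org against the suggested configuration in the tables above is to compare the `encryptionScheme` element of each retrieved field metadata file with the table row. This is an added example, not Blackthorn's own code; it assumes field metadata retrieved as `CustomField` XML, uses constructed sample documents, copies only a few table rows, and assumes field names without a package namespace prefix.

```python
import xml.etree.ElementTree as ET

NS = {"md": "http://soap.sforce.com/2006/04/metadata"}

# A few rows copied from the tables on this page: (object, field) -> suggested type.
SUGGESTED = {
    ("Transaction__c", "Transaction_Id__c"): "None",
    ("Payment_Method__c", "Fingerprint__c"): "None",
    ("Attendee__c", "Email__c"): "Deterministic",
    ("Event__c", "Key2__c"): "Deterministic",
}

def field_xml(name, scheme=None):
    """Build a constructed CustomField metadata document for the demo."""
    enc = f"<encryptionScheme>{scheme}</encryptionScheme>" if scheme else ""
    return (f'<CustomField xmlns="{NS["md"]}"><fullName>{name}</fullName>'
            f"{enc}<type>Text</type></CustomField>")

# Constructed sample input; in practice read each retrieved *.field-meta.xml file.
SAMPLE = [
    ("Transaction__c", field_xml("Transaction_Id__c", "ProbabilisticEncryption")),
    ("Payment_Method__c", field_xml("Fingerprint__c")),
    ("Attendee__c", field_xml("Email__c", "CaseInsensitiveDeterministicEncryption")),
    ("Event__c", field_xml("Key2__c", "ProbabilisticEncryption")),
]

def classify(scheme):
    """Collapse the metadata encryptionScheme value to the page's three types."""
    if scheme in (None, "", "None"):
        return "None"
    return "Deterministic" if "Deterministic" in scheme else "Probabilistic"

def audit(fields):
    """Return (object, field, suggested, actual) for every field that deviates."""
    findings = []
    for obj, xml_text in fields:
        root = ET.fromstring(xml_text)
        name = root.findtext("md:fullName", namespaces=NS)
        actual = classify(root.findtext("md:encryptionScheme", namespaces=NS))
        suggested = SUGGESTED.get((obj, name))
        if suggested is not None and actual != suggested:
            findings.append((obj, name, suggested, actual))
    return findings

if __name__ == "__main__":
    for obj, name, suggested, actual in audit(SAMPLE):
        print(f"{obj}.{name}: suggested {suggested}, found {actual}")
```

Fields reported with a found type of Probabilistic are the ones to review first, since probabilistically encrypted fields cannot be used in SOQL filters.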
