Updated 2026-06-19
Security & data handling
What SmixAI reads, how it's protected, and how tenants stay isolated.
Overview
SmixAI is designed to give you insight without exposing your business data. It reads configuration and usage signals β not the contents of your records β and isolates every organization's data.
What SmixAI reads (and doesn't)
- Reads: object/field definitions, record counts, automation & code metadata, org limits (storage), license totals, and user activity (e.g. last login).
- Does not read: the contents of your records (the actual account names, emails as data, opportunity amounts, etc.). Duplicate detection uses aggregate counts, not row exports.
See What gets inventoried for the full list.
How your data is protected
| Control | Detail |
|---|---|
| Credential encryption | OAuth tokens, secrets, and private keys are encrypted at rest. |
| Tenant isolation | Every query is scoped to your organization; data never crosses orgs. |
| Least privilege | Connect with a scoped/integration user; server-to-server runs as a defined identity. |
| Audit trail | Significant actions are logged (see Activity & audit log). |
| No production writes | Agent changes are sandbox-only; there is no apply-to-production path. |
How to: keep your connection secure
- Use a dedicated, least-privilege Salesforce user for scanning.
- Prefer JWT Bearer for automated scans so no interactive password is involved.
- Rotate credentials periodically (add a new credential, set primary, remove the old).
Use cases
- Security review: confirm SmixAI reads metadata/usage only and encrypts credentials.
- Procurement: point your security team here plus to your contract/DPA for specifics.
Notes
- For formal security documentation (certifications, DPA), contact the SmixAI team.