
When a government contractor or VAR adds a new application to their Salesforce environment, the question of data security isn't abstract. Their Salesforce org contains customer records, pipeline data, pricing strategy, and contract details. They need to know who can see it, where it goes, and what happens if something goes wrong.
Quote.ly is a managed Salesforce application built by VirtualDojo, Inc. This post covers the security architecture behind it, including the certifications, the controls, and the specific technical decisions that determine how your data is handled. No vague assurances. Just the facts.
The question isn't whether Salesforce is secure. It's whether the app you're adding to it is.
Where Quote.ly Runs and Why It Matters
Quote.ly operates across three environments, each carrying its own FedRAMP authorization. The Quote.ly application itself runs on the Salesforce Platform. The API endpoint (api.quote.ly) is hosted in Microsoft Azure Government (GCC), which is FedRAMP Moderate authorized through Agency ATOs from over 30 federal agencies. AI processing runs through Google Cloud Vertex AI, which holds FedRAMP High authorization.
All customer data remains within FedRAMP-authorized boundaries at every stage of processing. There's no stage where your data passes through an environment that hasn't been authorized.
The Salesforce AppExchange Security Review
Every application listed on the Salesforce AppExchange must pass a mandatory security review before it can be made available to customers. Quote.ly has successfully passed this review and continues to pass it annually.
What most people don't realize is how rigorous this review actually is. It's not a self-certification checklist. It's an independent evaluation by Salesforce's dedicated security team that typically takes four to five weeks and covers:
• Code-level analysis — automated scanning and manual code review of all Apex, Visualforce, Lightning, and JavaScript code for vulnerabilities including SQL injection, XSS, and CSRF
• Authentication and authorization — verification that the application enforces object-level, field-level, and record-level security and never bypasses Salesforce's built-in permission model
• Data protection — review of how sensitive data is stored, transmitted, and processed, including encryption and data-at-rest protections
• External integrations — security assessment of all external endpoints, APIs, and third-party services the application connects to
• AI-specific security — evaluation of AI-driven logic, sensitive data handling in AI contexts, and risks from adversarial inputs
A failed review requires full remediation and resubmission. There are no shortcuts, no exemptions, and no workarounds. The review is performed independently of the application vendor.
The API Endpoint — Hosted in Azure Government
Quote.ly's external API endpoint (api.quote.ly) is hosted exclusively in Microsoft Azure Government Cloud (GCC), a physically and logically isolated environment that is separate from commercial Azure and operated solely within U.S. sovereign data centers by screened U.S. persons.
All data in transit is encrypted via TLS 1.2+, and data at rest is encrypted using FIPS 140-2 validated modules.
What Salesforce Independently Verifies
As part of the AppExchange Security Review, Salesforce tests every external endpoint an application connects to. For api.quote.ly, that means:
• TLS 1.2 or higher enforced for all connections — legacy protocols disabled, verified via Qualys SSL Labs at grade A
• Dynamic Application Security Testing (DAST) conducted by Salesforce using OWASP ZAP and Burp Suite — all high-severity findings must be remediated before the review passes
• Full OWASP Top 10 compliance — including injection attacks, broken authentication, XSS, CSRF, sensitive data exposure, and server-side request forgery
• OAuth 2.0 authentication — Salesforce Session IDs are never transmitted to external endpoints; no secrets passed in URLs
• Content Security Policy (CSP) — all external resources loaded over HTTPS and registered as CSP Trusted Sites within Salesforce
• Continuous dependency scanning — all third-party libraries verified free of known vulnerabilities against Snyk and the CVE database
These controls aren't self-reported. They are verified by Salesforce's security team as a condition of the listing.
VirtualDojo, Inc. Does Not Have Access to Your Data
This is the most important thing to understand about Quote.ly's architecture, and it's worth being direct about it: VirtualDojo, Inc. does not host, store, or have standing access to any customer data.
Quote.ly operates as a managed package within the customer's own Salesforce org. All data remains under the customer's control, within their Salesforce security boundary. VirtualDojo engineers and staff cannot access customer data by default, and there is no backdoor, no persistent access, and no administrative override.
The three data touchpoints in the Quote.ly architecture each have a clear access boundary. Customer Salesforce data is accessible to the customer only. The api.quote.ly endpoint processes requests in real time and does not persist customer data. Vertex AI and Gemini process inference requests in real time and do not retain or train on customer data.
Support Access Is Customer-Controlled
If a customer requires hands-on support, they must explicitly grant access to VirtualDojo through Salesforce's built-in Login Access Policy or by granting a support user temporary org access. The customer defines the duration and scope. Once that period expires, access is automatically revoked.
Upon removal of support access, VirtualDojo immediately returns to zero access. There is no residual access, no cached credentials, and no persistent connection that survives the revocation. All support access is logged and auditable within the customer's Salesforce org.
AI Processing — Google Vertex AI at FedRAMP High
Quote.ly uses Google Gemini through Google Cloud's Vertex AI service for AI-powered features. Vertex AI has achieved FedRAMP High authorization covering more than 140 Google Cloud services.
Customer data sent to Gemini for inference is not used for model training and is processed within Google's FedRAMP-authorized boundary. The AI inference layer carries the same authorization standard as the rest of the architecture.
Security Controls Across the Platform
Access Control
• Role-based access control (RBAC) enforced at the Salesforce platform level
• Least-privilege principle applied to all API integrations
• Multi-factor authentication (MFA) required for all administrative access
Data Protection
• Encryption in transit via TLS 1.2+ across all components
• Encryption at rest using AES-256 or equivalent FIPS 140-2 validated encryption
• No customer data stored outside of FedRAMP-authorized boundaries
Vulnerability Management
• Annual Salesforce AppExchange Security Review
• Ongoing vulnerability scanning and patching across API infrastructure
• Secure software development lifecycle (SDLC) practices
Incident Response
• Defined incident response procedures aligned with NIST SP 800-61
• Leverages incident response capabilities of Salesforce, Microsoft, and Google — all FedRAMP-authorized platforms
Audit and Monitoring
• Comprehensive logging of API access and administrative actions
• Salesforce Event Monitoring for in-platform activity
• Cloud-native audit logging in Azure Government and Google Cloud
Network Security
• API endpoint hosted within Azure Government's isolated network
• Web application firewall (WAF) and DDoS protection on all public-facing endpoints
The Bottom Line
Quote.ly is built on a security architecture that most standalone SaaS tools can't match because it inherits the FedRAMP-authorized infrastructure of Salesforce, Microsoft Azure Government, and Google Cloud, and adds its own layer of application-level controls on top.
Government contractors and VARs working on sensitive programs need to know their quoting data is handled inside authorized boundaries, by a vendor that has no standing access to their environment, with controls that are independently verified and not self-reported. That's the architecture Quote.ly is built on.
If you have security questions that aren't answered here, we want to hear them.
Security | Mar 3, 2026 | Devin Henderson


