Feature availability: Some features described in this article may require an upgrade or add-on. Refer to Vanta Plans and Pricing for details.
Trust Center's Salesforce integration provides an easy way to leverage automation when granting access to your report. This integration allows you to control who should be automatically approved for access and who should be required to sign an NDA by leveraging the data you already have in your Salesforce records.
Connecting with Salesforce
From the left-hand navigation panel, select Integrations
Search for Salesforce and choose Connect
To approve the OAuth app, Salesforce requires that the connected account have the Approve Uninstalled Connected Apps permission enabled
Once you've successfully connected your Salesforce account, navigate to Trust Center settings and configure your desired auto-approval and NDA bypass settings
In your account header, click the Settings icon
In the Settings page menu, scroll to the Features section, select Customer Trust, and go to the Trust Center tab
Note: There are two options for If request meets condition
Salesforce Contact matches the email
This will match the exact email addresses found in your Salesforce Contact records
Salesforce Contact matches the email domain
This will match against the email domain of any Contacts found in your Salesforce records. For example, “[email protected]” will match against “[email protected]”
In addition to matching Contacts, you can optionally configure a boolean field that must be set to true on the linked Account to that Contact for the auto-approval to go through
Once these rules are in place, viewers who have been matched will appear in the viewer's table with the Salesforce logo.
Viewers who have been auto-approved, will show that their NDA was signed and bypassed by Salesforce.
Tag-based access control with Salesforce
In addition to controlling whether a viewer is auto-approved, you can also control what they receive access to automatically, based on Salesforce field values.
Vanta lets you map Salesforce field values to document tags in your Trust Center. This means customers who have purchased specific products, belong to certain industries, or meet any other criteria you track in Salesforce will automatically receive only the content relevant to them, with no manual review required.
To configure tag-based access control:
Go to Customer Trust, select Trust Center, then click on the Settings button (the gear icon).
Select the Tags tab.
To learn more about setting up the Tag usage section, read Using Tags: Trust Center.
Once you've configured those tag settings, scroll to the Account tag automation section. Here you can match the tag category to the Salesforce field by selecting the correct field from the dropdown menu.
⚠️ Note: Vanta only supports string fields for tag-based automation. Tag values must be stored in Salesforce as a comma-separated string (e.g., "Product A, Product B") where each value matches the corresponding Vanta tag exactly, character for character, including capitalization and spacing.
To ensure a match, either:
Update your Vanta tags to match the values already in your Salesforce field, or
Create a formula field in Salesforce that outputs the correctly formatted comma-separated string and map that field in Vanta instead.
When a viewer is granted access, Vanta reads the relevant Salesforce field values in real time and applies the matching tags to determine which documents they can see.
ℹ️ Note: Tag values are captured at the moment access is granted. After that, tags sync from Salesforce every 24 hours — so any changes made in Salesforce will be reflected in Vanta within that window. For this feature to work, the mapped fields need to be populated on the relevant Contact or Account records in Salesforce. If an account has no tags set, viewers associated with that account will not be granted access to any resources.
Customer Trust Accounts automation
Once Salesforce is connected, Vanta can automatically create and link Customer Trust Accounts based on Salesforce data, and use Salesforce fields to control account-level auto-approval.
Account linking
When you manually create a Customer Trust account, Vanta automatically finds and links the matching Salesforce account based on the domain you enter.
When a viewer is granted access via Salesforce-based auto-approval, Vanta automatically creates a Customer Trust account for that viewer's email domain (if one doesn't exist) and links it to the corresponding Salesforce account. If a matching account already exists but isn't linked, it is linked at that time.
When a viewer's access is granted manually (with Salesforce connected), Vanta looks up the user in Salesforce and automatically creates and links an account if a matching Salesforce account exists.
Adding account-level conditions to auto-approval
Once you've set up Salesforce-based auto-approval (see Connecting with Salesforce), you can optionally add an account-level condition. In the auto-approval settings, click + Add account condition and select a Salesforce field. The field must be a boolean type (true enables auto-approvals for that account, false disables them).
Auto-approval can still be manually disabled for individual accounts from the account details view, which overrides the Salesforce sync for that account.
Trust Center Salesforce Integration: Required Permissions
The Trust Center Salesforce integration requests the api and refresh_token OAuth scopes. From Salesforce’s documentation about the api scope:
“Allows access to the current, logged-in user’s account using APIs, such as REST API and Bulk API 2.0.”
In other words, the Trust Center Salesforce integration’s access is determined by which account initiates the OAuth linking flow in Vanta. To limit the integration’s access, we recommend creating a separate service user with limited permissions in Salesforce and linking with that user.
(Note: If you’re already currently logged into your own Salesforce account, you may need to log out first before clicking “Connect Salesforce” in order to link with the service user)
Required Permissions by Feature
The following permissions are necessary for the following capabilities:
Augmenting viewer data in Activity and Access Requests for contacts found in Salesforce
Automated access approvals
NDA Bypass
Customer Trust Accounts automation (account linking and CRM account sync)
Tag-based access control
While we recommend granting access to all non-sensitive default fields on these objects to avoid functionality breaking if we request more information in the future, the minimal required permissions are the following:
Accounts
Object Permissions
Read
Field Permissions
Read Access
Name
Type
OwnerId
Contacts
Object Permissions
Read
Field Permissions
Read Access
Email
AccountId
Name
Revenue Tracking
If you’d like to take advantage of the Revenue Tracking reporting features, we will the above permissions and read access to opportunity objects in Salesforce.
While we recommend granting access to all non-sensitive default fields on opportunities to avoid functionality breaking if we decide to request more information in the future, the minimal required permissions are the following:
Opportunity
CloseDate
Amount (or equivalent custom field specifying revenue*)
Stage (or equivalent custom field specifying opportunity stage*)
CurrencyIsoCode (if multi-currency is enabled)
*For opportunity stage and revenue, you can specify custom fields to use over the defaults from within the Trust Center settings page.
Lead Creation
Vanta Trust Centers now has the ability to create leads in SFDC for viewers that are not found in Salesforce. If you’d like to take advantage of this capability, we will need the following permissions:
Object Settings
Lead
Object Permissions
Create
Field Permissions
Edit Access
Email
Name
Company
Create Salesforce Task
Vanta Trust Centers can now push Trust Center activity to Salesforce. If you’d like to take advantage of this capability, we will need the following permissions:
System Permissions
Access Activities
Edit Tasks
Profile > Field-Level Security > Task
Edit Access
Comments
Related To
Name