GoMeddo Security & Compliance
Our Security Commitment
GoMeddo is committed to protecting your data and maintaining the highest standards of security and compliance. As a 100% native Salesforce application, we leverage Salesforce's world-class infrastructure while adding our own organizational security measures.
If you trust Salesforce with your data, you should trust GoMeddo as well.
Certifications & Compliance
ISO 27001 Certified
GoMeddo is ISO 27001 certified, demonstrating our commitment to information security management. This internationally recognized standard ensures we have:
Systematic approach to managing sensitive information
Risk assessment and treatment processes
Continuous improvement of security controls
Regular internal and external audits
Salesforce Security Review
GoMeddo has passed Salesforce's rigorous AppExchange Security Review. This mandatory review validates that our application:
Follows Salesforce security best practices
Properly handles data access and sharing
Does not contain security vulnerabilities
Respects platform governor limits and guidelines
Every release undergoes this security review before publication.
GDPR Compliant
GoMeddo is fully GDPR compliant (HQ is located in the Netherlands). We offer:
Data Processing Agreement (DPA) available upon request
Data minimization principles
Right to erasure support
Data portability support
Privacy by design in our product development
Contact us at privacy@gomeddo.com for our DPA or privacy-related inquiries.
Architecture & Data Handling
100% Native Salesforce
GoMeddo is built entirely on the Salesforce platform. This means:
| Aspect | What this means for you |
|---|---|
| Data Location | All your data stays in YOUR Salesforce org. Always. |
| No External Servers | We don't operate external databases, APIs, or data processing servers for the core functionality. |
| No Data Access | GoMeddo (the company) cannot see, access, or retrieve your data. |
| Your Control | You have complete control over security settings, access, and data retention. |
| Performance | Reduced latency and faster performance from localized hosting within your org. |
| Customization | Full extensibility through Salesforce's native development tools and APIs. |
How It Works
When you install GoMeddo, the application runs within your Salesforce environment:
┌─────────────────────────────────────────┐
│           Your Salesforce Org           │
│  ┌───────────────────────────────────┐  │
│  │            GoMeddo App            │  │
│  │    (runs in your environment)     │  │
│  └───────────────────────────────────┘  │
│                                         │
│  ┌───────────────────────────────────┐  │
│  │             Your Data             │  │
│  │    (stays in your environment)    │  │
│  └───────────────────────────────────┘  │
└─────────────────────────────────────────┘
          GoMeddo has no access ↑
Security Features
Access Control
GoMeddo uses Salesforce's native security model:
Profiles & Permission Sets - Control who can access GoMeddo features
Field-Level Security - Restrict access to sensitive fields
Sharing Rules - Define record-level access
Role Hierarchy - Inherit access based on organizational structure
Audit & Monitoring
Full visibility into system usage:
Salesforce Setup Audit Trail
Field History Tracking (configurable per field)
Login History
Compatible with Salesforce Shield Event Monitoring
Encryption
In Transit: All data is encrypted via Salesforce's TLS 1.2+
At Rest: Compatible with Salesforce Shield Platform Encryption (customer-enabled)
Widget & External Access
GoMeddo offers optional widgets and APIs for external booking. Important security notes:
| Feature | Security Model |
|---|---|
| Booking Widget / Frontend Builder | Not enabled by default. Requires explicit configuration. |
| Guest Booking | Uses Salesforce Sites with your permission settings |
| Contact/Lead Creation | Can create contacts/leads only when explicitly enabled by you. |
| API Access | Standard Salesforce APIs with your authentication |
| Data Exposure | Only fields you explicitly expose are accessible |
You maintain full control over what data is accessible externally.
Industry-Specific Compliance
GoMeddo serves organizations across healthcare, hospitality, real estate, education, and non-profit sectors. Our native Salesforce architecture supports industry-specific compliance requirements.
Healthcare & Life Sciences (HIPAA)
GoMeddo supports HIPAA-compliant deployments when used with an appropriately configured Salesforce environment:
| Requirement | How GoMeddo Supports It |
|---|---|
| BAA | Customer executes BAA with Salesforce directly. GoMeddo operates within your compliant environment. |
| PHI Storage | All data in your Salesforce org. No external transmission. |
| Encryption | Compatible with Salesforce Shield Platform Encryption |
| Access Controls | Native Salesforce profiles, permission sets, sharing rules |
| Audit Logging | Works with Salesforce Field Audit Trail and Event Monitoring |
Customer Responsibilities for HIPAA:
Execute BAA with Salesforce
Use Salesforce Health Cloud or HIPAA-eligible edition
Configure appropriate access controls
Consider Salesforce Shield for enhanced security
Education (FERPA)
Education institutions can configure GoMeddo to support FERPA compliance using Salesforce's Education Cloud security features and native access controls.
Hospitality
GoMeddo supports hospitality organizations with guest data protection through Salesforce's security model, GDPR compliance for EU guests, and configurable data retention policies.
Real Estate
Real estate organizations benefit from GoMeddo's secure scheduling within Salesforce, with full control over client data, viewing appointments, and property access management.
Non-Profit
Non-profit organizations can leverage Salesforce's Non-Profit Cloud security features alongside GoMeddo, with support for donor data protection and volunteer management compliance.
Infrastructure Security
Since GoMeddo runs on Salesforce infrastructure, you benefit from:
SOC 1, SOC 2, SOC 3 certified data centers (Salesforce)
ISO 27001, 27017, 27018 certified infrastructure (Salesforce)
99.9%+ uptime via Salesforce (http://trust.salesforce.com)
Global data residency options via Salesforce Hyperforce
Automated backups and disaster recovery (Salesforce)
Vulnerability Management
Salesforce Security Review
Every GoMeddo release passes Salesforce's security review, which includes:
Static code analysis
Security vulnerability scanning
Best practice validation
Manual security review
Responsible Disclosure
Found a security issue? Contact us at security@gomeddo.com. We take all reports seriously and will respond within 48 hours.
Frequently Asked Questions
Does GoMeddo have access to my data?
No. GoMeddo is installed in your Salesforce org. We have no visibility into your environment or data.
Do I need a separate BAA with GoMeddo?
No. Since GoMeddo operates entirely within your Salesforce environment, your BAA with Salesforce covers the data processing.
Is penetration testing performed?
GoMeddo runs 100% on Salesforce infrastructure. Salesforce performs regular penetration testing on their platform. Our code passes Salesforce's mandatory security review.
Where is my data stored?
In your Salesforce org, in the region you selected when setting up Salesforce. GoMeddo does not move or copy your data elsewhere.
Can I get a security questionnaire completed?
Yes. Contact security@gomeddo.com with your questionnaire.
Contact
Security inquiries: security@gomeddo.com
Privacy & DPA requests: privacy@gomeddo.com
General compliance questions: compliance@gomeddo.com