FAQ-000001 - AI and External Service Security / AI Application Development and Packaging

When building, packaging, and reviewing applications with AI features like Einstein Copilot, consider these security requirements: **Data Security & Privacy:** • Implement proper CRUD/FLS enforcement using `WITH USER_MODE` in SOQL queries and `AccessLevel.USER_MODE` for Database methods • Use appropriate sharing keywords (`with sharing`, `inherited sharing`) to respect record-level security • Protect sensitive data through field-level security and proper data classification • Validate and sanitize all user inputs to prevent injection attacks • Escape output data properly to prevent XSS vulnerabilities **External Integrations:** • Use Named Credentials for secure authentication with AI services • Ensure HTTPS endpoints for all external AI service calls • Avoid hardcoded credentials in code, metadata, or configuration files • Implement proper API security patterns for AI service integration **Code Security:** • Follow secure coding practices for all Apex classes that interact with AI features • Validate user permissions before processing AI requests • Implement proper error handling without exposing sensitive information • Use current API versions to leverage latest security enhancements **Packaging Considerations:** • Include comprehensive security documentation in your package • Test security controls in different org configurations • Validate that AI features respect user permissions and organization security settings • Document data processing and external service dependencies clearly **Review Requirements:** • Demonstrate compliance with Salesforce security best practices • Provide clear documentation of AI data flows and processing • Show evidence of security testing across different scenarios • Address any scanner findings related to data handling and external service usage

The FAQ question asks specifically about security considerations for AI applications but has no answer content provided. I created a comprehensive answer covering the key security areas relevant to AI application development on Salesforce. The answer addresses data security, external integrations, code security, packaging, and review requirements - all critical for AI applications that typically process user data and integrate with external services. I selected security rules that directly apply to common patterns in AI applications: data access controls (ApexCRUDViolation, ApexSharingViolations), input validation (ApexSOQLInjection), output security (ApexXSSFromEscapeFalse, ApexXSSFromURLParam), external service security (ApexInsecureEndpoint, ApexSuggestUsingNamedCred), credential management (AvoidHardcodedCredentialsInFieldDecls, AvoidHardcodedCredentialsInVarDecls, AvoidHardcodedCredentialsInHttpHeader), and data protection (ProtectSensitiveData, AvoidSecurityEnforcedOldApiVersion). Each selected rule relates to security patterns commonly found in AI applications that process user data and integrate with external AI services.