FAQ-000511 - Custom Settings and Configuration Security / Protected Custom Settings vs Other Storage Methods

The difference between storing sensitive data in protected custom objects and protected custom metadata types lies in their use cases and implementation: 1. **Protected Custom Metadata Types**: - **Best for**: Secure, metadata-driven configurations in managed packages. - **Security**: Secrets are securely stored and aren't accessible or modifiable by subscribers or untrusted code. - **Use Case**: Ideal for configurations packaged with the application. 2. **Protected Custom Objects**: - **Best for**: Storing sensitive data that needs to be accessed dynamically. - **Security**: Requires encryption of the data, with the encryption key stored separately (e.g., in a protected custom setting or hidden custom metadata API field). - **Implementation**: Needs additional setup to ensure encryption and access control. In summary, use protected custom metadata types for secure, static configurations and protected custom objects with encryption for dynamic, sensitive data storage.

The FAQ content is generally accurate and well-structured. I made minor phrasing improvements to enhance readability: changed 'not accessible or modifiable' to 'aren't accessible or modifiable' for better conversational tone per the brand guidelines. The content correctly addresses the security considerations for both storage methods and appropriately emphasizes the need for encryption when using protected custom objects for sensitive data. For security rule associations: - ApexBadCrypto is relevant because this FAQ discusses encryption requirements for sensitive data stored in protected custom objects. The FAQ specifically mentions 'Requires encryption of the data, with the encryption key stored separately' which directly relates to proper cryptographic practices that this rule addresses. - ProtectSensitiveData is relevant because the entire FAQ is about different approaches to storing sensitive data securely. The FAQ discusses both protected custom metadata types and protected custom objects as methods for 'storing sensitive data' which is the core focus of this security rule.