Are there restrictions on what data can be stored in a custom logging object?
Answer
For the AppExchange Security Review, there are restrictions on storing sensitive data in custom logging objects:
1. **Encryption Requirement**: Sensitive data must be encrypted if stored in a custom logging object. Use the Apex Crypto API for encryption.
2. **Secure Key Storage**: The encryption key should be stored in a protected custom setting or a hidden custom metadata API field.
3. **Field Permissions**: Ensure proper permissions are configured for fields containing encrypted secrets.
4. **Preferred Storage Options**: Protected custom settings or protected custom metadata API fields are recommended for sensitive data storage.
Let me know if you need help implementing these practices!
Are there restrictions on what data can be stored in a custom logging object?
Recommended Answer Update
For the AppExchange Security Review, there are restrictions on storing sensitive data in custom logging objects:
1. **Encryption Requirement**: Sensitive data must be encrypted if stored in a custom logging object. Use the Apex Crypto class for encryption.
2. **Secure Key Storage**: Encryption keys should be stored in protected custom settings or protected custom metadata API fields.
3. **Field Permissions**: Ensure proper permissions are configured for fields containing encrypted secrets.
4. **Preferred Storage Options**: Protected custom settings or protected custom metadata API fields are recommended for sensitive data storage.
Let me know if you need help implementing these practices!
Reasoning
The answer needed minor refinements for clarity and accuracy:
1. Changed 'Apex Crypto API' to 'Apex Crypto class' for technical accuracy - the correct term is 'class' not 'API'
2. Simplified 'the encryption key should be stored' to 'encryption keys should be stored' for better flow
3. Removed 'a hidden custom metadata API field' from point 2 since 'protected' custom metadata was already mentioned - this eliminates redundancy
No major changes were needed as the content is accurate and comprehensive. The answer properly covers encryption requirements, secure storage practices, and field permissions.
Selected security rules relate to the FAQ content as follows:
- **ApexBadCrypto**: Directly relates to point 1 about using proper encryption with the Apex Crypto class for sensitive data
- **AvoidHardcodedCredentialsInFieldDecls**: Relates to the overall topic of protecting sensitive data in custom objects and proper field handling
- **AvoidHardcodedCredentialsInVarAssign**: Connects to secure handling of sensitive data mentioned throughout the FAQ
- **AvoidHardcodedCredentialsInVarDecls**: Relates to proper variable handling for sensitive data storage practices
- **ProtectSensitiveData**: Directly relates to the entire FAQ topic about restrictions on storing sensitive data in custom logging objects