Salesforce Shield is a set of security, compliance, and data governance add-ons for Salesforce – designed for organisations that handle sensitive data and need audit trails, encryption, event monitoring, and field history retention beyond what Salesforce’s standard security features provide. If your organisation operates under regulatory requirements such as HIPAA, GDPR, PCI DSS, FedRAMP, or SOC 2 and uses Salesforce as a core business system, Shield is the product that closes the gap between Salesforce’s standard controls and enterprise compliance requirements. This guide covers the three core Shield components – Platform Encryption, Event Monitoring, and Field Audit Trail – and explains how they address specific security and compliance scenarios.
Shield is a specialised add-on rather than a basic admin setting: it exists because some organisations need a stronger security and compliance layer around CRM data than the standard platform provides, and the value of deploying it lies in lowering risk while keeping the system usable. This guide therefore focuses on practical control (what each component does, where it fits in the wider platform, and how it slots into everyday CRM governance) rather than product branding.
What Salesforce Shield Includes
Salesforce Shield is a bundle of three products:
- Shield Platform Encryption: encrypts Salesforce data at rest (not just in transit) using AES-256 encryption with customer-managed or Salesforce-managed encryption keys
- Event Monitoring: records user and API activity in Salesforce – logins, report runs and exports, data access, API calls – as event log files for security monitoring and forensic investigation
- Field Audit Trail: extends Salesforce’s standard field history tracking from 18 months to 10 years, with the ability to track up to 60 fields per object
Shield Platform Encryption
What It Encrypts (and What It Doesn’t)
Standard Salesforce security encrypts data in transit (HTTPS) and protects data at the infrastructure level (disk and database-level encryption) – but field values arrive at the application in readable form, and anyone with privileged access to the database layer sees plaintext. Shield Platform Encryption adds application-layer encryption: field values are encrypted before they are written to the database, so database-level access alone, including by Salesforce operations staff, returns ciphertext rather than plaintext. The encryption is transparent to users whose permissions grant access to the field; they continue to see decrypted values.
Specifically encryptable field types include:
- Text, Text Area, Long Text Area, Rich Text Area fields
- Email and Phone fields
- URL fields
- Date and Date/Time fields
- Number, Percent, Currency fields
- Files and attachments (File Encryption)
Important limitations to understand: encrypted fields can be referenced in formula fields only through a restricted set of operators and functions, cannot be used in roll-up summary fields, and cannot be used for filtering or sorting in most list views, reports and SOQL queries (deterministic encryption restores exact-match filtering only). Not every field type is encryptable: lookup fields, picklists and a number of system fields are excluded. Encryption is also not an access control: users whose field-level security and sharing settings grant access still see plaintext, so it complements rather than replaces those controls. Before enabling encryption, map exactly which fields contain sensitive data and verify that encryption will not break existing automation, integrations or reporting that depends on them.
Encryption Key Management
Shield provides two key management options:
- Salesforce-managed keys: Salesforce generates the tenant secret on request and derives the data encryption key from it and a Salesforce-held master secret; rotation is initiated by the customer from Setup. This is the simpler option, but the key material originates inside Salesforce – some compliance frameworks require customer-controlled keys.
- Customer-managed keys (Bring Your Own Key – BYOK): the organisation generates the tenant secret in its own HSM or key management system and uploads it wrapped under a certificate issued for the org; Salesforce then derives the data encryption key from that tenant secret and its master secret. The tenant secret still resides in Salesforce while it is active, but the customer controls its generation, rotation and destruction, and destroying it makes the data encrypted under it unrecoverable. BYOK is required by some data sovereignty frameworks and regulatory requirements.
Shield also supports Cache-Only Keys – an advanced option where the key material is fetched on demand from the customer's external key service (for example one fronting AWS KMS or Azure Key Vault), held only in Salesforce's cache, and never persisted in Salesforce. If the key service is unreachable, Salesforce cannot derive the key and the encrypted fields are unreadable until it returns, so the key service's availability becomes part of Salesforce's availability. This is the most restrictive configuration and is used by defence and highly regulated financial organisations.
Encryption in Practice
Enabling Shield Platform Encryption for existing data requires an encryption policy that specifies which fields to encrypt. Turning encryption on for a field only encrypts values written from that point on, so existing records must be encrypted by a background sync job (started from the Encryption Statistics page in Setup). For large orgs with millions of records this asynchronous job can take hours or days, and until it completes the older values remain in plaintext; the Encryption Statistics page reports how many records of each object are encrypted, which is the evidence an auditor will ask for. After the sync completes, new records and updates are encrypted automatically.
Event Monitoring
What Events Are Logged
Salesforce Event Monitoring captures a comprehensive log of user activity in event log files – CSV files generated daily (or hourly, at lower latency) and downloadable through the API, which most organisations pull into a SIEM (Security Information and Event Management) system. Logged event types include:
- Login events: timestamp, user, IP address, browser, login result (success or failure)
- Report events: which reports were run, by whom, at what time – critical for detecting mass data export attempts
- API events: all API calls (REST, SOAP, Bulk) with the querying user, objects accessed, and record counts returned
- UI track events: user page views and navigation within Salesforce Lightning Experience
- Data export events: when a user exports data using the Data Export functionality
- Dashboard events: which dashboards were accessed and by whom
Real-Time Event Monitoring (Streaming)
Shield’s standard Event Monitoring delivers log files after the fact: daily files cover the previous day and become available roughly 24 hours after the events, and hourly files narrow that to about an hour. Shield also provides Real-Time Event Monitoring, which streams events as they happen via Salesforce Platform Events and stores them in big objects for later query. This enables:
- Detecting and automatically blocking suspicious activity as it occurs (e.g., a rep downloading all Accounts at 11pm – automatically suspend the session)
- Streaming events into a SIEM like Splunk, Microsoft Sentinel, or IBM QRadar for real-time security analysis
- Transaction Security Policies that can automatically log out a user, block an action, or send an alert when specific conditions are met (e.g., a login from an unusual geolocation, or an API call returning more than 5,000 records)
Event Monitoring Use Cases
- Data loss prevention (DLP): identify users who are mass-downloading CRM data (a leading indicator of departing employee data theft)
- Compliance audit evidence: provide regulators with evidence that specific data was accessed by specific users at a specific time
- Insider threat detection: correlate login locations, access times, and data volumes to detect anomalous behaviour
- License optimisation: identify inactive users who have not logged in to Salesforce in 30 days – a common use of Login event data outside the security context
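The following Python is an added example, not code from this page or from Salesforce: it runs the data loss prevention check described above (a user pulling an unusually large number of rows, especially outside business hours) over rows from the Report event type as they appear in event log file CSV. The sample is constructed with a subset of the real columns (EVENT_TYPE, TIMESTAMP_DERIVED, USER_ID_DERIVED, CLIENT_IP, REPORT_ID and ROW_COUNT are genuine column names; the IDs, addresses and counts are made up), and the thresholds, the 07:00 to 19:59 business-hours window and the org running on UTC are assumptions to tune for your own org.

```python
"""Mass-export detection over Shield event log file rows (added example).

The sample log is constructed: a subset of the Report event type's columns
with made-up IDs, IPs and row counts. Thresholds, the business-hours window
and the UTC assumption are placeholders to tune per org.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timezone

SAMPLE_REPORT_LOG = """\
EVENT_TYPE,TIMESTAMP_DERIVED,USER_ID_DERIVED,CLIENT_IP,REPORT_ID,ROW_COUNT
Report,2024-03-04T09:12:41.000Z,005000000000001AAA,203.0.113.10,00O000000000001AAA,120
Report,2024-03-04T09:40:02.000Z,005000000000001AAA,203.0.113.10,00O000000000002AAA,85
Report,2024-03-04T23:05:19.000Z,005000000000002AAA,198.51.100.7,00O000000000003AAA,48000
Report,2024-03-04T23:07:55.000Z,005000000000002AAA,198.51.100.7,00O000000000004AAA,31000
Report,2024-03-04T23:15:03.000Z,005000000000002AAA,198.51.100.7,00O000000000005AAA,27500
Report,2024-03-04T14:22:10.000Z,005000000000003AAA,192.0.2.44,00O000000000001AAA,9000
"""

DAILY_ROW_THRESHOLD = 50_000      # rows/day per user, any time of day (assumption)
OFF_HOURS_ROW_THRESHOLD = 20_000  # rows/day per user outside business hours (assumption)
BUSINESS_HOURS = range(7, 20)     # assumption: 07:00-19:59 in the org's zone (UTC here)


def parse_report_events(csv_text):
    """Parse Report rows from event log file CSV into plain dicts."""
    events = []
    for rec in csv.DictReader(io.StringIO(csv_text)):
        if rec["EVENT_TYPE"] != "Report":
            continue
        # TIMESTAMP_DERIVED is ISO 8601 with millisecond precision and a Z suffix
        ts = datetime.strptime(rec["TIMESTAMP_DERIVED"], "%Y-%m-%dT%H:%M:%S.%fZ")
        events.append({
            "user": rec["USER_ID_DERIVED"],
            "ts": ts.replace(tzinfo=timezone.utc),
            "ip": rec["CLIENT_IP"],
            "report": rec["REPORT_ID"],
            "rows": int(rec["ROW_COUNT"] or 0),
        })
    return events


def find_mass_exports(events):
    """Aggregate rows pulled per user per day and flag suspicious totals."""
    buckets = defaultdict(lambda: {"total": 0, "off_hours": 0, "reports": set(), "ips": set()})
    for e in events:
        b = buckets[(e["user"], e["ts"].date().isoformat())]
        b["total"] += e["rows"]
        if e["ts"].hour not in BUSINESS_HOURS:
            b["off_hours"] += e["rows"]
        b["reports"].add(e["report"])
        b["ips"].add(e["ip"])

    findings = []
    for (user, day), b in buckets.items():
        reasons = []
        if b["total"] >= DAILY_ROW_THRESHOLD:
            reasons.append("daily_volume")
        if b["off_hours"] >= OFF_HOURS_ROW_THRESHOLD:
            reasons.append("off_hours_volume")
        if reasons:
            findings.append({
                "user": user, "day": day, "total_rows": b["total"],
                "off_hours_rows": b["off_hours"], "distinct_reports": len(b["reports"]),
                "source_ips": sorted(b["ips"]), "reasons": reasons,
            })
    # Largest pulls first so an analyst sees the worst case at the top
    return sorted(findings, key=lambda f: -f["total_rows"])


if __name__ == "__main__":
    for f in find_mass_exports(parse_report_events(SAMPLE_REPORT_LOG)):
        print(f"{f['day']} {f['user']} rows={f['total_rows']} "
              f"off_hours={f['off_hours_rows']} reports={f['distinct_reports']} "
              f"ips={','.join(f['source_ips'])} reasons={','.join(f['reasons'])}")
```

In a real pipeline the CSV text comes from querying the EventLogFile object for the wanted EventType and downloading each record's LogFile body; feeding hourly files instead of daily ones shortens the detection delay, and the Report event only records rows rendered in a report run, so pair it with the ReportExport and API event types to see the export itself and bulk API pulls.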
Field Audit Trail
Why Standard Field History Is Insufficient for Compliance
Salesforce’s standard Field History Tracking captures the before and after values of up to 20 fields per object, retained for 18 months. For many compliance requirements – particularly in financial services, healthcare, and legal – 18 months is insufficient. Regulators may require 5-10 years of audit history for specific data fields. Field Audit Trail extends this:
- Retention: up to 10 years of field change history (compared to 18 months standard)
- Field count: up to 60 fields per object (compared to 20 standard)
- Big Objects storage: Field Audit Trail stores historical data in Salesforce Big Objects – a separate, high-volume storage tier that does not count against the organisation’s standard data storage limits. Retention is configured per object through a HistoryRetentionPolicy in the object’s metadata, which sets when history rows are moved to the archive (archiveAfterMonths) and how long they are kept there (archiveRetentionYears)
Field Audit Trail Querying
Field Audit Trail data is queried using SOQL against the FieldHistoryArchive big object, accessible via the Salesforce API. Because it is a big object, a query must filter on the index fields in order – FieldHistoryType (the object API name), then ParentId (the record), then CreatedDate – and only the last filter may be a range. Salesforce’s standard History related lists on record pages do not display Field Audit Trail data; accessing it requires custom development or a third-party AppExchange app that surfaces the extended history in the UI.
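As an added example (not code from this page or from Salesforce), the Python below builds a FieldHistoryArchive query whose WHERE clause follows the big-object index order, validates the object name and record ID before interpolating them (REST SOQL has no parameter binding), and then answers the question auditors actually ask of archived history: what value did a field hold on a given date? The field names ParentId, FieldHistoryType, Field, OldValue, NewValue, CreatedById and CreatedDate are the real FieldHistoryArchive fields; the records and IDs are constructed to mirror the records array a REST query returns.

```python
"""Point-in-time reconstruction from FieldHistoryArchive rows (added example).

FieldHistoryArchive is a big object, so SOQL against it must filter on the
index fields in order (FieldHistoryType, ParentId, CreatedDate; only the last
may be a range). SAMPLE_ARCHIVE is constructed: made-up IDs and values in the
shape of the `records` array a REST query returns.
"""
import re
from datetime import datetime, timezone

_ID_RE = re.compile(r"^[A-Za-z0-9]{15}(?:[A-Za-z0-9]{3})?$")  # 15- or 18-char Salesforce ID
_NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_]*$")             # object API name

SAMPLE_ARCHIVE = [  # constructed archive rows for a single Account record
    {"ParentId": "001000000000001AAA", "Field": "created", "OldValue": None, "NewValue": None,
     "CreatedById": "005000000000001AAA", "CreatedDate": "2019-05-01T10:00:00.000+0000"},
    {"ParentId": "001000000000001AAA", "Field": "AnnualRevenue", "OldValue": None, "NewValue": "1000000",
     "CreatedById": "005000000000001AAA", "CreatedDate": "2019-05-01T10:00:01.000+0000"},
    {"ParentId": "001000000000001AAA", "Field": "Rating", "OldValue": "Warm", "NewValue": "Hot",
     "CreatedById": "005000000000002AAA", "CreatedDate": "2022-01-01T08:30:00.000+0000"},
    {"ParentId": "001000000000001AAA", "Field": "AnnualRevenue", "OldValue": "1000000", "NewValue": "2500000",
     "CreatedById": "005000000000002AAA", "CreatedDate": "2021-02-10T16:45:12.000+0000"},
    {"ParentId": "001000000000001AAA", "Field": "AnnualRevenue", "OldValue": "2500000", "NewValue": "1800000",
     "CreatedById": "005000000000003AAA", "CreatedDate": "2023-08-15T11:20:40.000+0000"},
]


def parse_ts(s):
    """Parse the ISO 8601 timestamps the API returns (Z or +0000 suffix, optional millis)."""
    s = s.replace("Z", "+0000")
    fmt = "%Y-%m-%dT%H:%M:%S.%f%z" if "." in s else "%Y-%m-%dT%H:%M:%S%z"
    return datetime.strptime(s, fmt)


def build_archive_query(history_type, parent_id=None, start=None, end=None):
    """Build a FieldHistoryArchive SOQL query whose WHERE clause follows the index order.

    Inputs are validated rather than escaped because these values usually come
    from user-facing tooling and REST SOQL cannot bind parameters.
    """
    if not _NAME_RE.match(history_type):
        raise ValueError(f"invalid object API name: {history_type!r}")
    if parent_id is not None and not _ID_RE.match(parent_id):
        raise ValueError(f"invalid record ID: {parent_id!r}")
    if (start or end) and parent_id is None:
        raise ValueError("a CreatedDate range requires ParentId (index order)")
    where = [f"FieldHistoryType = '{history_type}'"]
    if parent_id:
        where.append(f"ParentId = '{parent_id}'")
    for op, bound in (("<=", None), (">=", start), ("<", end)):
        if bound:
            utc = parse_ts(bound).astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
            where.append(f"CreatedDate {op} {utc}")
    return ("SELECT ParentId, Field, OldValue, NewValue, CreatedById, CreatedDate "
            f"FROM FieldHistoryArchive WHERE {' AND '.join(where)}")


def timeline(records, field):
    """Chronological (when, who, old, new) tuples for one field."""
    rows = sorted((r for r in records if r["Field"] == field),
                  key=lambda r: parse_ts(r["CreatedDate"]))
    return [(r["CreatedDate"], r["CreatedById"], r["OldValue"], r["NewValue"]) for r in rows]


def value_at(records, field, at):
    """Value the field held at instant `at`, found by replaying archived changes.

    Before the first archived change the value is that change's OldValue, which
    is how a gap between record creation and the first edit is covered.
    """
    t = parse_ts(at)
    changes = timeline(records, field)
    value = changes[0][2] if changes else None
    for when, _who, _old, new in changes:
        if parse_ts(when) > t:
            break
        value = new
    return value


if __name__ == "__main__":
    print(build_archive_query("Account", "001000000000001AAA",
                              "2019-01-01T00:00:00Z", "2024-01-01T00:00:00Z"))
    for row in timeline(SAMPLE_ARCHIVE, "AnnualRevenue"):
        print(row)
    print("AnnualRevenue on 2022-06-30:", value_at(SAMPLE_ARCHIVE, "AnnualRevenue", "2022-06-30T00:00:00Z"))
```

The query string is what you would pass to the REST query endpoint; the reconstruction then runs locally over the returned records, so one archive pull can answer many point-in-time questions without further queries.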
Shield Pricing
Salesforce Shield is priced as a percentage of the total Salesforce contract value – not as a flat per-user or per-feature fee. Salesforce does not publish list pricing; the figure quoted by partners and customers is typically around 30% of the Salesforce platform contract value, and it is negotiable. For example, if an organisation pays $500,000 per year for Salesforce licences, Shield would add approximately $150,000 per year. This pricing model means Shield is most commonly deployed by enterprise organisations with substantial existing Salesforce investments where the incremental percentage cost is more manageable relative to the compliance requirement.
When Shield Is Required vs Optional
Shield is a compliance requirement (not optional) for organisations that:
- Store PHI (Protected Health Information) in Salesforce under HIPAA – HIPAA treats encryption as an addressable safeguard rather than a strict mandate, but BAA (Business Associate Agreement) provisions and risk assessments commonly require field-level encryption of PHI at rest in practice
- Need to demonstrate data sovereignty – that no third party (including Salesforce) can access encrypted data – required by some EU data regulations and defence/government contracts
- Operate under regulatory frameworks that require 5+ years of data change audit trails (financial services, legal)
Shield is a valuable but optional investment for organisations that:
- Want proactive security monitoring and insider threat detection (Event Monitoring)
- Have had or are concerned about data exfiltration by departing employees
- Are preparing for SOC 2 Type II or ISO 27001 certification and want to include Salesforce in the compliance evidence scope
Getting Maximum Value from Salesforce Shield
What does Salesforce Shield include?
Shield includes Platform Encryption (field-level encryption at rest), Event Monitoring (detailed audit logs), and Field Audit Trail (extended data history up to 10 years).
Is Salesforce Shield required for HIPAA compliance?
Shield helps meet HIPAA encryption requirements, but Shield alone does not make your org HIPAA-compliant. You also need a Business Associate Agreement from Salesforce.
How much does Salesforce Shield cost?
Shield is typically priced at 30% of your existing Salesforce license cost per user per month.
Does Shield encryption affect Salesforce search?
Deterministic encryption supports exact-match filtering (WHERE Field = value) in SOQL, reports and list views, but not partial, wildcard or range filters; because the same plaintext always produces the same ciphertext, it also reveals which records share a value, so reserve it for fields that genuinely must be filterable. Probabilistic encryption supports no filtering on the field at all, although global search (SOSL) still works on encrypted fields because the search index is encrypted separately. Plan which fields need to remain filterable before encrypting.
What is the difference between Shield and standard Salesforce security?
Standard security includes sharing rules, profiles, and SSL-in-transit. Shield adds encryption at rest, deep field-level activity monitoring, and extended audit history required by regulated industries.
Problem: Shield Platform Encryption Breaking Existing Workflows
Encrypting fields after data exists can break formula fields, reports, and Apex code that filters or sorts on them. Fix: before encrypting any field, use its "Where is this used?" button (and a search of Apex and flows) to find every formula, report filter, list view and query that references it. Rewrite formulas to the operators and functions permitted on encrypted fields, switch required exact-match filters to deterministic encryption, and test in a full-copy sandbox with representative data before enabling in production.
Problem: Event Monitoring Logs Consuming Excessive Storage
Event Monitoring generates large log volumes, and Salesforce keeps event log files only for a limited window (30 days with the Event Monitoring licence), so they cannot serve as the long-term evidence store. Fix: export the files on a schedule (nightly for daily files, or hourly files for lower latency) into an external SIEM or log archive such as Splunk or Datadog that enforces your compliance-required retention, and reconcile row counts after each export before relying on the archive as the system of record. If you need to remove files from Salesforce after a confirmed export, deleting EventLogFile records requires the Delete Event Monitoring Records permission.
Problem: Data Masking and Field Restrictions Creating User Friction
Shield Platform Encryption does not hide data from authorised users: who sees a field is decided by field-level security and the sharing model, and Salesforce's Data Mask product masks data in sandboxes rather than in production. Overly aggressive restrictions frustrate legitimate users and push them toward shadow workarounds. Fix: grant field visibility through named permission sets assigned to specific roles rather than by editing profiles, and rely on the sharing model (record owners can already see their own records) instead of hiding a field from everyone.
The best security layer is the one that protects data without getting in the way. If the controls are too heavy, the system becomes harder to use.
