144 controls. 5 frameworks. One Salesforce audit.

A Salesforce compliance audit maps your Salesforce configuration against control frameworks (SOC 2, ISO 27001, GDPR, HIPAA, NIST CSF) and identifies which controls pass, fail, or are partial. For each finding, the audit produces auditor-ready evidence. Clientell's audit tracks 144 controls across 5 frameworks and runs in 10 minutes via read-only OAuth.

No. Salesforce-the-platform is SOC 2 Type II compliant (the infrastructure layer). Your specific configuration (who can access what, what is logged, who is monitored) determines whether YOUR org meets SOC 2 controls. Most orgs assume the platform's compliance flows through to their config; it does not.

Salesforce Shield is a paid Salesforce product that adds Event Monitoring, Platform Encryption, and Field Audit Trail. These are compliance-relevant features. Our compliance audit measures whether your config (Shield or otherwise) satisfies specific framework controls. Use Shield for the underlying capabilities, our audit for the framework mapping.

No. A Big-4 audit is required for a SOC 2 Type II report. Our compliance audit is the pre-audit: pre-flight your control posture before the Big-4 starts the engagement. Most orgs that pre-audit save 50% on the actual SOC 2 audit cost and avoid the typical 30-day remediation scramble that follows a failed first attempt.

Yes. For every control, the audit produces the live Salesforce configuration that satisfies (or fails to satisfy) it. Screenshots, configuration JSON, log excerpts, user-permission matrices. Pre-formatted in the structure SOC 2 and ISO 27001 auditors actually request. You hand the export to the auditor without translating.

Yes. Scan, mapping, dashboards, evidence export, continuous monitoring, and remediation backlog are all free with no paid engagement required. Most orgs use the audit to prep for a $30-80K Big-4 engagement, saving more than the entire Clientell subscription cost in audit fees alone.

Salesforce-the-vendor will sign a BAA for HIPAA-relevant editions. Our audit measures whether your specific config (signed BAA + appropriate technical safeguards) satisfies HIPAA Security Rule 164.312 (access control, audit controls, integrity, transmission security). The BAA covers the platform; the audit covers your implementation.

Continuously. SOC 2 annual audits are the regulatory minimum, but configuration drift happens daily (admins add profiles, contractors get permissions, integration users are created). Continuous monitoring catches drift within 30 minutes. Annual point-in-time audits catch it months later, after the gap has been exploited or noticed by an external party.

The 5 frameworks (SOC 2, ISO 27001, GDPR, HIPAA, NIST CSF) cover most use cases. For financial services we map to SOX equivalents within the existing frameworks. For federal we map to NIST 800-53 (FedRAMP context). Specialized industry frameworks (FedRAMP authorization, FISMA, custom regulator frameworks) are roadmap items.

Drata and Vanta are excellent end-to-end SOC 2/ISO compliance platforms that cover your entire org (not just Salesforce). Our audit focuses specifically on the Salesforce slice and integrates with the broader Clientell audit suite (Permissions, Change Intelligence, License). If you have Drata or Vanta, our audit complements them with deeper Salesforce-specific control mapping. If you do not yet have a compliance platform, our audit is a strong starting point for the Salesforce surface.