Access Control Model
Least privilege is the default and role-based permissions are the operational unit. Salesforce uses Profiles + Permission Sets + Permission Set Groups; Dynamics 365 uses Security Roles and Field Security Profiles; HubSpot uses Permission Sets and Teams. Run access reviews quarterly using the platform’s native tooling — Salesforce Security Center, Microsoft Purview Access Reviews, HubSpot’s User Activity log. A dormant admin account is a breach waiting to happen; the 2025 LastPass and Okta incident postmortems both fingered stale admin credentials. Define an offboarding SLA in hours, not days, and instrument an alert when an account is granted Modify All Data, View All Data, or the equivalent global-read permission.
Data Residency
Know exactly where customer data lives. GDPR Articles 44-49 govern transfers outside the EU; the EU-US Data Privacy Framework (effective since July 2023, partially adequate) covers most US transfers but is under continuous legal challenge. Regional data laws now include India’s DPDP Act (effective 2025), Saudi Arabia’s PDPL, China’s PIPL, and Brazil’s LGPD. Customer contracts increasingly specify residency — financial services and healthcare buyers will not sign without it. Salesforce Hyperforce currently offers EU, US, India, Japan, Australia, Canada, and Switzerland regions; HubSpot offers EU and US; Dynamics 365 has the broadest regional footprint via Azure. Document residency per object class, not just at the org level.
Audit Logging
Every access, every change, every export must be logged. Retain per the longest applicable obligation — six years for HIPAA, indefinite for GDPR Article 30 records, five years for PCI-DSS. Forward to a SIEM (Splunk, Sentinel, Datadog Cloud SIEM, Sumo Logic) so the logs survive even if the source platform is compromised. Alert on anomalies: mass exports, unusual access hours, queries against tables a user has never touched. The Salesforce Event Monitoring product, Dynamics 365 Auditing, and HubSpot Security Events all expose the necessary streams; the gap is usually that nobody connected them to the SIEM.
Encryption
Encryption at rest and in transit is table stakes — TLS 1.2 minimum, AES-256 at rest. Use field-level encryption (Salesforce Shield, HubSpot’s Sensitive Data BYOK, Microsoft Customer Key) for PII, PHI, and PCI data. Key rotation cadence depends on the framework — PCI-DSS requires at least annual rotation; FedRAMP High requires more frequent rotation. Bring-your-own-key options matter for regulated industries that must hold the encryption key outside the CRM vendor’s control. The performance cost is real — encrypted fields cannot be used in some operations, such as SOQL ORDER BY in Salesforce — so apply it selectively.
Field          Classification   Encryption        Audit
SSN__c         PII-Tax          Shield platform   Every read
DOB__c         PII-Sensitive    Shield platform   Every read/write
Diagnosis__c   PHI              Shield + BYOK     Every read
Phone          PII-Contact      TLS only          Write only
Regulatory Frameworks
SOC 2 Type II, ISO 27001, HIPAA, GDPR, PCI-DSS, FedRAMP, IRAP, ENS, India MeitY are the headline frameworks. Your CRM vendor’s posture affects what industries you can serve — a public-sector deal will ask for FedRAMP Moderate or High; a healthcare deal will ask for a HIPAA BAA. Get the reports under NDA, read them, and check the carve-outs (most SOC 2 reports exclude one or two minor controls — know which). The EU AI Act adds a new layer in 2026 for AI-specific obligations on top of the existing data frameworks.
Common Failure Modes
The recurring failures: relying on the vendor’s compliance posture without a customer-side control mapping, never running access reviews, treating Shield/Customer Key as a one-time configuration rather than an ongoing rotation discipline, and forgetting that Sandboxes inherit production data unless masked.
What to do this week
Pull the user list with global-read permissions in your CRM. If the count surprises you, that surprise is the finding. Schedule a 30-minute access-review session and walk the list line by line.
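The list pull above and the grant alert from the Access Control Model section can come from one script. The example below is added here and is not code from any CRM vendor; it resolves Modify All Data and View All Data across the Salesforce layering of profiles, permission sets and permission set groups, and diffs two runs to produce the alert set. Field names mirror the Salesforce PermissionSet, PermissionSetAssignment and PermissionSetGroupComponent objects, but every record is constructed sample data, and the Ids and user names are placeholders.

```python
from collections import defaultdict

# Field names mirror Salesforce's PermissionSet / PermissionSetAssignment /
# PermissionSetGroupComponent objects; the records below are constructed samples.
GLOBAL_PERMS = ("PermissionsModifyAllData", "PermissionsViewAllData")
PERMISSION_SETS = [  # profiles surface as PermissionSet rows with IsOwnedByProfile=True
    {"Id": "0PS1", "Name": "System Administrator", "IsOwnedByProfile": True,
     "PermissionsModifyAllData": True, "PermissionsViewAllData": True},
    {"Id": "0PS2", "Name": "Standard User", "IsOwnedByProfile": True,
     "PermissionsModifyAllData": False, "PermissionsViewAllData": False},
    {"Id": "0PS3", "Name": "Reporting_Global_Read", "IsOwnedByProfile": False,
     "PermissionsModifyAllData": False, "PermissionsViewAllData": True},
]
GROUP_COMPONENTS = [{"PermissionSetGroupId": "0PG1", "PermissionSetId": "0PS3"}]
ASSIGNMENTS = [  # each row carries either a direct PermissionSetId or a group id
    {"AssigneeId": "alice", "PermissionSetId": "0PS1", "PermissionSetGroupId": None},
    {"AssigneeId": "bob", "PermissionSetId": "0PS2", "PermissionSetGroupId": None},
    {"AssigneeId": "carol", "PermissionSetId": "0PS2", "PermissionSetGroupId": None},
    {"AssigneeId": "carol", "PermissionSetId": None, "PermissionSetGroupId": "0PG1"},
]


def effective_global_perms(perm_sets, group_components, assignments):
    """Map each user holding a global permission to {perm: [granting sources]}."""
    ps_by_id = {p["Id"]: p for p in perm_sets}
    group_members = defaultdict(list)
    for c in group_components:
        group_members[c["PermissionSetGroupId"]].append(c["PermissionSetId"])
    findings = defaultdict(lambda: defaultdict(list))
    for a in assignments:
        gid = a["PermissionSetGroupId"]
        for ps_id in (group_members[gid] if gid else [a["PermissionSetId"]]):
            ps = ps_by_id[ps_id]
            source = ("profile:" if ps["IsOwnedByProfile"] else "permset:") + ps["Name"]
            if gid:
                source = f"group:{gid}/{source}"
            for perm in GLOBAL_PERMS:
                if ps[perm]:
                    findings[a["AssigneeId"]][perm].append(source)
    # Modify All Data implies View All Data, so surface the implied grant too.
    for perms in findings.values():
        for src in list(perms["PermissionsModifyAllData"]):
            perms["PermissionsViewAllData"].append(f"{src} (implied by ModifyAllData)")
    return {u: {k: v for k, v in p.items() if v} for u, p in findings.items()}


def new_grants(previous, current):
    """(user, perm) pairs present in this run but absent from the last: the alert set."""
    return {(u, perm) for u, perms in current.items() for perm in perms
            if perm not in previous.get(u, {})}
```

Persist each run's output and feed new_grants into the SIEM alert; the count of users returned is the number to compare against your expectation in the review session.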