Einstein Activity Capture Security Guide

1 Einstein Activity Capture SecurityGuideSalesforce, Spring 22 @salesforcedocsLast updated: January 26, 2022 Copyright 2000 2022 , inc. All rights reserved. Salesforce is a registered trademark of , inc.,as are other names and marks. Other marks appearing herein may be trademarks of their respective Activity Capture .. 1 Einstein Activity Capture System Requirements.. 2 Access and Authentication.. 4 Allowing Network Access When Using Einstein Activity Capture with a MicrosoftExchange Server.. 5 Exchange Web Sevices (EWS) and API.. 7 Einstein Activity Capture Data Flow.. 8 How Data Is Stored and Used.. 9 Encryption.. 11 Data Privacy.. 12 Data Storage and Retention.. 14 Einstein Activity CAPTUREEDITIONSA vailable in: LightningExperienceAvailable with Sales Cloudin: Essentials, Professional,Enterprise, Performance,and Unlimited EditionsAvailable with Sales CloudEinstein, which is availablefor an extra cost in:Enterprise, Performance,and Unlimited EditionsAvailable with Inbox, whichis available for an extra costin: Professional, Enterprise,Performance, andUnlimited EditionsAvailable with High VelocitySales, which is available foran extra cost in: Enterprise,Performance, andUnlimited EditionsAvailable with RevenueIntelligence, which isavailable for an extra costin: Enterprise and UnlimitedEditionsEinstein Activity Capture is a productivity-boosting tool that helps keep data between Salesforceand your email and calendar applications up to date.

2 To keep data up to date between applications, Einstein Activity Capture focuses on three types of data emails, events, and Activity Capture also includes tools to summarize sales activities that were added toSalesforce manually and by Einstein Activity Capture . The Activities dashboard breaks down datawith various charts and filters. Activity Metrics lets you use Activity data with Salesforce platformcapabilities, such as triggers and list information, including setup steps, limitations, and details about how the feature works,is available in Salesforce : In Salesforce documentation, the term Capture refers to when data that is gatheredfrom the connected Microsoft of Google account and added to Salesforce. The captured dataisn t stored in Salesforce and isn t used to create Salesforce records. For example, captureddata is added to the timeline of related Salesforce records and is used to generate insightsand engagement Activity Capture SYSTEM REQUIREMENTSEDITIONSA vailable in: LightningExperienceAvailable with Sales Cloudin: Essentials, Professional,Enterprise, Performance,and Unlimited EditionsAvailable with Sales CloudEinstein, which is availablefor an extra cost in:Enterprise, Performance,and Unlimited EditionsAvailable with Inbox, whichis available for an extra costin: Professional, Enterprise,Performance, andUnlimited EditionsAvailable with High VelocitySales, which is available foran extra cost in: Enterprise,Performance, andUnlimited EditionsAvailable with RevenueIntelligence, which isavailable for an extra costin.

3 Enterprise and UnlimitedEditionsBefore you set up Einstein Activity Capture , confirm that your Google G Suite account or Microsoft Exchange-based server meet the system company must be using G Suite by Google Cloud. Einstein Activity Capture supports Basic,Business, and Enterprise editions. Einstein Activity Capture offers the user-level connection methodfor companies working from Google. Data is authorized to be fetched from users email serviceusing the OAuth Exchange Online with Office 365 Einstein Activity Capture offers three connection methods for companies working from MicrosoftExchange Online with Office Settings toEnableAuthentication MethodConnection MethodExchange Web Services (EWS)on an SSL connectionData is authorized to befetched from users emailservice using the OAuth accountMicrosoft Exchange 2019, 2016, or 2013 Einstein Activity Capture offers two connection methods for companies working from MicrosoftExchange 2019, 2016, or Settings toEnableAuthentication MethodConnection MethodExchange Web Services (EWS)

4 On an SSL connectionMake sure your server supportsBasic Authentication is authorized to befetched from users emailservice using accountMake sure to allow thenecessary network Exchange Hybrid DeploymentsFor companies working from a combination of Microsoft Exchange Online and Microsoft Exchange on-premises severs, Einstein ActivityCapture only supports user-level connections for the Capture Activity Capture System RequirementsACCESS AND AUTHENTICATIONA ccessTo use Einstein Activity Capture , users must be assigned to one of the permission sets that includes Einstein Activity Capture . For details,see Select Who Can Use Einstein Activity Capture in Salesforce a user s events and contacts to be synced, an admin must also add the user to an Einstein Activity Capture configuration with syncingenabled. For details, see Create a Configuration for Einstein Activity Capture in Salesforce ProvisioningWhen Einstein Activity Capture is enabled in an org, a corresponding Einstein Activity Capture org is created on Salesforce s AmazonWeb Service (AWS) servers.

5 The integration between Salesforce and AWS is authenticated through an encrypted private key. WhenEinstein Activity Capture makes API calls to AWS, the org-specific key is choices of how to connect and authenticate users email and calendar application depend on which email and calendar applicationyou use. For details about the available connection and authentication methods, see the System Requirements all cases, the connection allows Salesforce to: Read, send, delete, and manage users email. View the files in users Google drive, if applicable. Manage users contacts. Manage users NETWORK ACCESS WHEN USING EINSTEINACTIVITY Capture WITH A MICROSOFT EXCHANGE SERVERWhen setting up Einstein Activity Capture with a Microsoft Exchange on-premises server (2019, 2016, or 2013), make sure that you allowthe necessary network in: Lightning ExperienceAvailable with Sales Cloud in: Essentials, Professional, Enterprise, Performance, and Unlimited EditionsAvailable with Sales Cloud Einstein , which is available for an extra cost in: Enterprise, Performance, and Unlimited EditionsAvailable with Inbox, which is available for an extra cost in: Professional, Enterprise, Performance, and Unlimited EditionsAvailable with High Velocity Sales, which is available for an extra cost in.

6 Enterprise, Performance, and Unlimited EditionsInbound ConnectionsIf an IP or VPN restricts the Exchange Web Services (EWS) endpoint, add the following addresses to the allowlist. This method ensuresthat your Exchange server is visible to your Salesforce instance is located in EuropeIf your Salesforce instance is locatedoutside of Europe more information about Salesforce IP addresses that aren t specific to EWS or Einstein Activity Capture , see Salesforce IP Addressesand Domains to ConnectionsIf you have restrictions on Exchange outbound connections, you need to allow outbound access to the following domains. Then, whennew emails and events arrive in Exchange, push notifications are sent to your Salesforce instance is located in EuropeIf your Salesforce instance is located outside of Network Access When Using Einstein ActivityCapture with a Microsoft Exchange ServerEXCHANGE WEB SEVICES (EWS) AND APITo access contacts and events from Exchange, Salesforce makes the following calls via : For details, visit Microsoft s support website and search for the calls mentioned API CallCreates a folder in a contact or event in Exchange.

7 The Salesforce record IDis added to the Exchange item contacts or events based on the Saleforce record a folder in a contact or event based on given search information about Exchange a folder from information about a contact or event in information from time zone definitions that are availableon the Exchange all changed contacts and events with requested one or more contact or events with new field Activity Capture DATA FLOWWhen email, event, or contact data moves from the connected account to Salesforce, the data follows the same flow from the user semail account to Salesforce, regardless of which email service is connected to Salesforce. First, Salesforce AWS servers Capture the , the email and event data is fetched from AWS to display on the Activity timeline of related Salesforce records. Contact data is alsocaptured and stored on AWS to be used by other Salesforce features, such as Einstein Email Insights.

8 Finally, the activities metadata isstored in the core Salesforce servers. In additition to AWS storage, event and contact data is also stored in the core Salesforce contacts or events move only from Salesforce to the connected account, no data is stored in DATA IS STORED AND USEDI nbox and Einstein Activity Capture can be used together or separately. However, the way each feature captures, stores, and uses datais the Inbox or Einstein Activity Capture initiates the data capturing, which is the process for gathering data. The data is stored on theSalesforce AWS servers and databases, which are hosted by Amazon Web Services behind an AWS Virtual Private Cloud (VPC). The datais used by either Inbox, Einstein Activity Capture , or both to bring productivity-boosting tools to assigned more about Salesforce details about what data is captured and stored, and how the data is data is usedDetailsWhat s captured and stored by AWSE instein Activity Capture uses the data todisplay events in the Activity timeline andthe Salesforce uses the date for the Insert Availabilityand Recommended Connections all event data (except eventattachments) that comes from users connected Microsoft or Google accountsCalendar eventsContact data is used by other Salesforcefeatures, such as Einstein Email data comes from what s displayedin the Contact Profile screen (from Gmail,Exchange, Sales Cloud).

9 Contact detailsEinstein Activity Capture and Inbox use thedata to connect users email accounts details about users connectedMicrosoft or Google accounts, includingemail address, server, and domainEmail accountsEinstein Activity Capture doesn t currentlyuse the attachment uses the attachments and metadatafor the Send Later the metadata for emailattachments. For Einstein Activity Capture ,the attachments themselves aren t storedor shown on the Activity Inbox, the Send Later feature stores theattachments until the email is attachmentsDuring the Inbox email send action,attachments can be Email Attachmentsdynamically fetched from the Google orExchange server by passing the emailmessage Activity Capture uses the data toadd emails to the Activity timeline of relatedSalesforce Insights (available with both Inboxand Einstein Activity Capture ) uses the datato create email messages from users connected Microsoft or Google email elements that are stored include.

10 Subject, From, To, CC, and sent headers and metadata9 How data is usedDetailsWhat s captured and stored by AWSR ecommended Connections (available withboth Inbox and Einstein Activity Capture )uses the data to generate Activity Capture uses the data todisplay emails in Salesforce. The data is alsoused to generate email HTML bodiesIncludes the OAuth refresh and accesstokens used to connect users Google orMicrosoft accounts to users connect their account toSalesforce with OAuth , we don t storePasswords and OAuth tokensusers passwords. Therefore, if users changetheir email password after connecting theiraccount to Salesforce, they don t have toreauthenticate against Google or users that use an on-premises Exchangeemail accounts that use passwordauthentication, we do store the mobile app (not the Inbox desktopversion) uses the data to improveIncludes metadata (such as permissions,fields, and page layouts) for records such asSalesforce recordsperformance when looking up recordsrelated to an email or Activity Capture also copies emailaddresses from contact and lead recordscontacts, leads, and opportunities.