Salesforce Government Cloud: Technical Overview (June 17, 2015)

Trusted Cloud Computing

Andrew Randall, Success Architect, Public Sector


Safe Harbor

Safe harbor statement under the Private Securities Litigation Reform Act of 1995:

This presentation may contain forward-looking statements that involve risks, uncertainties, and assumptions. If any such uncertainties materialize or if any of the assumptions proves incorrect, the results of salesforce.com, inc. could differ materially from the results expressed or implied by the forward-looking statements we make. All statements other than statements of historical fact could be deemed forward-looking, including any projections of product or service availability, subscriber growth, earnings, revenues, or other financial items and any statements regarding strategies or plans of management for future operations, statements of belief, any statements concerning new, planned, or upgraded services or technology developments and customer contracts or use of our services.

The risks and uncertainties referred to above include – but are not limited to – risks associated with developing and delivering new functionality for our service, new products and services, our new business model, our past operating losses, possible fluctuations in our operating results and rate of growth, interruptions or delays in our Web hosting, breach of our security measures, the outcome of any litigation, risks associated with completed and any possible mergers and acquisitions, the immature market in which we operate, our relatively limited operating history, our ability to expand, retain, and motivate our employees and manage our growth, new releases of our service and successful customer deployment, our limited history reselling non-salesforce.com products, and utilization and selling to larger enterprise customers. Further information on potential factors that could affect the financial results of salesforce.com, inc. is included in our annual report on Form 10-K for the most recent fiscal year and in our quarterly report on Form 10-Q for the most recent fiscal quarter. These documents and others containing important disclosures are available on the SEC Filings section of the Investor Information section of our Web site.

Any unreleased services or features referenced in this or other presentations, press releases or public statements are not currently available and may not be delivered on time or at all. Customers who purchase our services should make the purchase decisions based upon features that are currently available. Salesforce.com, inc. assumes no obligation and does not intend to update these forward-looking statements.

Agenda

•  Introduction to Government Cloud
•  Government Cloud - Unique Technical Aspects
•  Additional Available Resources

Multi-tenancy Innovation is the Core of Our Enterprise Cloud

•  Trusted Enterprise Security
•  Always on Availability
•  Performance at Scale
•  Application Innovation
•  Continuous Improvements

Single-Tenant vs. Multi-Tenant Architecture

Single tenancy gives each customer a dedicated software stack – and each layer in each stack still requires configuration, monitoring, upgrades, security updates, patches, tuning, and disaster recovery.

On a multi-tenant platform, all applications run in a single logical environment: faster, more secure, more available, automatically upgraded and maintained. Any improvement appears to all customers at once.

[Diagram: single-tenant stacks for App 1, App 2 and App 3, each with its own app server, database, server OS, storage and network, shown beside a multi-tenant platform with shared infrastructure and other apps.]

10 Years of Government Adoption and Success

•  23 of 23 CFO Act Federal Agencies
•  45 Out of 50 States
•  More than 100,000 Success Stories

[Timeline: 2005 to 2015]

Government Cloud Success Is Built on Trust

•  Secure: FedRAMP (SaaS & PaaS) Moderate Impact Level
•  Trusted: trust.salesforce.com
•  Proven: 2.1 Billion Transactions per day

Our FedRAMP Approach

Government cloud:

•  For U.S. Government customers only
•  Dedicated databases and supporting pod infrastructure
•  Secure software access controls to separate customer data
•  Located in two U.S. production data centers
•  U.S. Based U.S. Citizens w/ Tier 3 MBI

| Commercial cloud | Government cloud |
|---|---|
| Identical core hardware | Identical core hardware |
| Identical core code base | Identical core code base |
| Multitenant infrastructure shared w/ commercial clients | Multitenant infrastructure shared w/ government clients |
| 128-bit or 256-bit (RC4) encryption in transit (TLSv1.0/SSL 3.1) | FIPS 140-2 validated 128-bit or 256-bit AES encryption in transit (TLSv1.2) |
| 128-bit AES Encrypted Custom Fields | FIPS 140-2 validated 128-bit AES Encrypted Custom Fields |
| Worldwide follow the sun support | Support provided by US based, US citizens |
| Backup to tape | Backup to disk |
| ISO 27001, SOC 2, PCI, HIPAA | ISO 27001, SOC 2, PCI, HIPAA and FedRAMP |
| Premiere+ Support not included | Premiere+ Support included |

Technical Overview

Government Cloud - Unique Technical Aspects

•  My Domain
•  Encryption in Transit
•  Packaging
•  Application Security – Code Analysis
•  New Government Cloud Features

My Domain

•  My Domain is required for all organizations on Government Cloud
•  A custom domain name for login and authentication with your Salesforce organization (https://<mydomain>.my.salesforce.com)
•  Unique Aspect - End users and API users are not able to connect via login.salesforce.com or test.salesforce.com. All connections require the use of https://<mydomain>.my.salesforce.com
•  Impact - Solutions require the ability to add/update the My Domain as a connection configuration for integrations with Salesforce

Encryption in Transit: Certificates and Ciphers

•  Outbound Connections (Call-outs)
   •  Requires TLSv1.2 with AES128-SHA or AES256-SHA
•  Inbound Connections (Call-ins)
   •  Supports TLSv1, TLSv1.1, and TLSv1.2 using the following encryption options:
      •  AES256-SHA256 (TLSv1.2 only)
      •  AES256-SHA
      •  AES128-SHA256 (TLSv1.2 only)
      •  AES128-SHA
      •  DES-CBC3-SHA (aka 3DES)
•  No version of SSL (e.g. SSL3) is supported
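A pre-flight check for an integration's connection settings, covering both the My Domain and the Encryption in Transit slides; this is an added example, not Salesforce code. The config layout, the function names and the sample values are assumptions, and protocol and cipher names are matched as the OpenSSL-style strings the slides list.

```python
from urllib.parse import urlsplit

# Policy values transcribed from the two slides above.
GENERIC_HOSTS = {"login.salesforce.com", "test.salesforce.com"}
MY_DOMAIN_SUFFIX = ".my.salesforce.com"
TLS12_ONLY = {"AES256-SHA256", "AES128-SHA256"}
OUTBOUND = ({"TLSv1.2"}, {"AES128-SHA", "AES256-SHA"})
INBOUND = ({"TLSv1", "TLSv1.1", "TLSv1.2"},
           TLS12_ONLY | {"AES256-SHA", "AES128-SHA", "DES-CBC3-SHA"})
ALLOWED = {"outbound": OUTBOUND, "inbound": INBOUND}


def check_endpoint(url):
    """Return problems with a configured login/API URL (empty list = ok)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    problems = [] if parts.scheme == "https" else ["endpoint must use https"]
    if host in GENERIC_HOSTS:
        problems.append(f"{host} cannot be used; configure the My Domain host")
    elif not (host.endswith(MY_DOMAIN_SUFFIX) and len(host) > len(MY_DOMAIN_SUFFIX)):
        problems.append(f"{host!r} is not a *.my.salesforce.com host")
    return problems


def check_tls(direction, protocol, cipher):
    """Return problems with one negotiated protocol/cipher pair."""
    protocols, ciphers = ALLOWED[direction]
    problems = []
    if protocol.upper().startswith("SSL"):
        problems.append("no version of SSL is supported")
    elif protocol not in protocols:
        problems.append(f"{protocol} is not listed for {direction} connections")
    if cipher not in ciphers:
        problems.append(f"{cipher} is not listed for {direction} connections")
    elif cipher in TLS12_ONLY and protocol != "TLSv1.2":
        problems.append(f"{cipher} is TLSv1.2 only")
    return problems


def preflight(cfg):
    """Check a whole config; the cfg layout is an assumption of this example."""
    tls = [p for obs in cfg["observed_tls"] for p in check_tls(*obs)]
    return check_endpoint(cfg["login_url"]) + tls


# Constructed sample config, not taken from a real integration.
SAMPLE = {"login_url": "https://login.salesforce.com",
          "observed_tls": [("inbound", "TLSv1.1", "AES128-SHA256"),
                           ("outbound", "TLSv1.2", "DES-CBC3-SHA")]}
```

Running `preflight(SAMPLE)` reports the generic login host, the SHA256 suite negotiated below TLSv1.2, and 3DES on a call-out, which the slides list for call-ins only.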

Cross Cloud Compatibility Matrix for Packaging (Future Roadmap State)

| Source | Package Type | Destination: Commercial Cloud | Destination: Government Cloud |
|---|---|---|---|
| Government Cloud | Managed | ✔ | ✔ |
| Government Cloud | Unmanaged | ✔ | ✔ |
| Commercial Cloud | Managed | ✔ | ✔* |
| Commercial Cloud | Unmanaged | ✔ | ✖ |

*Requires completion of the Salesforce Security Review, https://developer.salesforce.com/page/Security_Review

Government Cloud Packaging – Current Process (Government Cloud to Commercial Cloud)

1. Create Package
2. Contact Support
3. Available for Installation

Government Cloud Packaging – Future Process (Government Cloud to Commercial Cloud)

1. Create Package
2. Available for Installation (Automatically Enabled)

[Diagrams: package flow from government cloud to commercial cloud]

Application Security - Code Analysis

•  Salesforce Source Code Scanner is not available for the Government Cloud
   •  http://security.force.com/security/tools/forcecom/scanner
•  Alternative Options
   •  Checkmarx - https://www.checkmarx.com/
   •  WebInspect - http://www8.hp.com/us/en/software-solutions/webinspect-dynamic-analysis-dast/

New Government Cloud Features

GA Commercial Cloud Features coming to the Government Cloud:

•  Analytics Cloud
•  Platform Encryption

Additional Resources

•  Partner Success Community
   •  Public Sector Group - https://partners.salesforce.com/_ui/core/chatter/groups/GroupProfilePage?g=0F9300000009MIh
•  Trust – our public pages on availability, performance, and security
   •  https://trust.salesforce.com
•  Vulnerability Assessment and Penetration Test
   •  https://help.salesforce.com/apex/HTViewSolution?urlname=Vulnerability-Assessment-and-Penetration-Test&language=en_US
•  Salesforce Administrator and Developer Training
   •  Trailhead - https://developer.salesforce.com/trailhead

Thank you