Event-Driven Workato Orchestration for Compliance
Some compliance checks take minutes to return. A Salesforce transaction cannot wait that long. We co-built an event-driven Workato layer with a Tier-1 digital-asset exchange to run Enhanced Due Diligence (EDD) off-platform, keeping Salesforce lightning fast and strictly decoupled.
At a Glance
About the Client & Domain
The client is a Tier-1 US-based digital-asset exchange. Salesforce acts as their system of record for onboarding, KYC, compliance cases, and screening.
Institutional onboarding requires Enhanced Due Diligence (EDD): an external service assesses entity data, documents, adverse media, and industry risk. This process runs asynchronously and takes minutes to return structured reports and files.
- Tier-1: Digital Exchange
- KYC/EDD: Compliance Domain
Escaping the Salesforce Transaction
A regulated exchange needed external due diligence orchestrated reliably, off the Salesforce transaction path.
What the Integration Had To Do
The Hard Part: What Most Teams Hit Late
- Assessments run for minutes. Salesforce transactions do not.
- API calls, file transfer, and polling inside Apex hit governor limits and break under load.
- Fire too early — before data or documents are ready — and the result is incomplete.
- Put orchestration in code, and every vendor change needs a deployment.
Salesforce Signals. Workato Orchestrates.
Platform events keep the two decoupled.
Salesforce
The system of record. Decides when to assess, shows results to analysts in an LWC, and publishes a platform event to start an assessment.
Workato
The orchestration layer. Subscribes to the event, calls the provider, manages the long-running job, and writes results and files back.
External EDD Provider
Runs the AI-driven assessment — entity data, documents, adverse media, and industry risk — and returns a structured report.
Why Workato carried out the orchestration
It was already the estate's standard integration platform — third-party screening, system-to-system sync, approval routing, and quality-control checkpoints already ran on it, so EDD reused proven connections, monitoring, and ops ownership.
Its triggers subscribe to Salesforce platform events natively, fitting the high-volume, publish-after-commit pattern. Integration ops can change mappings, retries, and alerting in a recipe — with no Salesforce deployment per vendor change.
Inside the Workato Build
This is where the integration skill shows: each request is handled by an event-triggered recipe that runs this sequence.
Subscribe
Listen to the Salesforce platform event, high-volume and published after commit, so there is no synchronous trigger callout.
Gather Context
Query Salesforce through the connector for the entity, documents, and dataset the assessment needs.
Start the Job
Call the EDD provider's API to begin the assessment, then write the returned job and case IDs back to the record.
Resolve Completion
Use a webhook where the provider supports it, fall back to polling otherwise, so long jobs hold nothing open.
Ingest Results
Pull the returned report in PDF and JSON formats, upload it to Salesforce Files, and update the status and completion date.
Hand Off
Publish a follow-on event for downstream outreach when the flow requires it.
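The "Resolve Completion" and "Ingest Results" steps, sketched in Python as an added example (not the client's recipe or Workato's API): a job completes through whichever of webhook or poll reports first, and the result is ingested exactly once. The class, its settings, and the `"completed"` status value are hypothetical.

```python
from dataclasses import dataclass, field

@dataclass
class Job:
    next_poll: float          # earliest time polling may start or resume
    done: bool = False

@dataclass
class CompletionTracker:
    """Hypothetical tracker; `grace` and `poll_every` are assumed settings."""
    grace: float = 120.0      # seconds to wait for a webhook before polling
    poll_every: float = 60.0  # polling interval once the grace period is over
    jobs: dict = field(default_factory=dict)
    ingested: list = field(default_factory=list)

    def start(self, job_id, now):
        # Register the job ID the provider returned when the assessment began.
        self.jobs[job_id] = Job(next_poll=now + self.grace)

    def _complete(self, job_id, source):
        job = self.jobs.get(job_id)
        if job is None:
            return "unknown-job"   # completion for a job never started here: drop
        if job.done:
            return "duplicate"     # webhook and poll both reported: ingest once
        job.done = True
        self.ingested.append((job_id, source))  # stand-in for the file upload step
        return "ingested"

    def on_webhook(self, job_id, status):
        # "completed" is an assumed provider status value.
        return self._complete(job_id, "webhook") if status == "completed" else "ignored"

    def due_for_poll(self, now):
        # Open jobs whose grace period or poll interval has elapsed.
        return [j for j, job in self.jobs.items() if not job.done and now >= job.next_poll]

    def on_poll(self, job_id, status, now):
        if job_id not in self.jobs:
            return "unknown-job"
        if status == "completed":
            return self._complete(job_id, "poll")
        self.jobs[job_id].next_poll = now + self.poll_every  # check again later
        return "pending"
```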
Reliability Built Into the Recipes
Retries & Error Queues
Failed vendor calls retry automatically, with alerting routed to integration ops.
Batching & Replay
Reprocess records at volume without a Salesforce deployment.
Least-Privilege Connections
Vendor API keys live in Workato — never with business users.
Key Highlights
The decisions that make the integration hold up in production.
Event-Driven
Recipes trigger on platform events. Salesforce stays off the orchestration path and within limits.
Long-Job Handling
Webhook-or-poll completion keeps minutes-long assessments from blocking anything.
Binary File Handling
Reports move from the provider into Salesforce Files cleanly — no Apex callout gymnastics.
Operable
Error queues, retries, and alerting make failures visible and recoverable.
Replayable
Batching and recipe replay reprocess volume without a deployment.
Contained
Least-privilege connections isolate vendor credentials.
Why An Orchestration Layer, Not Apex?
The split that worked: Salesforce keeps the rules, the UI, checklist parsing, and compliant data access. Workato keeps orchestration, polling, file ingestion, and cross-system error handling.
| Dimension | All-Apex in Salesforce | Salesforce + Workato (Chosen) |
|---|---|---|
| Long-Running Jobs (minutes) | Queueable chains plus scheduled polling, fragile | Event-triggered recipes with webhook-or-poll completion |
| Governor Limits | Callout, CPU, and heap pressure in-transaction | Salesforce only publishes a platform event and inserts a record |
| File Ingestion (PDF and JSON) | Manual callout plus ContentVersion logic | Workato handles binary transfer and upload cleanly |
| Bulk and Replay | Needs code changes and deployments | Batching, error queues, and replay in Workato, no deploys |
| Operational Ownership | Dev cycle for every vendor change | Ops adjust mappings and retries in Workato recipes |
| Security | Risk of credentials in code or config | Least-privilege connections, keys held in Workato |
What changed?
Two Audiences, Two Takeaways
This engagement shows event-triggered recipe design, long-running job handling with webhook-or-poll completion, binary file ingestion into Salesforce, error queues and replay, and least-privilege connection management on Workato — integrated cleanly with a Salesforce system of record. Co-delivered with the client's integration team.
Salesforce stayed the system of record and the analyst surface, used Platform Events natively, and offloaded orchestration — which the platform is not built to do. A partner reference for regulated accounts that need Salesforce and a serious integration layer working together.
Co-Delivered By Concretio & Client Team
Concretio led the recipe design and the Salesforce eventing architecture that feeds it.
Frequently Asked Questions
-
Salesforce is our system of record and engagement; Workato is our enterprise-grade orchestration and agent layer. We chose Workato to:
Integrate securely with multiple compliance/EDD/KYC vendors, core banking, data lakes, and on‑prem systems via prebuilt connectors and robust API management—without custom code sprawl.
Centralize business logic and approvals across apps with low-code “recipes,” reducing change risk and accelerating time-to-value while preserving Salesforce simplicity for users.
Enforce observability, governance, and auditability across automations and AI agents (critical for regulated environments) while keeping Salesforce configurations lean and maintainable.
Avoid vendor lock‑in for EDD/KYC: swapping or multi-homing providers becomes a configuration change in Workato, not a major Salesforce refactor.
-
Automated failover strategy:
The circuit breaker trips after threshold errors; Workato routes to a secondary EDD provider or a deferred queue.
Requests enter a resilient, idempotent queue with exponential backoff and jitter; partial responses are discarded, and no duplicate cases are created.
Operational safeguards:
Workato posts real‑time health events to an “EDD Provider Status” dashboard (and Slack/Email/PagerDuty) with runbooks for manual review.
Salesforce shows a clear “EDD Pending” status with the last-attempt timestamp and next-retry window so Ops has full visibility.
Compliance posture:
All failures, retries, fallbacks, and operator overrides are logged with user, time, payload hash, and disposition to support audits and SAR lookbacks.
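The failover answer above, sketched in Python as an added example (not the client's recipes or a Workato API): a breaker that routes to a secondary provider after consecutive errors, backoff with full jitter, duplicate suppression, and an audit entry per disposition. All names and thresholds are hypothetical, and using the payload hash as the idempotency key is an assumption.

```python
import hashlib
import json
import random

def payload_hash(payload):
    # Canonical JSON, so the same request always hashes to the same value.
    raw = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(raw).hexdigest()

def backoff_delay(attempt, base=2.0, cap=300.0, rng=random):
    # Full jitter: uniform in [0, min(cap, base * 2**attempt)] seconds.
    return rng.uniform(0, min(cap, base * 2 ** attempt))

class Router:
    """Hypothetical router; thresholds and provider labels are assumptions."""
    def __init__(self, threshold=3, rng=random):
        self.threshold, self.rng = threshold, rng
        self.errors = 0      # consecutive provider errors
        self.attempts = {}   # idempotency key -> failed attempts so far
        self.cases = {}      # idempotency key -> case ID already created
        self.audit = []      # append-only record of every disposition

    def submit(self, user, payload, call, now):
        key = payload_hash(payload)          # assumed to double as idempotency key
        if key in self.cases:                # retry or user resubmit: no new case
            return self._log(user, now, key, "duplicate", self.cases[key])
        # Breaker open after `threshold` consecutive errors: use the secondary.
        target = "secondary" if self.errors >= self.threshold else "primary"
        try:
            case_id = call(target, payload)
        except ConnectionError:
            self.errors += 1
            n = self.attempts.get(key, 0)
            self.attempts[key] = n + 1
            return self._log(user, now, key, "retry-scheduled",
                             retry_in=backoff_delay(n, rng=self.rng))
        if target == "primary":
            self.errors = 0                  # a healthy primary resets the count
        self.cases[key] = case_id
        return self._log(user, now, key, "accepted-" + target, case_id)

    def reset(self, user, now):
        # Operator override: close the breaker, and log who did it.
        self.errors = 0
        return self._log(user, now, None, "breaker-reset")

    def _log(self, user, now, key, disposition, case_id=None, retry_in=None):
        entry = {"user": user, "time": now, "payload_hash": key,
                 "disposition": disposition, "case_id": case_id, "retry_in": retry_in}
        self.audit.append(entry)
        return entry
```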
-
Storage:
Final EDD/KYC reports and decision artifacts are written to secure, WORM-capable storage (e.g., S3 with Object Lock) with encryption at rest and bucket‑level retention policies aligned to regulatory schedules (e.g., 5–7+ years).
Metadata (provider, version, controls, timestamp, and checksum) is stored in Salesforce for discovery, while the document itself resides in the governed repository to minimize PHI/PII duplication.
Access:
Deep links from Salesforce navigate to the governed copy using short-lived, permission-scoped URLs; access is role-based and logged.
Enterprise Search is permission-aware; only users with mapped entitlements can locate and open artifacts.
Audit:
Immutable audit trails capture report generation, views, exports, and distribution, with automated exception reports for compliance review.
-
Yes—by design. Workato abstracts provider-specific APIs behind recipes and skills. Adding a provider entails:
Installing/authorizing the new connector (or HTTPS/OAuth2 generic connector).
Mapping a normalized decision schema (e.g., risk score, watchlist hits, proofs) to our canonical model.
Enabling provider selection rules (primary/secondary/by region/product/risk tier) in configuration, not code.
Result: rapid onboarding, A/B validation against incumbents, and straightforward rollback without impacting Salesforce page layouts or flows.
-
Yes. The pattern (Salesforce for engagement + Workato for orchestration, governance, and agents) generalizes to banking, payments, lending, insurance, and wealth:
Common workloads: KYC/KYB, fraud checks, AML monitoring triggers, adverse media, sanctions screening, credit pulls, consent management, adverse action letters, and dispute workflows.
Regulated fit: Centralized policy enforcement, auditable automations, and separable provider layers meet evolving compliance needs without re-architecting core CRM.
-
Elastic throughput:
Workato scales horizontally, batching and rate‑limiting per provider to respect SLAs while maximizing parallelism; backpressure prevents Salesforce governor-limit breaches.
Resilient queues and idempotency:
Queue-first patterns ensure durable processing; idempotent keys prevent duplicates on retries and user resubmits.
Cost and performance controls:
Autoscaling concurrency, step-level timeouts, and dynamic sampling of non-critical enrichments maintain SLOs.
Real-time KPIs (time-to-approve, queue depth, error rates) guide ops actions; overflow rules can route lower-risk cohorts to alternate providers or deferred processing windows.

