Contour
Salesforce Data Masking Beyond Binary FLS
Scan your org for exposed sensitive data, deploy fields with role-based visibility, and roll back any change in one click. Salesforce native app. No data leaves your org.
The Manual Reality Of Salesforce Data Protection
Objects to Scan
You do not know where all your sensitive data lives. Every missed field is a compliance gap you personally own.
To Mask Manually
Masking one field takes an hour of metadata surgery: formula field, page layout, FLS. And you have hundreds.
Rollback Options
One wrong FLS change and you break half the org. There is no undo button. That is why nobody touches it.
How Contour Protects Sensitive Data In Salesforce
Five steps. One workflow. Full rollback.
Scan
Scan field names, labels, and actual record data across your org to find sensitive information.
Discover
See every layout, Lightning page, profile, and permission set that references each sensitive field.
Mask
Choose from 6 masking templates: Last 4, Last 2, Full Mask, Email, Card number, National ID.
Deploy
One click updates page layouts, Lightning pages, profile FLS, and permission set FLS with full audit trail.
Rollback
Every change captured. One-click rollback restores the exact prior state: layouts, FLS, pages, and fields.
Built For The Regulations You Answer To!
Contour addresses specific Salesforce HIPAA compliance, PCI-DSS display masking, and GDPR data protection requirements with auditor-ready evidence.
PCI-DSS v4.0, Requirement 3.4.1
PAN must be masked when displayed. Mandatory since April 2024. Contour's Card Masking template renders ****-****-****-1234 with audit evidence.
HIPAA Minimum Necessary Standard
Service agents see masked patient data. Compliance roles see the full record. Same object, different views based on role.
Auditor-Ready Evidence
Every deployment logged. Evidence persisted as Salesforce Files: downloadable, shareable, and survives even if the log record is deleted.
What Can Contour Do For Your Salesforce Org?
Automated Sensitive Data Discovery
Two-pass scanner checks records and metadata for classification. Detects sensitive data even in generic text fields and covers 7 pattern categories.
Role-Based Partial Visibility
Service agent sees ***-**-1234. Compliance sees the full value. Different users see different versions of the same field based on access.
One-Click FLS Across All Profiles
Update field-level security on every profile and every permission set in a single deployment. No need to update each permission set manually.
Full Reference Mapping
Before any change, see every layout, Lightning page, profile, and permission set that references a sensitive field.
Precision Rollback
Every deployment captures the exact prior state. Rollback restores layouts, FLS, and Lightning pages, and deletes formula fields.
Persistent Audit Trail
Deployment logs stored as Salesforce Files (ContentVersion). Downloadable, shareable, survives record deletion.
Where Does Contour Fit In Your Salesforce Security Stack?
Every layer solves a different problem. Together, full coverage.
Shield encrypts stored data. Data Mask & Seed protects sandboxes. Contour protects what your users, reports, and AI agents see on screen in production. Each layer protects a different part of your data. Contour controls what users see on the live Salesforce org and completes the stack.
AI Agent Can See Every SSN In Your Org!
Salesforce data governance is a prerequisite for Agentforce. Not a nice-to-have.
1. Agents inherit field access from permission sets
If the permission set can read email, the agent reads email. Give the agent access to Email_Mask__c instead — the agent sees j*****@g****.com.
2. No code changes to the AI
The backend integration keeps full access through a separate permission set. No Trust Layer workaround. Just field-level security, the way Salesforce already works.
3. Same record, different visibility
The compliance user sees the full record. The AI agent sees the masked version. All controlled through standard Salesforce FLS.
How Much Does Manual Data Masking Cost Your Team?
200-400 hrs: Admin saves per masking project
$15K-$60K at standard admin billing rates.
Weeks → minutes: Audit prep time reduced
$12K-$32K saved per audit cycle
30+: Profiles updated in one click
Vs. one-by-one through Setup for each field
1-click: Full rollback
Layouts, FLS, Lightning pages, formula fields
Built For Orgs That Cannot Afford To Get This Wrong
100% Native Salesforce
2GP managed package. Installed from AppExchange. Runs inside your org. No external APIs, no data exports, no third-party data processing.
Security Review Passed
All service classes enforce 'with sharing' and USER_MODE data access. Dedicated permission set (Masker_Admin_User) controls access.
No Data Leaves Your Org
Scans, masking, deployment, and audit logs all happen inside Salesforce. Zero external callouts for sensitive data. Your data stays where your compliance team can see it.
Questions Salesforce admins ask before installing
- Before any deployment, the reference scanner maps every layout, Lightning page, profile, and permission set that uses the field. You see exactly what will change. If anything goes wrong, one-click rollback restores every setting to its exact prior state.
- Shield encrypts data at rest in the database. Contour masks data on screen, in reports, and for AI agents. They protect different surfaces. Together, they provide full coverage: storage security plus display governance.
- Yes. Concretio Contour is a second-generation managed package distributed through AppExchange. All service classes enforce 'with sharing' and USER_MODE. No data leaves your Salesforce org.
- Masked formula fields are created alongside the originals, not as replacements. Existing formula references to the original field continue to work. FLS controls which roles see the original vs. the masked version.
- Every deployment is logged with timestamps and field counts. Detailed event records are persisted as Salesforce Files (ContentVersion), so they are downloadable, shareable, and survive even if the parent record is deleted.
- Yes. The deployment chain has separate batch steps for profiles and permission sets. Both are updated in a single deployment, and both are restored on rollback.
- Three modes: Full Org (every object), Custom (you pick the objects), and Persona-Based (scoped to objects accessible by a specific role). Start narrow, expand as needed.
- Contour addresses HIPAA's Minimum Necessary Standard by ensuring each role sees only the data it needs. For GDPR Article 25 (data protection by design), Contour provides field-level governance metadata and role-based masking that demonstrates ongoing compliance. The persistent audit trail provides evidence for both frameworks.
- Most Salesforce masking tools only work in sandboxes during data copy. Contour masks data in production at the display layer using formula fields with role-based FLS. The original data is never modified. Service agents see masked values while compliance roles see the full record on the same object.
- Field-level security (FLS) controls which profiles and permission sets can read or edit each field. Salesforce FLS is binary: a field is either visible or hidden. Contour adds a third option by creating masked formula fields and controlling which roles see the original vs. the masked version through standard FLS settings.
See What Is Exposed In Your Org
Book a 30-minute demo. We will scan a sample org live and show you exactly how Contour finds, masks, and rolls back sensitive field changes.

