Security in an Uncertain World: How Axy7 Defends Its Platform, Partners, and Customers

June 2025

We live in an age of pervasive instability—geopolitical and digital.

Tensions continue to rise across the Middle East, with overlapping cyber-conflict scenarios involving nation-state actors such as Iran, Russia, and others targeting Western platforms and infrastructure. These developments are not abstract—they have direct implications for the cloud-based tools businesses rely on.

For companies operating within the Salesforce ecosystem, including ISV partners like Axy7, the stakes are high. Enterprise clients expect continuous availability, resilient automation, secure data flows, and strict compliance with Salesforce platform requirements. Cyberattacks, API abuse, and infrastructure probing have become daily occurrences across SaaS systems.

In this environment, security is not a checkbox—it’s a shared responsibility and a pillar of trust.

At Axy7, we treat security as a strategic investment. Our mission-critical solution—CurrencyUpdater—is built entirely on Salesforce, leveraging Apex, platform APIs, and secure integrations. It runs inside your org. It integrates with your finance stack. It connects to third-party services. And it must work safely—always.


A Surge in Threats — 340% Increase in Malicious Activity

Over the past month, Axy7’s operational logs have detected a 340% increase in attempted attacks against our services. These included:

  • API probing and brute-force attempts on older endpoints
  • High-frequency scanning from foreign IPs targeting Heroku
  • Attempts to disrupt synchronization flows using malformed requests

Despite this surge, no breach or downtime has occurred. Our security architecture, rate-limiting, and layered controls have functioned precisely as designed. This reinforces our belief that early investment in secure architecture and rigorous monitoring pays off in operational resilience.

This pattern is not unique to us. It mirrors alerts published by the Cybersecurity & Infrastructure Security Agency (CISA), especially their recommendations in the context of heightened geopolitical cyber-risk. We align our threat model accordingly, raising alert thresholds and revalidating incident protocols during such periods.


Why Enterprise Security Is More Than a Feature — It’s a Standard

As a Salesforce ISV, we build for the same environment you trust every day: Salesforce Sales Cloud, CPQ, Accounting Seed, and other financial packages where accuracy and availability are essential.

Axy7’s CurrencyUpdater app automates multi-currency exchange rate synchronization inside your Salesforce org. This means:

  • Our code runs within your org’s Apex context
  • It interacts with your accounting or quote records
  • It calls out to external financial APIs and reconciles currency data

We treat this level of access with the same seriousness as any enterprise-grade security team would.

We follow Salesforce security guidelines, deploy using Salesforce CLI and DX-based processes, and ensure that all customer data remains within the bounds of the org. And, as you’ll read below, we validate this maturity through industry-standard frameworks.


Our CIS Controls Assessment: Proving Our Security Readiness

In 2025, we voluntarily conducted a full security self-assessment using the CIS Controls v8 Implementation Group 1 framework through the official CIS CSAT platform.

This framework is recognized by CISA, the U.S. Department of Homeland Security, and many global cybersecurity benchmarks.

Our score: 76/100 (industry average for similar SaaS businesses: 30/100)

We evaluated our practices across areas such as:

  • Software and asset inventory
  • MFA enforcement and access control
  • Patch and vulnerability management
  • Logging, monitoring, and alerting
  • Backup, recovery, and incident planning

All areas were scored, documented with internal evidence, and reviewed with improvement plans in place.


How We Apply This Every Day

Here is how we turn frameworks into action across our stack:

  • Asset Inventory: Manual and automated reviews of Salesforce, Heroku, GitHub, and Stripe
  • MFA Everywhere: Enforced across all admin and developer systems
  • Dependency Management: GitHub + Dependabot + Snyk scans prior to release
  • Logging & Alerting: Salesforce Audit Trail, Heroku Logplex, and contextual alerting
  • Data Encryption: All traffic over HTTPS; no customer secrets stored
  • Backup & Recovery: Heroku PGBackups, GitHub version control, Salesforce platform backups
  • Incident Response: Predefined escalation procedures and log review routines

We also review CISA guidance regularly, such as their Shields Up advisories, to ensure our systems stay hardened and well-monitored.


Our Alignment with Salesforce ISV Security Requirements

Our solution is not just secure by design—it’s approved by Salesforce.

Every major release of CurrencyUpdater is reviewed through the AppExchange Security Review process. This includes:

  • Static code analysis (PMD and Salesforce proprietary scanners)
  • Enforced adherence to CRUD/FLS principles
  • Manual reviews for callout scope, authentication patterns, and sharing rules
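As an added illustration of the CRUD/FLS enforcement the Security Review checks for (example code written for this page, not Axy7's or CurrencyUpdater's own), this Apex class applies already-fetched rates to a hypothetical Exchange_Rate__c custom object with fields ISO_Code__c and Rate__c, all assumed for the example:

```apex
// Added illustration, not Axy7's code: the object-level and field-level
// checks an AppExchange review expects around DML. Exchange_Rate__c,
// ISO_Code__c and Rate__c are hypothetical names assumed for this example.
public with sharing class RateSyncService {

    public class RateSyncException extends Exception {}

    // rates: ISO code -> rate, already fetched from the external API
    // (the callout is omitted; it would go through a Named Credential).
    public static Integer applyRates(Map<String, Decimal> rates) {
        // Object-level (CRUD) check: fail closed if the running user
        // may not update rate records at all.
        if (!Schema.sObjectType.Exchange_Rate__c.isUpdateable()) {
            throw new RateSyncException('No update access to Exchange_Rate__c');
        }

        // WITH SECURITY_ENFORCED makes the query throw if the user lacks
        // read access to the object or to any selected field.
        List<Exchange_Rate__c> existing = [
            SELECT Id, ISO_Code__c, Rate__c
            FROM Exchange_Rate__c
            WHERE ISO_Code__c IN :rates.keySet()
            WITH SECURITY_ENFORCED
        ];

        for (Exchange_Rate__c rec : existing) {
            rec.Rate__c = rates.get(rec.ISO_Code__c);
        }

        // Field-level (FLS) check: strip any field the user may not update
        // so a non-updateable field never reaches the database.
        SObjectAccessDecision decision = Security.stripInaccessible(
            AccessType.UPDATABLE, existing
        );
        List<Exchange_Rate__c> safe = (List<Exchange_Rate__c>) decision.getRecords();

        // If Rate__c itself was stripped, the sync would silently write nothing;
        // surface that as an error instead of reporting success.
        Map<String, Set<String>> removed = decision.getRemovedFields();
        if (removed.containsKey('Exchange_Rate__c')
                && removed.get('Exchange_Rate__c').contains('Rate__c')) {
            throw new RateSyncException('Running user lacks edit access to Rate__c');
        }

        update safe;
        return safe.size();
    }
}
```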

We also comply with the Salesforce Secure Coding Guidelines, and implement CI/CD best practices using GitHub and Salesforce CLI.

Our Heroku infrastructure is deployed in shielded environments, with all secrets held in environment variables rather than in code, rate-limited endpoints, and automated patch management.


Transparency That Builds Trust

We’ve published a detailed Security Policy Document that aligns with both Salesforce ISV practices and the CIS Controls framework. It includes:

  • Documentation of controls implemented
  • Frequency of review and evidence collection
  • Incident management protocol and escalation paths

You can download it here:
Download the Axy7 Security Policy (PDF)


Conclusion: Security Is a Shared Journey

The world is unstable. Cyberattacks are increasing. But your automation shouldn’t have to live in fear of that.

At Axy7, we’ve demonstrated that serious security is possible—even for small teams—when it’s embedded from the beginning.

Our app isn’t just safe because Salesforce runs it—it’s safe because we’ve tested, reviewed, and hardened it ourselves, using the same tools and frameworks trusted by government agencies and large enterprise vendors.