Financial services organizations hold some of the most sensitive data in the world. Customer financial records, transaction histories, insurance policies, investment portfolios — all of it increasingly lives in Salesforce, and all of it carries regulatory, legal, and reputational consequences if something goes wrong.
The stakes are high and getting higher. Global data privacy regulations are expanding in scope. Compliance frameworks like GDPR, CCPA, and emerging standards like DORA are raising the bar for what "adequate protection" actually means. And the data volumes involved — billions of records across multiple Orgs, spanning dozens of countries — make brute-force approaches to backup and recovery unworkable.
Here's how leading financial institutions are meeting that challenge.
In financial services, the question isn't whether to back up Salesforce data; it's how much data the organization can afford to lose in a worst-case scenario. That number drives everything else.
For Manulife, one of the world's largest financial services groups managing over $1 trillion in assets and nearly 30 million customers, the answer was clear: hourly backups for the most critical Salesforce objects, on top of automated full backups across key Orgs. At that scale (hundreds of gigabytes across thousands of objects spanning multiple Salesforce Orgs), a daily backup cadence leaves too much exposure. An incident occurring hours after the last backup means hours of customer data, transaction records, and interaction history are potentially unrecoverable.
Defining backup frequency isn't a technical decision in isolation. It's a business continuity decision that starts with understanding what an hour, a day, or a week of lost data actually costs in regulatory exposure, customer impact, and operational disruption. For financial institutions running mission-critical processes on Salesforce, that conversation consistently leads to higher-frequency backup requirements than generic solutions provide.
Financial institutions don't take vendor selection lightly, especially when the vendor will have access to some of their most sensitive data. The evaluation process at large banks and insurers routinely involves security audits, third-party oversight reviews, and compliance assessments that can span months.
One of the world's largest banks spent more than a year evaluating a Salesforce data protection platform before committing, including multiple rounds of security audits and two independent third-party oversight evaluations. The selection criteria were unambiguous: speed and performance at large data volumes, security features capable of protecting highly sensitive financial data, and a demonstrated track record in enterprise Salesforce environments.
The outcome of that process: backups running every 15 minutes for the most critical objects across eight Salesforce Orgs, protecting more than 2.5 billion records and 2 terabytes of data.
For financial institutions navigating similar evaluations, the lesson is that security posture isn't just a feature checklist; it's a demonstrated capability that holds up under sustained scrutiny. Vendors who can't survive a rigorous audit process aren't appropriate partners for institutions operating under this level of regulatory oversight.
Financial services organizations rarely operate in a single jurisdiction. They manage business units across countries, each subject to data privacy laws, residency requirements, and retention mandates. Building a Salesforce data protection strategy that satisfies all of them, without creating a patchwork of point solutions, is one of the most complex challenges in enterprise data management.
Manulife operates across Canada, Asia, and Europe, serving customers under different regulatory frameworks in each market. For their Salesforce environment, the requirement wasn't just to back up data; it was to govern it globally while honoring local requirements. That means a flexible architecture capable of applying different rules to different business units, in different countries, from a single platform.
Coast Capital, a Canadian federal credit union, faced a related but distinct constraint: certain member data cannot be exposed to public cloud platforms under Canadian financial regulation. Any backup and recovery solution had to operate within those boundaries, not around them. The ability to demonstrate compliance with Canadian data retention requirements wasn't optional; it was a prerequisite for selection.
Regulatory complexity at this level requires a data protection platform that treats jurisdiction as a first-class consideration, not an afterthought configured after implementation.
Enterprise financial institutions don't evaluate Salesforce data protection in isolation. It has to fit into a broader security strategy that already includes identity management, encryption standards, SIEM tooling, and platform-level controls like Salesforce Shield.
For Manulife, alignment with Salesforce Shield Platform Encryption and the organization's data residency strategy was an explicit requirement, not a nice-to-have. The data protection platform had to work in concert with existing security investments, not create new gaps or redundancies. That meant support for Bring-Your-Own-Key encryption, multi-layered encryption standards, two-factor authentication, and IP restriction, alongside ISO 27001 certification and SOC 2 compliance.
Reaching backup speeds of up to 300 million records per hour was also part of the equation. At that data volume, performance and security aren't in tension; they're both requirements. A solution that's secure but too slow to complete backups within operational windows isn't viable for an institution at this scale.
For large financial institutions, Salesforce data protection is an enterprise security decision, not just an IT operations one. It gets evaluated against the same standards as any other critical infrastructure.
Regulatory frameworks increasingly require financial institutions to demonstrate, not just claim, that they can recover from a data loss event. That means documented recovery plans, tested restore procedures, and evidence that the organization can meet its stated RTO and RPO commitments under real conditions.
Coast Capital built its data protection implementation explicitly around disaster recovery readiness. The selection process centered on one core question: in the event of data loss or corruption, can we restore Salesforce data quickly and completely? The answer had to be demonstrable, not theoretical. Backups run hourly, every four hours, daily, and weekly, covering 3.5 billion records across 2,700 objects, with 62 gigabytes of data and 135 gigabytes of files protected.
The ability to restore individual records, specific objects, or an entire org quickly is what converts a backup strategy into a credible disaster recovery plan. For financial institutions operating under regulatory scrutiny, the difference between having backups and being able to prove recoverability is significant.
The financial services organizations getting this right share a common perspective: protecting Salesforce data isn't an operational expense to be minimized; it's fundamental to the customer relationships the business is built on.
Manulife's investment in Salesforce data protection was explicitly framed around reinforcing customer trust. When customers share financial information, insurance details, and investment data with an institution, they're extending trust that the organization will protect it. A data loss event, or a compliance failure, doesn't just create operational disruption. It damages the relationship that is the product in financial services.
For institutions managing tens of millions of customers across multiple countries, that framing changes how data protection gets prioritized, resourced, and evaluated. It becomes less about meeting the minimum standard and more about building the infrastructure that earns and maintains customer confidence at scale.
Odaseva helps financial services organizations protect and manage Salesforce data at enterprise scale, across complex data models, multiple Orgs, and global regulatory environments.


