Launching your app on the Salesforce AppExchange is a major milestone—but before you can go live, you must pass Salesforce’s Security Review. This process ensures your managed package meets Salesforce’s strict standards for data protection, code quality, and customer trust.
Whether you're a technical cofounder or product leader, understanding this review process is crucial. In this step-by-step guide, we’ll break down what to expect, what to prepare, and how to navigate it efficiently.
What Is the AppExchange Security Review?
The AppExchange Security Review is a mandatory evaluation for all managed packages that will be distributed publicly on the Salesforce AppExchange. It’s conducted by Salesforce’s internal security team and covers:
Code vulnerabilities (e.g. XSS, SOQL injection)
Data storage and encryption
API access and authentication
Adherence to Salesforce platform best practices
Secure handling of external integrations
The review applies whether your app is a full-fledged SaaS product or a small internal utility—if it’s listed, it must pass.
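The first item on that list, SOQL injection, is the code-level finding reviewers see most often in Apex. The following class is an added example written for this guide (it is not code from the article, from Salesforce, or from Appnigma): the rejected pattern beside two accepted rewrites. The class name and the search field are assumptions chosen for illustration.

```apex
// Added example, not from the original article. Class name and field choice
// are assumptions for illustration; any custom object or field would do.
public with sharing class AccountSearch {

    // REJECTED: caller input is concatenated straight into the query string.
    // The input  x' OR Name != '  turns the filter into
    //   WHERE Industry = 'x' OR Name != ''
    // and returns every Account the code can see.
    public static List<Account> findUnsafe(String industry) {
        String q = 'SELECT Id, Name FROM Account WHERE Industry = \'' + industry + '\'';
        return Database.query(q);
    }

    // ACCEPTED (preferred): a static query with a bind variable. The platform
    // never parses the bound value as query syntax, so no escaping is needed.
    // WITH USER_MODE additionally enforces the running user's CRUD and FLS.
    public static List<Account> findStatic(String industry) {
        return [SELECT Id, Name FROM Account
                WHERE Industry = :industry
                WITH USER_MODE];
    }

    // ACCEPTED when the query text must be built at run time: keep the value
    // out of the string entirely and pass it through a bind map instead.
    public static List<Account> findDynamic(String industry) {
        String q = 'SELECT Id, Name FROM Account WHERE Industry = :ind';
        Map<String, Object> binds = new Map<String, Object>{ 'ind' => industry };
        return Database.queryWithBinds(q, binds, AccessLevel.USER_MODE);
    }
}
```

If a value genuinely has to be spliced into the query string (for example a dynamic field name), validate it against an allow-list and wrap any string literal in String.escapeSingleQuotes; a bind variable is still the first choice. The XSS counterpart is the same idea in the UI layer: keep the default escaping of Lightning Web Component templates and Visualforce expressions, since output rendered with escape="false" or written via innerHTML is exactly what the scanners flag.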
Step-by-Step: How the Review Works
Step 1: Join the Salesforce Partner Program
You’ll need to register your company as a Salesforce ISV Partner through the Partner Community.
Once accepted, you’ll get access to:
A Partner Business Org (PBO), the org from which you manage listings and customer licenses
License Management App (LMA), installed in the PBO
AppExchange Partner Console (formerly the Publishing Console), where you publish listings and submit packages for Security Review
💡 Tip: Use your business email and provide clear use case information in your application for faster approval.
Step 2: Build and Package Your App
Before submitting for review, you must create a managed package. This should include:
Custom objects and fields
Apex classes and triggers (if used)
Lightning Web Components or Visualforce (if used)
Proper permissions, metadata, and packaging
If you're building your app in-house, consider using ISV Copilot by Appnigma — it guides you through packaging, validates your code for security risks, and automates documentation generation for the review process.
Step 3: Run Salesforce’s Scanner Tools
Use Salesforce Code Analyzer (the Salesforce CLI scanner plug-in) and the Checkmarx scan offered free of charge through the Partner Security Portal to:
Scan Apex, Visualforce and Lightning code for security issues
Generate the pre-review reports Salesforce asks for
Fix every reported finding, or document why a finding that remains is a false positive
If your package calls an external web application you also operate, Salesforce expects a web application scan report for that endpoint as well (for example from OWASP ZAP or Burp Suite).
⚠️ Required: All scanner reports must be uploaded as part of your security submission package. A clean scan is necessary but not sufficient: reviewers also test the app manually, so treat the scanners as a first pass rather than the review itself.
Step 4: Gather Required Documentation
When submitting your app, Salesforce will ask for:
Scanner results (PDF/CSV format)
Architecture diagram or data flow diagram
Explanation of how you handle auth and data
Login credentials for a test org with the package installed and every feature configured (use a Developer Edition or trial org rather than a scratch org, which expires in at most 30 days and may not outlive the review), plus test accounts for any external services the app calls
Your explanations should clearly outline:
What external systems you call
Where data is stored or logged
What permissions are requested and why
Step 5: Submit for Review
Upload your package, scanner reports, and documentation through the Partner Portal. You’ll receive a confirmation and estimated timeline.
Reviews typically take 4–6 weeks depending on app complexity and backlog. Expect communication from the Salesforce security team if they require clarifications or fixes.
✅ Pro tip: Submit ahead of Dreamforce or fiscal quarter ends—those times often have longer queues.
Step 6: Address Feedback and Re-Test (If Needed)
If the Salesforce team identifies issues, you’ll get a detailed report with required remediations. Common reasons for rejection:
Storing sensitive data (API keys, tokens, passwords) unencrypted, for example in plain custom fields or unprotected custom settings
Apex that doesn’t enforce object and field permissions (CRUD/FLS); note that declaring a class "with sharing" enforces record sharing only, not CRUD/FLS
Over-permissioned OAuth scopes, or a connected app requesting more access than the feature needs
Hardcoded secrets, endpoints or org-specific URLs in code, instead of Named Credentials, protected custom settings or custom metadata
SOQL/SOSL injection and cross-site scripting findings left unresolved in the scanner reports
You must fix the issues, re-scan your code, and re-submit for review. ISV Copilot provides remediation guidance based on your scanner results.
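Two of the rejection causes above, hardcoded secrets and missing CRUD/FLS enforcement, usually sit in the same integration code, so the following class shows both as the rejected pattern beside the accepted fix. It is an added example written for this guide, not code from the article, Salesforce or Appnigma; the custom object Invoice__c, the Named Credential PaymentAPI and the endpoint paths are assumptions for illustration.

```apex
// Added example, not from the original article. Invoice__c, PaymentAPI and the
// endpoint paths are assumptions; substitute your own object and credential.
public with sharing class InvoiceSync {

    // REJECTED: endpoint and bearer token hardcoded in Apex. The token ships
    // inside the package, is readable by anyone with access to the source,
    // and cannot be rotated without releasing a new package version.
    public static HttpResponse fetchUnsafe(String invoiceId) {
        HttpRequest req = new HttpRequest();
        req.setEndpoint('https://api.example.com/invoices/' + invoiceId);
        req.setHeader('Authorization', 'Bearer sk_live_REPLACE_ME'); // placeholder, never do this
        req.setMethod('GET');
        return new Http().send(req);
    }

    // ACCEPTED: a Named Credential holds both the base URL and the secret.
    // The platform adds the Authorization header at callout time, so the token
    // never appears in Apex, debug logs or the package, and admins rotate it
    // in Setup. The path segment is URL-encoded so caller input cannot alter it.
    public static HttpResponse fetchSafe(String invoiceId) {
        HttpRequest req = new HttpRequest();
        req.setEndpoint('callout:PaymentAPI/invoices/' + EncodingUtil.urlEncode(invoiceId, 'UTF-8'));
        req.setMethod('GET');
        return new Http().send(req);
    }

    // REJECTED: DML in system mode. "with sharing" restricts which records the
    // user can see, but this insert succeeds even if the running user has no
    // create permission on Invoice__c or on some of its fields.
    public static void saveUnsafe(List<Invoice__c> invoices) {
        insert invoices;
    }

    // ACCEPTED: drop the fields the user may not create, then insert in user
    // mode so the platform enforces object-level create permission as well.
    // Stripping first avoids the exception USER_MODE would otherwise throw on
    // a field the user cannot write, while still honouring FLS.
    public static List<Invoice__c> saveSafe(List<Invoice__c> invoices) {
        SObjectAccessDecision decision =
            Security.stripInaccessible(AccessType.CREATABLE, invoices);
        List<Invoice__c> allowed = (List<Invoice__c>) decision.getRecords();
        Database.insert(allowed, AccessLevel.USER_MODE);
        return allowed;
    }
}
```

The same two fixes cover reads and updates: query with WITH USER_MODE (or Database.query with AccessLevel.USER_MODE) and strip with AccessType.READABLE or AccessType.UPDATABLE before returning or updating records. Reviewers check that every SOQL and DML path in the package follows one of these patterns, not just the obvious entry points.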
Step 7: Approval and AppExchange Listing
Once you pass, you’ll receive:
Approval notice from Salesforce
Go-ahead to publish your app listing
Permission to use the “Security Reviewed” badge
Your listing is now visible on the AppExchange and ready for customer installs.
What If You're Not a Developer?
The security review process can be intimidating—especially for non-technical founders or ops teams. That’s why Appnigma built ISV Copilot: a smart assistant that:
Guides you through the security checklist
Flags packaging or metadata issues
Generates the docs Salesforce requires
Helps you navigate partner onboarding
It’s ideal for SaaS companies that are building their package internally but want to fast-track their AppExchange launch without delays or surprises.
Final Thoughts
Security Review is a rite of passage for any serious Salesforce app. While it’s thorough and rigorous, it doesn’t have to be stressful. With the right tools—and some upfront preparation—you can pass on your first try and get to market faster.
Already building your app? Try ISV Copilot and get step-by-step help navigating the review and Salesforce partnership process.