Preparing Compliance-Ready Documentation
Compliance audits require evidence that your Salesforce configurations are documented, reviewed, and maintained. aprity generates documentation that can serve as audit artifacts, covering business rules, security configurations, access controls, and cross-object dependencies.
What Auditors Look For
Compliance frameworks such as SOC 2, GDPR, and internal audit standards typically require evidence in the following areas:
| Area | What Auditors Need | How aprity Helps |
|---|---|---|
| Change management | Proof that changes are documented and reviewed | Scan history shows when documentation was generated; Business Rule Changelog tracks changes between scans |
| Access controls | Documentation of who can access what | Validation rule and sharing rule documentation; permission-related metadata |
| Business logic | Clear description of automated business rules | AI-generated business rule documentation with evidence from triggers, flows, and validation rules |
| Data integrity | Controls that protect data quality | Validation rule documentation showing data quality enforcement |
| Process documentation | End-to-end descriptions of business processes | Process documentation generated from execution graphs |
Delivering Documentation to Auditors
aprity delivers all documentation through the web portal -- there are no downloadable documentation files. There are a few ways to give auditors access to the evidence:
Web portal deep-links
Share portal deep-links scoped to the relevant scan. Because each scan is a point-in-time record, a deep-link to a specific scan gives auditors a stable snapshot of how the org was configured on that date.
Publish into Salesforce Knowledge or Confluence (Intelligence / Trial)
On the Intelligence and Trial plans, aprity can publish documentation into Salesforce Knowledge or Confluence. This places the generated content in a system auditors may already have access to, alongside their existing controls and review history. (Documentation and Trial differ: publishing is not available on the Documentation plan.)
StorySite backlog export (Excel / CSV)
The StorySite backlog is the one artifact you can download, as an Excel or CSV file. It is useful when an auditor wants a tabular inventory of business rules expressed as work items.
For compliance audits, run a fresh scan immediately before the audit period begins. The scan record gives auditors a dated, point-in-time snapshot they can reference through the portal.
Key Features for Compliance
Global Analysis
Global Analysis provides a cross-object view of your Salesforce org, showing how objects, automation, and processes interact. This is valuable for compliance because:
- It reveals hidden dependencies between objects that may affect data integrity.
- It documents cross-object automation chains that auditors need to understand.
- It provides an org-wide map that demonstrates comprehensive documentation coverage.
Enable Global Analysis in the scan configuration to include it in your output.
Business Rule Changelog
The Business Rule Changelog tracks how business rules change between scans:
- Additions -- New validation rules, triggers, or flows added since the last scan.
- Deletions -- Automation components removed since the last scan.
- Modifications -- Changes to existing business logic.
This changelog serves as a change audit trail, demonstrating that modifications to business rules are tracked and documented.
Execution Graph
The Execution Graph provides a visual representation of trigger execution order, showing:
- Which triggers fire on each DML operation.
- The order of execution across triggers, flows, and validation rules.
- Dependencies between automation components.
This is particularly relevant for compliance reviews of complex automation that involves multiple interacting components.
Building a Compliance Documentation Package
Step 1: Generate comprehensive documentation
Run a scan with the following configuration:
- All business-critical objects selected.
- Global Analysis enabled.
- Business Rule Changelog enabled (if you have a previous scan to compare against).
- Documentation reviewed in the web portal; publish into Salesforce Knowledge or Confluence if your auditors work there (Intelligence / Trial).
Step 2: Include scan history as evidence
The scan history in the aprity Scans tab serves as an audit trail:
- It shows the date and time of each documentation generation run.
- It identifies who initiated each scan.
- It records the configuration used for each scan.
Export or screenshot the scan history to include in your compliance package.
Step 3: Document your feedback process
If you have used the Feedback feature to correct AI-generated documentation, include evidence of this review process:
- The Feedback tab shows all submitted corrections with timestamps.
- Feedback entries demonstrate that documentation was reviewed by human experts.
- The progression from ACTIVE to ARCHIVED feedback shows that corrections were applied and verified.
Step 4: Include access control evidence
Document who has access to aprity features:
- Export the list of users assigned to Aprity_Admin and Aprity_User permission sets.
- Reference the permission set comparison in the Permission Sets Explained article to show the separation of duties between admins and viewers.
Compliance Framework Alignment
SOC 2
| SOC 2 Trust Criteria | aprity Evidence |
|---|---|
| CC6.1 (Logical access) | Permission set assignments, JWT authentication documentation |
| CC8.1 (Change management) | Scan history, Business Rule Changelog |
| CC3.1 (Risk assessment) | Global Analysis showing cross-object dependencies |
GDPR
| GDPR Requirement | aprity Evidence |
|---|---|
| Article 30 (Records of processing) | Documentation of data-related objects and their automation |
| Article 25 (Data protection by design) | Validation rule documentation showing data integrity controls |
| Article 17 (Right to erasure) | Metadata purge capability documented in Data Residency |
Internal Audits
For internal audit teams, aprity documentation provides:
- A comprehensive inventory of all documented objects and automation.
- Business rule descriptions in plain language (not code).
- Evidence of documentation review through the feedback system.
- Historical snapshots through scan history.
Maintaining Compliance-Ready Documentation
- Schedule regular scans to ensure documentation stays current.
- Run a fresh scan before each audit to capture the latest state.
- Review and resolve feedback before generating audit documentation.
- Keep the scan record for each audit period -- the dated scan in the portal is your point-in-time historical evidence.
Related Pages
- Scan Strategy -- Prioritizing what to document
- Documentation Governance -- Review workflows
- Data Residency and Privacy -- Where data is stored
- Audit and Activity Logging -- What is logged