an abstract blog hero image for the salesforce appexchange

Salesforce AppExchange Security Review Guide for ISVs

The Salesforce AppExchange Security review takes time – and is a frustrating experience for many independent software vendors (ISV). While the process can last several months, there are only two primary approvals required to list an app publicly on the AppExchange: 1) a Business plan approval from Salesforce Legal and 2) Security Review approval. 

Keep reading our guide to learn how Invisory customers successfully pass the AppExchange Security Review.


Step 1: Creating your Salesforce AppExchange Business Plan 

The business plan starts by creating a partner account on the Salesforce Partner Center. This is where we’re going to fill out all of our required information, link salesforce packages and orgs, submit for security review, and update listing and designate pricing for our app. Below is a capture of the primary steps

Within the Business plan, you will fill out all of the appropriate information regarding our company, website, application details, pricing and also have to determine how you wish to market the application. There are of course several partnership options and many pricing options. You will need to map out which options are most logical for your business.



Licensing options for AppExchange

Most partners publish an app on the Salesforce AppExchange and encourage installs into customers’ existing configured sales or service cloud (Partner ISVForce or Checkout license agreements), while others will sell platform licenses with their application configured on the platform. This is called an Original Equipment Manufacturer (Partner OEM license agreements).

For more details, here’s a thorough article by CodeScience that helps define OEM vs ISVForce, the reasoning behind each, the licensing and even the revenue sharing for both directions. Either option or perhaps both may be more beneficial to you and the business depending upon your desired model. 


Salesforce AppExchange pricing

From a pricing perspective, ISV apps can go through security review as paid or free applications depending upon whether or not you plan to charge customers for use of your packaged technology. Salesforce offers an array of flexibility for paid models as well. A few examples are charging by licensed user, event utilization of the tool, flat fee per customer/org per month, year or even in perpetuity. 

In the event you choose a paid app route, part of the process also requires how customers will pay for the use of our application and how you will share revenue with Salesforce. Salesforce has an out-of-the-box checkout process, which we can set up through a quick click-through agreement within the business plan (Partner Checkout license). In this process, customers will pay directly from the AppExchange. Salesforce will collect their revenue sharing directly from this process during checkout, which may certainly reduce administrative burden. 



If you would rather bill customers separately on your own paper, you will need to leverage your Partner Account Manager to assemble and execute a separate custom agreement (Partner ISVForce license) with Salesforce, which requires each customer order be submitted to Salesforce via a Channel Order Application (COA). The custom agreement only requires 9 additional questions from your partner account manager and can be assembled quickly. 

Ultimately when you close deals with new customers using your Salesforce tech, you’d then submit an order to Salesforce through the COA online process and Salesforce then bills you for the portion of revenue sharing that is due (usually 15%). This is a simple process but does take a few additional steps. 


Submitting your AppExchange business plan

Upon submission of your business plan review, Salesforce will review the details and approve or decline (with feedback). Approval means you can move forward with the security review of your application. A decline only means we need to address concerns legal has with our plan, then resubmit the application. 

The business review process takes a couple weeks to complete.


Step 2: Passing the Salesforce AppExchange Security Review


Create a managed packaged

Creating a managed package with your specific namespace is similar to creating an unmanaged packaged, but requires a salesforce developer org with managed packaged turned on. Your namespace is unique to all apps on the exchange and prevents any duplicate objects or fields in your customer’s environment. 


Create an AppExchange listing 

Once your package is ready to be submitted for security review, it’s time to turn your focus towards your AppExchange listing. Your AppExchange listing is your calling card and where Salesforce buyers, sellers and SIs will search to learn more about your application. Salesforce provides a guided step-by-step process to create your listing asking for highlights, key features, compatibility details, demo video, pricing, collateral and more. Invisory offers a lot more separate content about creating a world-class buyer’s journey via your AppExchange listing in other articles


Return to the Salesforce partner portal & AppExchange listing 

When you’ve packaged up your  technology, you’re ready to go into the Salesforce partner portal and attach your package and select your version of the package to be reviewed. You’ll also want to do a final review of your AppExchange listing.  Since your listing is your calling card for Salesforce customers, employees and partners it is critical that you spend time and energy on putting your best foot forward. This should include high-quality PDFs in the carousel, highlights, product details and collateral. 

I would also highly suggest adding in a gated demo video so that you can start collecting leads. Invisory offers a lot more separate content about creating a world-class buyer’s journey via your AppExchange listing in other articles. You can also check out our tips for a world-class AppExchange listing on our YouTube page


Ensure your technology meets the AppExchange’s standards for Security review

The Salesforce AppExchange Security Review application requires that each ISV provides details around your application technology, an architecture document, and any applicable security certification information like those surrounding HiTrust or HIPAA. The Security Review application also requires that you install and configure your application in a clean developer org, provide those credentials, and run a security scan on the environment to ensure no vulnerabilities. 

Salesforce offers free scanning tools like Checkmarx to quickly scan the org and yield a clean report within an hour, which is to be added to your Security Review application. Applications communicating with separate platforms require an external scan. You will also need to leverage OWASP ZAP, Chimera or Burp Suite.


Submit your Security Review Application

Finally, you can submit your application for review. If your application is a free app to customers, then there is no security review fee. All others require an annual listing fee of $150 and a one-time security fee of $2,550, totalling $2,700 upon initial review. 

Then you wait. It can take a number of weeks for an initial security review to be processed.


Follow-up, if questions are asked

While you may have read in the Salesforce Trailhead on security reviews that the whole process takes 4-8 weeks, don’t be surprised if it takes several months, especially if there are security questions or other follow up items from Salesforce. Also don’t be surprised if your application fails the first time. Most ISVs do have questions that come back and require additional work before allowing the application to go live. You may have to justify your app architecture or answer specific security concerns. In this event, we recommend booking time with the security review team to explain your strategy which can expedite the back and forth. 


Pass the Security Review

After passing, then the excitement begins. Your listing can be made public on the AppExchange from the partner portal. This is why having your listing ready while you wait for security review helps to ensure you are ready to go once approved. Invisory has great insight here on how you can get more views and enable user friendly experiences with your listing with videos, test drives and more! 


Set up up your app

After passing the AppExchange Security Review, there are some additional items to consider. 

From your listing in the partner portal, you can create leads in your production environment when customers view videos or install the application. A simple workflow can trigger an email or Slack notification when a prospect installs or watches a demo, for instance. If you don’t have a production environment, Salesforce will provide you with one free of charge for up to 2 users. 

If you opted for billing customers directly and not using Salesforce’s checkout process, you will need to set up the Channel Order Application in your production environment. Here, you can install the Channel Order App (COA) and submit orders when you close deals with customers. You should also install License Management App (LMA), which allows you to to control the number of licenses your customer can use within their Salesforce environment. 


Resources to help you pass the AppExchange Security Review

We recommend reading some of the information that Product Development Outsourcers (PDOs) like CodeScience, Appiphony, Aquiva Labs, VRP Consulting, Brillio, and more publish on the topic. 

  • Salesforce’s Security Review material
  • Salesforce’s Trailhead on Security Review 
  • CodeScience’s guide to the Security Review – 
  • LinkedIn post from a Technical Evangelist (TE) 
  • The Salesforce Code Analyzer is a great tool that lets Salesforce ISVs check their code for security vulnerabilities. This is not a replacement for Zap or similar tools. It allows you to incorporate security checks as part of your daily development effort and not the last thing you do before submitting to Security Review. 
  • ForceTalks blog post on the topic 
  • Eric Ramos summarizes some work that he did to launch on the Salesforce AppExchange in a medium blog post that may be worth a read.
  • Gary Stom’s LinkedIn posts. Gary has shepherded a number of applications through the security review process during his career, including two native apps that he has brought to market bootstrapped, as well as composite apps he has brought to the AppExchange for his employer. 

Want to learn more about turbocharging your Salesforce GTM strategy? Check out our other blog posts:

Share our post on social media and tell us what you think!

Resources to help you grow & scale your business

The Black Hat USA 2024 conference, which will take place August 3-8, 2024 in Las Vegas, is just around the corner, and

If you’re an ISV looking for a new revenue channel, you’re probably listed (or thinking about listing) on cloud marketplaces. Maybe you’re

At the peak of the pre-Covid tech boom, a new category began to emerge: cloud go-to-market, or cloud GTM for short.  With