Technology & Tool Disclosures

Last updated: June 2026 (v1.17.0)

SFDevTools is built on modern, battle-tested infrastructure. Below is a transparent disclosure of the third-party services and technologies that power the platform.

Hosting & Infrastructure

Component Provider Purpose
Frontend App Cloudflare Pages Hosts the SFDevTools web application at app.sfdevtools.com
Landing Page Vercel Hosts this site (sfdevtools.com)
Backend API Railway Containerized Bun/Hono API at api.sfdevtools.com
Database Railway Self-managed PostgreSQL 16
Cache Railway Self-managed Redis 8 for performance caching
Analytics PostHog Privacy-first product analytics (fully anonymous, no user identification)
AI Agent Anthropic, Google (Gemini) Powers the optional AI Agent chat feature; processes your prompts and tool-call results to generate responses

Analytics

  • PostHog for privacy-first product analytics. All events are fully anonymous — no identify() calls, no person profiles (person_profiles: "never"), no PII collected.

Frontend Stack

  • React with Vite for the main application
  • TanStack Router for file-based routing
  • TanStack Query for server state management
  • Tailwind CSS and Shadcn UI (Radix Primitives) for the interface
  • Lucide React for iconography

Backend Stack

  • Bun runtime with Hono framework
  • Drizzle ORM for database operations
  • Better Auth for user authentication (magic link + Google OAuth)
  • ioredis client for cache operations
  • Zod for request/response validation

AI Agent

  • AI Agent is an optional chat assistant with read-only access to your connected Salesforce org data, powered by Anthropic (Claude) and Google (Gemini) models — you choose a "Fast" or "Most capable" tier rather than a specific model.
  • The agent can only call read-only endpoints; it cannot create, update, or delete Salesforce records or metadata.
  • For questions spanning more than one connected org, the agent can delegate to focused sub-agents — one per org — and combine their answers in a single conversation.
  • Conversations are saved to our database so they persist across sessions, and can be deleted at any time.
  • AI usage is tracked against a shared team credit balance (visible on the Company page) rather than a per-user daily cap.
  • The agent can produce Artifacts — self-contained HTML deliverables (charts, summaries, reports) that are saved to your conversation and can be reopened at any time.

AI Dashboards

  • AI Dashboards is an optional feature that lets you describe a Salesforce dashboard in plain language and have an AI agent build it for you.
  • The AI authors a structured layout with field bindings; it does not write or execute raw SOQL directly. The frontend hydrates the layout by building safe, structured queries from the binding definitions and running them against your Salesforce org under your own credentials.
  • Once built, a dashboard re-queries your org live on every view without consuming AI credits.
  • Dashboard layouts, field bindings, version history, and builder conversation history are stored in our database. Dashboards can be deleted at any time.
  • The dashboard builder is powered by Anthropic (Claude) and Google (Gemini) — the same providers as the AI Agent.

Security Infrastructure

  • AES-256-GCM encryption for stored Salesforce OAuth tokens
  • Application-level tenant isolation enforces strict data separation between users and teams
  • Gzip compression for cached data (reduces Redis footprint ~10x)

Data Processing & Authentication

  • Better Auth handles user authentication (magic link and Google OAuth).
  • Salesforce OAuth 2.0 (PKCE) handles org connections via standard Connected App flow.
  • All Salesforce API calls are proxied through our backend - your credentials never touch the browser.
  • Dynamic Scopes: We strictly follow the principle of least privilege. "Session Only" connections request only api and web scopes. "Persistent" connections additionally request refresh_token and offline_access.
  • OAuth tokens are encrypted at rest and decrypted only when making API calls on your behalf. "Session Only" connections are explicitly purged upon user logout.
  • Query results and metadata can be optionally cached with a user-controlled TTL.
  • User execution history (SOQL/Apex) defaults to browser Local Storage. Cloud synchronization to our database is strictly opt-in.

For questions about our technology choices or security practices, contact us at support@sfdevtools.com.