Overview
SafeBase's CRM integrations enable organizations to use their Customer Relationship Management (CRM) Software as a reliable source of truth to manage accounts within their Trust Center, with the most significant benefit being reducing the friction required to gain access to their Trust Center by customers and potential customers.
We currently offer native integrations with Salesforce (SFDC), HubSpot, and Microsoft Dynamics 365 (MSD365) (Beta).
While we support multiple CRMs, some functionalities are available for certain platforms that may not be available for others. As the integration continues to mature, our team aims to ensure consistent features across all supported CRMs.
Components
Our integration is broken down into three components (Additional information on each is available in this article):
1. CRM Integration
Our CRM integration utilizes a middleware service called Tray.ai which integrates to the customer's CRM via an Oauth2 connection.
2. SafeBase Rules Engine (RE)
Our "Rules Engine" or "RE" expands the capabilities of our standard CRM integration using customized logic that is bespoke to the customer.
NOTE: RE is an offering for Enterprise customers, and is NOT self-serve. SafeBase will work with the customer's CRM team to build out custom RE logic.
3. Salesforce (SFDC) Managed App
Our Managed App is an installable Salesforce (SFDC) package that utilizes API authentication. It creates an "Add to SafeBase" button within a customer's Salesforce environment. Additionally, users can create SafeBase accounts, invite contacts to SafeBase from Salesforce, and upload questionnaires into SafeBase directly from the SFDC platform.
Capability Matrix
Function | SFDC | Hubspot | MSD 365 |
Self-Serve Auto-Approve | ✅ | ❌ | ❌ |
Self-Serve NDA-Bypass | ✅ | ❌ | ❌ |
Self-Serve Activity Sync | ✅ | ✅ | ❌ |
Enterprise Analytics | ✅ | ✅ | ❌ |
Auto-Approve (RE) | ✅ | ✅ | ✅ |
NDA-Bypass (RE) | ✅ | ✅ | ✅ |
Auto-Invite (RE) | ✅ | ✅ | ❌ |
Auto-Deny (RE) | ✅ | ✅ | ❌ |
Auto-Revoke (RE) | ✅ | ✅ | ❌ |
Permission-Profile Mapping (RE) | ✅ | ✅ | ❌ |
SFDC Managed App | ✅ | ❌ | ❌ |
Capabilities Overview
The following is a high-level overview of each capability of our CRM integration.
Self-Serve Capabilities
Our "Self-Serve" capabilities are built into the app. SafeBase Admins are able to set these up within the platform.
Self-Serve Auto-Approve
When a user requests access to the Trust Center, we will use the email of the requester and match it against a contact of an account in the CRM and the user will be automatically granted access to the Trust Center.
Self-Serve NDA-Bypass
SafeBase admins can designate a field that will allow requesters to bypass the need to sign a SafeBase NDA. If the requester does not meet this requirement in the CRM, they will be required to sign an NDA.
Self-Serve Activity Sync
SafeBase admins can enable our CRM integration to write events occurring in SafeBase (Access Requests, NDA Consent, File Engagements, etc) back to activity feeds in the CRM.
Additionally, Contacts and Leads can be created in a customer's CRM when someone requesting access to the Trust Center is not yet a contact or lead in their CRM.
Enterprise Analytics
Creates revenue analytics dashboards and pulls account analytics (Customer Type, Annual Revenue, and Deal Stage) into the SafeBase account table.
Rules Engine (RE)
SafeBase's "Rules Engine" is offered to Enterprise customers as an extremely robust logic system that enables the creation of customized logic for a number of workflows. The SafeBase team will work with the customer's CRM team to identify the CRM field values used in the logic.
Once identified, our team will build the logic, enable it on our backend, and work with the customer to test and, if needed, troubleshoot.
CRM Objects available to the Rules Engine
*All objects listed below and the associated fields within can be used logic while building Rules Engine rules.
Salesforce (SFDC)
Contact
Account
Opportunity
Contract
Ironclad Contract Object
Ironclad Status API
Hubspot
Contact
Company
Deals
Microsoft Dynamics 365
Contact
Account
*For questions on whether a not a CRM object/field can be used, please reach out to support@safebase.io
Commonly Used Custom Rules (RE)
Auto-Approve (RE)
Like the self-serve auto-approve, the RE Auto-Approve can use custom logic such as Customer Type, ARR Ranges, Opportunity stages, or a combination of each to determine who should be automatically approved into the Trust Center.
NDA-Bypass (RE)
Like the auto-approve functionality, the RE NDA-Bypass can use custom logic such as Customer Type, ARR Ranges, Opportunity stages, or a combination of each to determine who should receive an NDA after being approved into the Trust Center. These rules can also look at your Ironclad account, if that is NDA provider is integrated with SafeBase.
Auto-Invite (RE)
Auto-Invite is a capability that will proactively invite a contact from a CRM account based on a specific field. For example, a customer might like to invite all accounts once they reach a specific opportunity stage or if their account type changes from prospect to customer.
A custom invite message can be set for all invites sent via this method.
For example, organizations can have the primary contact of an Account invited automatically if there is an open Opportunity associated with this Account that changes Stage from Demo Scheduled to Post Demo.
Invite Frequency & Options
Invitations go out once a day.
Invites match SFDC contacts by domain. If the domain of an auto-invite contact does not exist in the Trust Center, an Account will be created, and the Primary contact will be automatically added to this Account.
Optionally, an invitation email can be automatically sent to this contact.
Auto-Deny (RE)
If this option is enabled, our integration will reach out to a customer's CRM when a user requests access and DENY ACCESS based on a specific field. This is particularly useful if customers would like to deny access to accounts listed in their CRM as churned, or known competitors.
A custom deny message can also be set for these auto-denials.
Auto-Revoke (RE)
Basically the reverse of Auto-Invite, access can be revoked automatically (the account will automatically be set to the "expired" status).
For example, if the account type is changed from "Customer", to "Customer Churned", or if the Opportunity is moved to "Closed/Lost", the integration will revoke access to the Trust Center for that account.
Permission-Profile Mapping (RE)
Permission profiles, the security feature that allows SafeBase to gate documents per account, can be integrated into the Rules Engine.
If a user requests access, and for example, their account has a geocode of "New Zealand", our automated permission profile mapping would automatically add that account to an in-place permission profile labeled "New Zealand Customers"
This is particularly useful for organizations that have separate document sets for different regions or customer types.
Example of Rules Engine Workflow
Additional Logic Examples
Use the Domain/Website field rather than relying on Contacts.
Used by customers with many Accounts/Companies without corresponding Contacts.
Mix and match any number of conditions using AND/OR conditions.
Auto-approve if Type = Customer OR MNDA_Signed__c = True. Allows a company to be auto-approved as long as an NDA is signed.
Custom rules for NDA overrides and not just automatic approval.
Customers are auto-approved based on certain conditions, but still have them sign a DocuSign/Clickwrap NDA.
Use negative conditions
Allows auto-approval if Type is not equal to Competitor.
Rules Engine Visualization
Once custom rules have been set up by the SafeBase team, the logic will be displayed visually in the Settings page under the Accounts, NDA sections, or Auto-Deny Sections (if applicable).
Auto-Approve Tie-Breakers
In certain scenarios, auto-approve may fail due to duplicate contacts, or duplicate contact domains within a CRM.
Essentially, SafeBase's integration reaches out to trying to match the requesting person@company.com or @company.com against an account in the CRM and finds more than one.
The goal is to match a single user, against a single CRM Account.
This is where tie-breakers come in and are put in place so that if more than one CRM account is found, the tie-breaker logic will choose a single account.
Scenarios
The scenarios operate in order received to result in exactly one Account/Company, and will return said result as the “tie breaker” output, which will cause the system to use that for the auto-approval process.
If none of the given scenarios result in exactly one output Account/Company, the request will not be auto-approved and the access request will have to be handled manually.
account-name-match
Filters the Accounts/Companies received on being exactly equal to the access request’s company name, as given by the requestor.
website-domain-match
Filters the Accounts/Companies received on containing the access request’s email domain in either the website, or domain field(s).
last-modified-date
Finds the most recently modified Account/Company, if the second most recent was modified at exactly the same time, no result will be output.
sfdc-max-contact-count
Finds the Account with the most contacts associated with it. This is only available for sfdc.
sfdc-max-contact-count-by-domain
Finds the Account with the most contacts associated with it, but only counts contacts that have the same email domain as the email address of the requester.
Most commonly used scenario
The most commonly used tie-breaker scenario used by SafeBase's Customers is:
sfdc-max-contact-count-by-domain + last-modified-date
This scenario pics an account with the most contacts with the same domain, and if there is a tie, uses the account with the the most recently modified date.