Is Salesforce Quantum Safe?
Not yet. Salesforce has not publicly announced post-quantum cryptography migration plans for its platform. All Salesforce API connections and data-in-transit use classical TLS with RSA/ECDSA key exchange.
Key Takeaway: Salesforce is NOT quantum safe. Scan your Salesforce integrations with QScout to map all cryptographic dependencies. Monitor Salesforce Trust (trust.salesforce.com) for PQC announcements. Consider application-level PQC encryption for highest-sensitivity data.
- Modality
- SaaS Platform
- Vulnerability
- All Salesforce TLS connections use classical key exchange (RSA/ECDH) vulnerable to quantum attack. Shield encryption (AES-256) for data at rest is quantum-resistant.
- NIST status
- Salesforce has not publicly announced alignment with NIST PQC standards.
- Replaced by
- Salesforce TLS will need to migrate to ML-KEM for key exchange when Salesforce deploys PQC support
- Deprecation
- Salesforce has not published PQC migration timelines. Follow NIST guidance for planning.
Technical Analysis
Salesforce is NOT quantum safe today.
Current State
Salesforce uses TLS 1.2 (with TLS 1.3 rollout in progress) for all API connections, browser sessions, and inter-service communication. Authentication tokens, OAuth flows, and Salesforce Shield encryption all rely on classical cryptography.
PQC Progress
Salesforce has not publicly released a PQC migration roadmap:
- Shield Platform Encryption: Uses AES-256 for data at rest (quantum-resistant), but key exchange and key wrapping use classical algorithms.
- Salesforce APIs: REST and SOAP APIs use TLS with RSA/ECDSA certificates.
- MuleSoft: Integration platform uses classical TLS for all connections.
HNDL Risk
Salesforce contains some of the most sensitive enterprise data: customer records, pipeline data, commercial terms, contracts. Data intercepted in transit today could be decrypted by a future quantum computer. This is especially concerning for financial services and government Salesforce deployments.
What Organizations Should Do
Inventory all Salesforce integrations, connected apps, and API connections. Identify data flows with long-term confidentiality requirements. Use QScout to discover all cryptographic dependencies in your Salesforce ecosystem including MuleSoft, Heroku, and Tableau.
At a glance
| Full Name | Salesforce CRM and Platform |
| Category | saas |
| Quantum Vulnerability | All Salesforce TLS connections use classical key exchange (RSA/ECDH) vulnerable to quantum attack. Shield encryption (AES-256) for data at rest is quantum-resistant. |
| NIST Status | Salesforce has not publicly announced alignment with NIST PQC standards. |
| Deprecation Timeline | Salesforce has not published PQC migration timelines. Follow NIST guidance for planning. |
| Replaced By | Salesforce TLS will need to migrate to ML-KEM for key exchange when Salesforce deploys PQC support |
Migration Guidance
Scan your Salesforce integrations with QScout to map all cryptographic dependencies. Monitor Salesforce Trust (trust.salesforce.com) for PQC announcements. Consider application-level PQC encryption for highest-sensitivity data.
How Qtonic Quantum Can Help
Don’t Know Where Salesforce Lives in Your Stack?
QScout discovers instances of Salesforce across your infrastructure in 7 days — designed to minimize operational disruption. 72-hour time to first findings.