Conga Orchestrate

Security, Privacy & Architecture

Conga Orchestrate is a powerful Salesforce® workflow application that orchestrates end-to-end processes inside of Salesforce. Conga Orchestrate turns time-consuming, unstructured procedures into automated, efficient workflows that can handle the complex needs of today’s businesses. Easily configure, automate and manage large numbers of workflow steps. At Conga, we understand that our customers care passionately about the security of their data, especially when stored in the cloud. We are committed to providing enterprise-level security for all our applications—including Conga Orchestrate

Salesforce-level security

Because Conga Orchestrate is a native Salesforce application, the solution processes your data completely within Salesforce. When using Conga Orchestrate, the solution does not send or store any data outside of your Salesforce instance, unless it is configured to work in tandem with other services which may do such.

High availability

As a native Salesforce application, Conga Orchestrate has the same availability guarantees as Salesforce: if your Salesforce instance is available, Process is available. Conga is a platinum ISV partner of Salesforce and follows the standards, policies, and best practices listed at

Access and audit logs

Access and audit logging of Conga Orchestrate is controlled by your Salesforce administrator.

Privacy & compliance

As an AppExchange application, Conga Orchestrate has completed the Salesforce Security Review process. All applications enrolled in the ISVForce or Embedded Partner Programs must go through a mandatory periodic security review. The Security Review has been developed to assess the security posture of partner offerings, to ensure that applications published on the AppExchange follow industry best practices for security, and to promote trust. Salesforce privacy and compliance standards can be found here:

Among Conga, Salesforce and our customers, we abide by the following share of responsibility across our controls:

Control CategoryConga ProcessSalesforceAzureCustomer
Access ControlResponsible
Audit LoggingResponsible
Data RetentionResponsible
Application TestingResponsible
Security TestingResponsibleResponsibleResponsible
Security ControlsResponsibleResponsible

Architecture Summary

Microsoft Azure-Level Security

To simplify the setup and configuration of Conga Orchestrate, the Salesforce managed package includes a Connected App. Connected apps allow Salesforce administrators to set various security policies and have explicit control over who can use the corresponding apps. Using this application accesses metadata only, with optional access controlled by a Salesforce administrator. Salesforce communicates with this Azure application using TLS 1.2 encryption. Conga Orchestrate utilizes Azure regions located in the United States. See Azure security information and SOC reports.

About Conga

Conga® developed its suite of enterprise-grade applications to help businesses using the Salesforce Sales Cloud remove systems and process pain points and fill the gap in Salesforce out of the box. The Conga Suite, which includes Conga Composer—a top paid application on the AppExchange—simplifies and automates data, documents, contracts and reporting.

For more information about Conga privacy, see here.
For Conga security policies, please visit Also see our GDPR compliance statement.