Tokenization in Salesforce & Marketing Cloud to Comply with Canadian Data Residency Requirements

In Canada, stringent data residency regulations mandate that businesses store personally identifiable information (PII) of their customers exclusively within the country. These requirements are particularly rigorous for specific sectors, such as financial services.

Here’s the challenge: While Salesforce CRM servers operate within Canada, Marketing Cloud servers are based in the USA. Consequently, Canadian businesses subject to data residency legislation must take extra precautions when using Salesforce Marketing Cloud (SFMC). 

The Tokenization Solution
Drawing from my personal experience, I recommend leveraging the Datex solution to tokenize PII—such as names and email addresses—when storing data in Marketing Cloud. During email deployment, an external service can then detokenize this information, ensuring compliance while enabling effective communication. 

For companies with diverse lines of business, some regulated by data residency laws and others not, consider the following approach: 

  • Create Special Business Units: 
    • Establish a Tokenized Business Unit within your Marketing Cloud instance. 
    • Integrate this unit with your Salesforce CRM account. 
    • For non-regulated lines of business, maintain separate non-tokenized Business Units.

Implementation Steps 

  • Data Flow: 
    • Your Salesforce CRM Account is linked to your Marketing Cloud Account.
    • The external system, housing customer details, sends daily events to Salesforce (including first names, last names, and email addresses). 

  • Tokenization Process: 
    • When Salesforce receives events for the Tokenized Business Unit: 
      • An API call is made to the Datex solution, which tokenizes the PII. 
      • Salesforce now holds both original and tokenized data (e.g., first name and tokenized first name).

  • Campaign Integration: 
    • Create a process flow in Salesforce to add this data to a campaign (as campaign members—leads or contacts). 


  • Marketing Cloud Journey: 
    • Set up a journey within the Tokenized Business Unit. 
    • Use “campaign member created/updated” as the entry source. 
    • Limit access for the Salesforce Connector API user to tokenized fields only. 


  • Email Deployment: 
    • Deploy emails using another service. 
    • Retrieve tokenized data from Marketing Cloud. 
    • Detokenize this information with assistance from the Datex server. 
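
The data flow in the steps above, as an added sketch (not code from the original post, and not the Datex API): tokenize on the CRM side, export only tokenized fields, and resolve tokens at send time. The `TokenVault` class, the field names and the sample event are assumptions standing in for the in-Canada tokenization service and the CRM objects.

```python
import hashlib
import hmac
import secrets

PII_FIELDS = ("FirstName", "LastName", "Email")            # assumed CRM field names
EXPORT_FIELDS = ("CampaignMemberId",) + tuple("Tokenized_" + f for f in PII_FIELDS)
# Constructed sample event from the external customer system.
SAMPLE_EVENT = {"CampaignMemberId": "cm-0001", "FirstName": "Ada",
                "LastName": "Tremblay", "Email": "ada@example.com"}

class TokenVault:
    """Hypothetical stand-in for the tokenization service hosted in Canada."""

    def __init__(self):
        self._key = secrets.token_bytes(32)   # HMAC key stays inside the vault
        self._originals = {}                  # token -> original value

    def tokenize(self, value):
        # Keyed HMAC: same input gives the same token, so records still match
        # and dedupe, but the token cannot be reversed without the vault.
        mac = hmac.new(self._key, value.encode("utf-8"), hashlib.sha256)
        token = "tok_" + mac.hexdigest()[:32]
        self._originals[token] = value
        return token

    def detokenize(self, token):
        return self._originals[token]         # KeyError for unknown tokens

def tokenize_event(event, vault):
    """CRM side: keep the original fields and add a Tokenized_ copy of each."""
    record = dict(event)
    for field in PII_FIELDS:
        record["Tokenized_" + field] = vault.tokenize(event[field])
    return record

def export_for_marketing_cloud(record):
    """Allow-list export, mirroring the connector user's tokenized-only access."""
    payload = {k: record[k] for k in EXPORT_FIELDS}
    raw = {record[f] for f in PII_FIELDS}
    leaked = sorted(k for k, v in payload.items() if v in raw)
    if leaked:
        raise ValueError("raw PII in export fields: %s" % leaked)
    return payload

def detokenize_for_send(row, vault):
    """Send-time service in Canada: resolve tokens just before delivery."""
    return {f: vault.detokenize(row["Tokenized_" + f]) for f in PII_FIELDS}
```

Deterministic tokens let anyone holding the exported data see when two records share a value, so the vault key and the token-to-value map must stay inside the residency boundary.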


By following these steps, your organization can seamlessly manage PII while adhering to data residency requirements. Remember that seeking professional advice and staying informed about evolving regulations are crucial for maintaining compliance.
