Cloud does not mean automatic compliance. This advisory playbook covers Salesforce's licensing model, common compliance pitfalls, True Forward adjustments, enforcement mechanisms, and best practices for CIOs to proactively manage Salesforce usage and avoid audit surprises.
At its core, Salesforce licensing is primarily user-based — organisations purchase user "seats" (e.g., Sales Cloud or Service Cloud licences) for specific individuals. Each licence type and edition grants a specific set of features and usage entitlements: data storage, API calls, custom objects, and more. Salesforce also offers feature add-ons and usage-based products (Marketing Cloud contacts, Community logins) billed by volume. This mix of per-user licences and usage-based entitlements provides flexibility but also significant complexity.
Unlike on-premises software, you generally cannot exceed the number of user licences purchased — the platform won't allow unlicenced users to log in. This leads many to assume cloud software has no compliance issues. In reality, audit risks still exist in areas beyond simple user counts.
Salesforce's Master Subscription Agreement (MSA) includes strict usage terms — including a clause prohibiting any use that "circumvents a contractual usage limit." In practice, this means even if the system technically allows certain actions, they may violate your contract. Examples include using one account for multiple users, exceeding feature limits, or using Salesforce data in unauthorised ways.
Salesforce historically hasn't been as audit-heavy as legacy software vendors. Still, it retains contractual audit rights to protect its intellectual property and revenue. Audits or compliance checks may be triggered if Salesforce suspects misuse or simply as part of true-ups during renewals.
True Forward provisions in many enterprise agreements mean that if you exceed contracted quantities (extra users, more contacts, API calls above cap), Salesforce will adjust costs upward at the next billing period. This is less a "gotcha" audit and more an automatic billing adjustment — but it can feel like an audit outcome with significant budget impact.
All usage is tracked on Salesforce's servers. If you quietly added 50 more users than contracted or exceeded a usage cap, Salesforce will eventually find out and bill via True Forward or contract amendment. In some cases, Salesforce may formally invoke audit rights to get detailed compliance data — especially if suspected of violating terms.
Even well-managed Salesforce orgs can drift into non-compliance due to everyday pressures and mistakes. Below are the most common compliance issues — each with real-world examples:
Sharing login credentials is prohibited by Salesforce's licensing terms, yet it happens frequently. This includes multiple employees using a single "generic" user account (e.g., a shared support login) or hardcoding one user's credentials into team integrations and scripts. Salesforce considers this "indirect access" — even if all individuals have their own licences, using a single account for collective access violates policy.
Impact: Credential sharing is low-hanging fruit for auditors — easy to detect via abnormal login patterns. If found, Salesforce can require back payment as if each person had their own licence all along.
Salesforce provides API call allowances with most editions. Integrations that over-utilise the API can run into technical limits and licensing scrutiny. One common scenario: using a single low-level licence or integration user to funnel massive transaction volumes from multiple systems — avoiding paying for higher API capacity or additional full licences.
Impact: At minimum, uncontrolled API usage breaks integrations when limits are reached. From a compliance view, it can lead to mandated upgrades or add-on purchases. If high API usage is due to indirect access by many users, Salesforce may require you to licence those users or acquire a different product.
Every Salesforce licence comes with specific entitlements — limits on custom objects, data storage, platform events, and feature access. For some features, Salesforce trusts you to self-regulate. A key example: Restricted-Use Licences — discounted licences with contractual functionality limits not enforced by software. The system won't stop a user with a "Service Cloud Restricted" licence from editing an Opportunity if permissions are granted — it relies on the customer to honour terms.
Impact: The MSA typically states that if restricted-use licence restrictions are breached, those licences will be automatically upgraded to full licences from the date of first violation. This means costly back-billing for the entire period of misuse.
Using exported Salesforce data outside the platform can present compliance issues if it effectively extends functionality to users or uses not covered by your licence. This is an indirect access scenario: unlicenced individuals benefiting from Salesforce-originated data. Salesforce's terms typically specify the service is for a customer's internal business use only.
Impact: Using Salesforce data in unlicenced ways is another form of indirect access risk. If discovered, Salesforce can demand appropriate licences be purchased or the practice cease. The financial impact can be similar to an audit finding — significant unexpected licensing costs.
Salesforce employs a combination of contractual rights and commercial mechanisms to enforce compliance. CIOs must understand how these work to anticipate and manage enforcement actions.
True Forward is a provision in larger Salesforce contracts that means if your usage exceeds contracted quantities (user count, storage, API calls), Salesforce will adjust your subscription costs to "true up" with that usage — typically at the next contract period or anniversary. Unlike a one-time penalty, True Forward is a formalised catching-up: you start paying for higher usage in the future (and sometimes for the excess period).
True Forward can also apply to consumption-based products — exceeding Marketing Cloud email or contact counts can automatically trigger higher-tier pricing. True Forward rates for overages are often at list price or with lower discounts — it's not uncommon to see overage rates at 125–150% of normal price if not pre-negotiated. True Forward only moves upward — it generally won't reduce costs if usage drops.
Salesforce's MSA grants the vendor the right to verify compliance. This can include auditing your usage with notice (e.g., 30 days), typically no more than once per year. In practice, Salesforce hasn't been as aggressive with audits as legacy software vendors — they favour selling more capabilities during renewals and upsells. However, audits do happen, especially in large enterprises or when Salesforce suspects violations.
If non-compliance is found, the typical remedy is purchasing necessary licences to cover usage — effective immediately and sometimes retroactively. The contract may specify any shortfall will be charged at then-current list price, which can be much higher than negotiated rates. In rare cases, Salesforce may consider it a breach of contract; most often they prefer to resolve it commercially.
Salesforce automatically enforces hard limits: storage, API calls per 24 hours, maximum users without additional ordering. Hitting these limits forces the conversation — if you need more, you must buy more.
Your Salesforce account executive reviews usage and adoption metrics, especially around renewal time. If they see usage not covered by your contract, they'll bring it up as an upsell. Softer than an audit — but the goal (selling more to cover your needs) is the same.
Large deals may include periodic usage reporting requirements, True Forward terms, and audit cost recovery provisions. If an audit finds significant underpayment, you may also have to pay the costs of the audit itself.
Set an unambiguous internal policy forbidding shared Salesforce accounts or credentials. Every person accessing Salesforce must use their own licenced account. Make this part of your security policy and communicate it to all employees, contractors, and partners. Leverage Salesforce's technical controls — enable two-factor authentication and single sign-on (SSO) to make sharing difficult. Clearly state that violations could lead to disciplinary action.
Procurement or vendor management should maintain a summary of what's purchased and key usage restrictions. If you negotiated restricted-use licences or a cap on Marketing Cloud contacts, ensure these details are accessible to your Salesforce admin and development teams. Non-compliance often occurs simply because IT admins were unaware of contractual restrictions. Briefing admins whenever new contracts are signed — translating licence terms into administrative configurations — is essential.
Use Salesforce's built-in profile and permission-set infrastructure to enforce licensing boundaries. If a group has restricted licences that shouldn't access Object X, create a profile that removes that access. Align profiles with licence types — this follows both compliance and security best practices (principle of least privilege). Conduct periodic access reviews to ensure users have correct profiles for their licence type.
Form a cross-functional "Salesforce Governance Board" meeting quarterly. Include IT (platform owner), Security/Compliance, Procurement, and business stakeholders. This group reviews licence usage, upcoming needs, and policy violations — elevating compliance from an administrative task to a management issue. They can approve or deny unusual requests (e.g., sharing a login "temporarily" — answer: no).
Use Salesforce admin reports and dashboards to monitor: User Login Activity (identify inactive users for licence recycling; flag unusual patterns like concurrent multi-location logins); API Usage (check via Setup; set alerts at 80% of daily limits); Feature Limits (review data storage, file storage, custom objects via System Overview); Licence Assignments vs. Purchased (proactively manage counts rather than waiting for Salesforce to flag at renewal).
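The monitoring described above can be scripted against an export of Login History and the API usage counter. The following is an added example, not code from the page or from Salesforce: it runs over a small constructed set of Login History-style rows (field names `username`, `login_time`, `source_ip`, `status` are assumptions mirroring a Setup export), flags accounts that logged in from several source IPs inside a short window (the concurrent multi-location pattern that suggests a shared login), lists users with no successful login in 90 days as licence-recycling candidates, and applies the 80% alert threshold to a constructed 24-hour API usage figure.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Login History-style rows (not real Salesforce data). The field
# names are assumptions mirroring the columns of a Setup > Login History export.
LOGIN_ROWS = [
    {"username": "alice@example.com", "login_time": "2024-03-04T08:02:00", "source_ip": "203.0.113.10", "status": "Success"},
    {"username": "alice@example.com", "login_time": "2024-03-04T08:09:00", "source_ip": "198.51.100.77", "status": "Success"},
    {"username": "bob@example.com", "login_time": "2024-03-04T09:15:00", "source_ip": "203.0.113.11", "status": "Success"},
    {"username": "support.shared@example.com", "login_time": "2024-03-04T09:00:00", "source_ip": "203.0.113.20", "status": "Success"},
    {"username": "support.shared@example.com", "login_time": "2024-03-04T09:03:00", "source_ip": "192.0.2.55", "status": "Success"},
    {"username": "support.shared@example.com", "login_time": "2024-03-04T09:05:00", "source_ip": "198.51.100.9", "status": "Success"},
    {"username": "carol@example.com", "login_time": "2023-11-01T10:00:00", "source_ip": "203.0.113.12", "status": "Success"},
    {"username": "dave@example.com", "login_time": "2024-03-04T10:00:00", "source_ip": "203.0.113.13", "status": "Invalid Password"},
]

# Constructed list of active, licensed usernames (what an admin would pull from the user list).
ACTIVE_USERS = [
    "alice@example.com", "bob@example.com", "support.shared@example.com",
    "carol@example.com", "dave@example.com", "erin@example.com",
]


def _parse(ts):
    return datetime.fromisoformat(ts)


def flag_multi_location_logins(rows, window_minutes=15, min_ips=2):
    """Return {username: sorted IPs} for users whose successful logins came
    from at least min_ips distinct source IPs within any window_minutes span.
    Overlapping sessions from different locations are the usual signature of
    a shared ("generic") login. Only the first qualifying window is reported."""
    by_user = defaultdict(list)
    for r in rows:
        if r["status"] == "Success":
            by_user[r["username"]].append((_parse(r["login_time"]), r["source_ip"]))
    window = timedelta(minutes=window_minutes)
    flagged = {}
    for user, logins in by_user.items():
        logins.sort()
        for i, (t0, _) in enumerate(logins):
            # Distinct IPs among logins that fall inside [t0, t0 + window].
            ips = {ip for t, ip in logins[i:] if t - t0 <= window}
            if len(ips) >= min_ips:
                flagged[user] = sorted(ips)
                break
    return flagged


def find_inactive_users(users, rows, as_of, days=90):
    """Users with no successful login in the `days` before as_of: candidates
    for licence recycling, or for an orphaned-account review."""
    cutoff = as_of - timedelta(days=days)
    last_login = {}
    for r in rows:
        if r["status"] == "Success":
            t = _parse(r["login_time"])
            if t > last_login.get(r["username"], datetime.min):
                last_login[r["username"]] = t
    return sorted(u for u in users if last_login.get(u, datetime.min) < cutoff)


def api_usage_status(used_24h, limit_24h, alert_fraction=0.8):
    """Compare the rolling 24-hour API call count with the org limit and
    raise an ALERT once usage crosses alert_fraction (80% by default)."""
    pct = round(used_24h / limit_24h * 100, 1)
    status = "ALERT" if used_24h >= alert_fraction * limit_24h else "OK"
    return (status, pct)


if __name__ == "__main__":
    print("Multi-location logins:", flag_multi_location_logins(LOGIN_ROWS))
    print("Inactive (90d):", find_inactive_users(ACTIVE_USERS, LOGIN_ROWS, datetime(2024, 3, 4, 23, 59)))
    # Constructed usage figure: 85,500 of a 100,000-call daily allowance.
    print("API usage:", api_usage_status(85_500, 100_000))
```

A flagged account is a prompt for review, not proof of sharing: a user on a laptop and a phone can legitimately produce two IPs, so the window and IP-count thresholds should be tuned to the org and the result correlated with the user's login hours and IP ranges before any follow-up.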
Conduct internal compliance audits at least annually — preferably semi-annually or quarterly for large orgs. Review all active accounts and licence types, check for generic or suspicious accounts, validate restricted-use licence holders are actually restricted in the system, and ensure no production use of trial features. Document findings and remediate immediately. Self-audits also reveal optimisation opportunities — unused licences that can be reclaimed.
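The three core self-audit checks (licence assignments versus purchased quantities, generic-looking accounts, and restricted-use holders whose profile grants more than the contract allows) can be reduced to a reconciliation over the user list. This is an added example and not code from the page or from Salesforce: the user records, purchased quantities, profile object permissions and the contractual restriction table are all constructed, and the licence names and the `restricted_objects` mapping are assumptions standing in for whatever your own contract specifies. It generalises the page's "Service Cloud Restricted" editing an Opportunity case to any licence-to-object restriction you record.

```python
import re

# Constructed user list (fields assumed: username, licence, profile, active).
USERS = [
    {"username": "alice@example.com",          "licence": "Sales Cloud",              "profile": "Sales Rep",     "active": True},
    {"username": "bob@example.com",            "licence": "Sales Cloud",              "profile": "Sales Rep",     "active": True},
    {"username": "carol@example.com",          "licence": "Sales Cloud",              "profile": "Sales Rep",     "active": True},
    {"username": "dan@example.com",            "licence": "Sales Cloud",              "profile": "Sales Manager", "active": True},
    {"username": "old.leaver@example.com",     "licence": "Sales Cloud",              "profile": "Sales Rep",     "active": False},
    {"username": "eve@example.com",            "licence": "Service Cloud Restricted", "profile": "Service Agent", "active": True},
    {"username": "frank@example.com",          "licence": "Service Cloud Restricted", "profile": "Sales Rep",     "active": True},
    {"username": "support.shared@example.com", "licence": "Service Cloud Restricted", "profile": "Service Agent", "active": True},
    {"username": "intg.erp@example.com",       "licence": "API Only",                 "profile": "Integration",   "active": True},
]

# Constructed purchased quantities per licence type, as recorded by procurement.
PURCHASED = {"Sales Cloud": 3, "Service Cloud Restricted": 2, "API Only": 1}

# Constructed profile -> objects the profile may edit.
PROFILE_EDIT = {
    "Sales Rep":     {"Account", "Contact", "Opportunity"},
    "Sales Manager": {"Account", "Contact", "Opportunity", "Forecast"},
    "Service Agent": {"Account", "Contact", "Case"},
    "Integration":   {"Account", "Contact", "Opportunity", "Case"},
}

# Constructed contractual restrictions: licence -> objects its holders must not edit.
RESTRICTED_OBJECTS = {"Service Cloud Restricted": {"Opportunity"}}

# Username fragments that commonly indicate a shared or generic account (assumption).
GENERIC_PATTERN = re.compile(r"(shared|generic|team|common|dept)", re.IGNORECASE)


def licence_overages(users, purchased):
    """Active assignments per licence type compared with the purchased count;
    returns {licence: (assigned, purchased)} for every type that is over."""
    assigned = {}
    for u in users:
        if u["active"]:
            assigned[u["licence"]] = assigned.get(u["licence"], 0) + 1
    return {
        lic: (n, purchased.get(lic, 0))
        for lic, n in assigned.items()
        if n > purchased.get(lic, 0)
    }


def suspicious_accounts(users, pattern=GENERIC_PATTERN):
    """Active accounts whose username looks like a shared/generic login."""
    return sorted(u["username"] for u in users if u["active"] and pattern.search(u["username"]))


def restricted_use_violations(users, profile_edit, restricted_objects):
    """Holders of a restricted-use licence whose profile grants edit on an
    object the contract forbids. The platform itself does not enforce this,
    so the check has to be done by the customer."""
    violations = []
    for u in users:
        if not u["active"]:
            continue
        forbidden = restricted_objects.get(u["licence"], set())
        granted = profile_edit.get(u["profile"], set())
        for obj in sorted(forbidden & granted):
            violations.append((u["username"], obj))
    return sorted(violations)


def self_audit(users=USERS, purchased=PURCHASED, profile_edit=PROFILE_EDIT, restricted=RESTRICTED_OBJECTS):
    """Bundle the three checks into one report an admin can hand to the governance board."""
    return {
        "overages": licence_overages(users, purchased),
        "suspicious_accounts": suspicious_accounts(users),
        "restricted_use_violations": restricted_use_violations(users, profile_edit, restricted),
    }


if __name__ == "__main__":
    for section, findings in self_audit().items():
        print(f"{section}: {findings}")
```

Run against the constructed data, the report shows Sales Cloud at four active assignments against three purchased, Service Cloud Restricted at three against two, one generic-looking account, and one restricted-use holder whose profile grants Opportunity edit. Each line maps directly to a remediation the page already names: reclaim or buy the seat, retire the shared login, or move the user to a profile aligned with the licence.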
For large deployments or multiple orgs, consider SAM tools or Salesforce's own License Management App. These automate tracking of usage vs. entitlements, simulate what-if scenarios, and aggregate data across instances. While not strictly necessary, tools ease the monitoring burden and provide alerts and reports for the CIO and stakeholders.
Before renewal, conduct a thorough review of actual usage vs. what you're paying for. Go into negotiations with a clear picture — you can drop unused licences (saving money) or secure proactive discounts on growth. This reduces True Forward surprise and treats renewal as a "licence true-up on your terms" rather than Salesforce dictating it. See our Salesforce Contract Negotiation Service.
Create and maintain an integration register — a list of all systems connecting to Salesforce, what data they exchange, and what accounts they use. Each integration should have a named owner, documented purpose, and appropriate Salesforce user account. Avoid situations where integrations inexplicably use an admin's account or an undocumented generic account.
Use separate "integration user" accounts for major external systems. For example, an ERP sync should use its own API-only licence — not piggyback on a human user's account. This improves security, traceability, and prevents the integration from requiring excessive permissions. Important: these accounts still count as user licences — budget for and purchase them, don't try to "save" by sharing.
Don't hardcode usernames and passwords in integration code. Use OAuth and certificate-based connections. This ensures you can centrally control and revoke access, ties into Salesforce's audit logs, and lets you enforce login IP ranges or login hours for integration users to reduce misuse risk.
Assign someone to regularly review integration logs. Correlate with Salesforce's API usage stats. If one integration suddenly floods the system or fails and retries (potentially exceeding call limits), intervene quickly. Code reviews for Salesforce integrations should include checks against governor limits and licenced allowances.
Clearly distinguish integration accounts by username (e.g., "INTG_EcommerceSite" or "API_DataWarehouse") so they stand out in user lists. Ensure these accounts are not used interactively by people — they should be API-only. If you suspect someone logged into an integration account to use the Salesforce UI, address that immediately.
If you use Experience Cloud (Community) or portals, govern those closely. Ensure you're not giving portal access to someone who should be a full internal user, and vice versa. Any person — internal, partner, public — who consumes Salesforce-stored data or functionality should be accounted for in your licensing strategy.
Work with legal counsel to understand the audit clause: notice period, what you must provide, scope limits. Determine who is the primary contact for Salesforce audits (typically procurement or asset management) and ensure IT is in sync.
Assemble an audit response team, structured like an incident response plan: Salesforce platform owner (IT), legal, procurement/vendor management, and finance. Legal manages communications and NDAs; IT gathers usage data; procurement and finance handle commercial discussions. This team convenes immediately if an audit notice arrives.
Take Salesforce's perspective: produce the reports they'd request (active users and licence types, external system access evidence, usage-based consumption metrics). If anything looks off — e.g., 10 more active users than licences, or 300 partner community users against a 250 contract — fix it before Salesforce asks.
All audit communications should be channelled through a single point person (procurement or legal) — not ad-hoc replies from various IT personnel. Have legal review any data before it's sent. Only provide scope of data required by contract — don't volunteer extra information.
Non-compliance findings aren't the end of the story. Negotiate a fair resolution: instead of paying full list price retroactively, negotiate a new deal at discounted rates. Salesforce often waives strict back-billing as goodwill if you're also renewing other products. Involve independent negotiation experts to strategise this — they know what concessions are achievable.
CIOs should take proactive steps to ensure Salesforce compliance and be prepared for any audits or True Forward adjustments. Here is the comprehensive checklist:
Implement a strict policy against shared Salesforce accounts or credentials. Ensure every individual user has their own licence and login. Monitor and prevent any credential sharing.
Keep an updated playbook of Salesforce licence entitlements, limits, and restrictions. Educate admins and users (especially developers integrating systems) on these terms so everyone understands what is and isn't allowed.
Conduct periodic self-audits of Salesforce usage — review user lists, roles, and feature usage against your contract. Clean up unused accounts and correct incorrect assignments. Catch and fix issues internally before Salesforce notices.
Set up dashboards or alerts for key usage metrics: API calls, storage usage, active users vs. purchased. Early detection of unusual usage prevents inadvertent violations and provides time to purchase more capacity if needed.
Control how external systems access Salesforce. Use dedicated integration user accounts (licenced appropriately), don't share them, and monitor their activities. Ensure any person or system accessing Salesforce data externally is properly licenced.
Match users with the right licence type for their role. Don't give a full Sales Cloud licence to someone who only consumes reports — and don't try to have a service agent operate with a lower licence than they need. Regularly right-size to stay compliant and cost-efficient.
Anticipate growth and include buffer in your agreement. Negotiate better overage terms (caps or discounts on True Forward charges) during contract negotiations. Budget for potential True Forwards if in a fast-growing environment. Better to slightly over-licence upfront than be caught by surprise at worse prices.
Treat licence compliance as a team effort. Involve legal and procurement in establishing policies and responding to vendor inquiries. If an audit notice comes, have a clear internal game plan and unified communication with Salesforce.
Build a transparent relationship with your Salesforce account manager. Proactively discuss usage and roadmap. If you foresee needing more licences or hitting a limit, work out a plan. Salesforce is less likely to initiate an adversarial audit if you're showing good faith.
For complex Salesforce environments, engage independent software licensing advisors or use specialised tools to maintain compliance. An external perspective identifies obscure issues like indirect access loopholes and advises on remediation before the vendor intervenes.
Whether you're approaching a renewal, preparing for an audit, or simply want to ensure your Salesforce estate is compliant and optimised, Redress Compliance delivers vendor-independent advisory with a track record of significant savings for Fortune 500 enterprises.