What Is Salesforce Shield and How Is It Priced?
Salesforce Shield is a premium security and compliance add-on that bundles three distinct capabilities: Platform Encryption, Event Monitoring, and Field Audit Trail. It is not a standalone product; it is layered on top of an existing Salesforce subscription, and Salesforce prices it accordingly. In most enterprise contracts, Shield is quoted at 25–30% of your total Salesforce Annual Contract Value (ACV), meaning an organisation paying £500,000 per year for Sales Cloud and Service Cloud can expect Shield to add £125,000–£150,000 to the bill. That percentage does not change based on how many Shield features you actually use.
The bundled structure is deliberate. Salesforce does not readily sell Platform Encryption, Event Monitoring, or Field Audit Trail as separate SKUs, though in certain negotiations, particularly for large customers, it is possible to license individual components at reduced rates. Most customers discover this only when working with an independent adviser. For a detailed breakdown of how Salesforce structures its security add-on pricing, download our Salesforce licence optimisation guide, which covers common over-spend patterns across the Shield portfolio.
Platform Encryption: What It Does and What It Does Not Encrypt
Salesforce Platform Encryption uses AES-256 encryption to protect data at rest within the Salesforce platform. It covers standard and custom fields, files, attachments, and search indexes. However, the encryption is applied at the field level, which means you must explicitly choose which fields to encrypt; it does not encrypt your entire Salesforce database by default. This is a common misconception that leads to compliance gaps, particularly in GDPR and HIPAA-regulated environments where organisations assume "we have Shield" means "we have full data encryption."
There are material limitations. Encrypted fields cannot be used in certain SOQL queries, formula fields, or Apex logic without additional configuration. Encryption also affects performance on large data sets: expect query response times to increase by 10–20% on encrypted fields when running bulk operations. Salesforce's own Tenant Secret management requires careful governance; if your Tenant Secret is deleted or rotated incorrectly, data becomes permanently inaccessible. Organisations deploying Salesforce CPQ and Revenue Cloud alongside Shield should audit which CPQ fields require encryption before enabling Platform Encryption, as incompatibilities can break quoting workflows.
Event Monitoring: Licence Levels and What Each Covers
Event Monitoring tracks user behaviour across the Salesforce platform: logins, logouts, API calls, report exports, data exports, and page-view activity. There are two tiers: standard Event Monitoring (included in some enterprise editions) and Real-Time Event Monitoring, which is the Shield-grade version. Real-Time Event Monitoring streams events to an external SIEM or to Salesforce's own Event Log Browser as they occur, rather than providing next-day log files. This distinction matters enormously for security teams running 24/7 SOC operations.
Without Real-Time Event Monitoring, you receive 24–48 hour delayed log files covering 40+ event types. With Shield's Real-Time Event Monitoring, you get streaming access to 13 real-time event types including ApiEvent, LoginEvent, ReportEvent, and SessionHijackingEvent. Critically, Transaction Security, the policy engine that allows you to automatically block suspicious actions (e.g. bulk data export by a user outside working hours), is only available with Shield-level Event Monitoring. Organisations that rely on Salesforce data as a core business asset, such as those also managing Salesforce Marketing Cloud with customer PII, should treat Real-Time Event Monitoring as a mandatory compliance control rather than an optional add-on.
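The out-of-hours bulk export rule mentioned above, sketched as SIEM-side detection logic over streamed events. This is an added example, not Salesforce's Transaction Security engine or code from this article; the JSON field names (EventType, Username, EventDate, RowsProcessed), the working hours and the row threshold are assumptions, and the sample events are constructed.

```python
import json
from datetime import datetime, time, timezone

# Hypothetical policy parameters; tune per organisation.
WORK_START, WORK_END = time(8, 0), time(18, 0)   # working hours, UTC assumed
BULK_ROWS = 2000                                  # rows that count as "bulk"

# Constructed sample stream, one JSON event per line (not real data).
SAMPLE_STREAM = """\
{"EventType": "ReportEvent", "Username": "a.khan@example.com", "EventDate": "2024-03-04T10:15:00.000+0000", "RowsProcessed": 12000}
{"EventType": "ReportEvent", "Username": "j.doe@example.com", "EventDate": "2024-03-04T22:40:00.000+0000", "RowsProcessed": 15000}
{"EventType": "ReportEvent", "Username": "j.doe@example.com", "EventDate": "2024-03-04T23:05:00.000+0000", "RowsProcessed": 40}
{"EventType": "ReportEvent", "Username": "m.li@example.com", "EventDate": "2024-03-09T11:00:00.000+0000", "RowsProcessed": 5000}
{"EventType": "LoginEvent", "Username": "m.li@example.com", "EventDate": "2024-03-09T10:58:00.000+0000"}
{"EventType": "ReportEvent", "Username": "svc@example.com", "EventDate": "2024-03-05T02:00:00.000+0000"}
"""

def outside_working_hours(ts):
    """True on weekends or outside WORK_START..WORK_END (evaluated in UTC)."""
    ts = ts.astimezone(timezone.utc)
    return ts.weekday() >= 5 or not (WORK_START <= ts.time() < WORK_END)

def evaluate(event):
    """Return 'block', 'alert' or 'allow' for a single event dict."""
    if event.get("EventType") != "ReportEvent":
        return "allow"                      # this policy only covers report exports
    try:
        ts = datetime.strptime(event["EventDate"], "%Y-%m-%dT%H:%M:%S.%f%z")
        rows = int(event["RowsProcessed"])
    except (KeyError, TypeError, ValueError):
        return "alert"                      # incomplete record: surface it, do not drop it
    if rows >= BULK_ROWS and outside_working_hours(ts):
        return "block"
    return "allow"

def decisions(stream):
    """Evaluate every non-empty line and return (username, decision) pairs."""
    out = []
    for line in stream.splitlines():
        if line.strip():
            event = json.loads(line)
            out.append((event.get("Username"), evaluate(event)))
    return out

if __name__ == "__main__":
    for user, verdict in decisions(SAMPLE_STREAM):
        print(f"{verdict:5}  {user}")
```

With only the 24–48 hour delayed log files, the same logic can still run, but a "block" verdict becomes an after-the-fact finding rather than a preventive control.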
Field Audit Trail: Retention Windows and Licensing Rules
Salesforce's standard field history tracking retains data for 18 months. Field Audit Trail, a Shield component, extends this to 10 years for up to 60 fields per object. This is the only Shield capability with a genuinely compelling standalone business case for regulated industries: financial services firms subject to MiFID II, healthcare organisations under HIPAA, and government contractors needing FedRAMP audit trails all require multi-year field-level change history that the standard platform cannot provide.
Field Audit Trail works by writing historical field values to a separate FieldHistoryArchive object, which is queryable via SOQL. The storage costs are separate from your standard Salesforce data storage allocation. Salesforce typically includes 10 GB of Field Audit Trail storage per contract, with additional storage charged at roughly $4 per GB per month. For large enterprises tracking changes across multiple objects, storage costs can add $15,000–$40,000 per year beyond the Shield licence fee. This is rarely disclosed upfront in the initial Shield quote and should be explicitly negotiated before signing. Our Salesforce contract terms guide covers the 10 clauses most commonly missed in Shield and multi-cloud agreements.
Salesforce Shield Negotiation: Four Tactics That Work
Shield pricing is one of the most negotiable line items in a Salesforce enterprise agreement, precisely because most customers accept the 25–30% ACV quote without challenge. The first and most effective tactic is component-level unbundling: if you only need Field Audit Trail for compliance reasons, make clear to your Account Executive that Platform Encryption and Event Monitoring are not in scope. Salesforce will resist this, but at contract values above £300,000 ACV it is achievable, typically yielding a 40–60% reduction versus the full Shield bundle price.
The second tactic is phased deployment. Negotiate Shield at a reduced rate for year one, with an agreed expansion price for subsequent years. This gives Salesforce revenue certainty while you validate the business case. Third, use competitive alternatives as leverage: tokenisation vendors such as Virtusa, Protegrity, or Tonic.ai can replicate many Platform Encryption use cases at lower cost, and naming them in conversations with Salesforce consistently produces discounts. Fourth, include Shield in your annual review of your overall Salesforce licence portfolio; organisations that book a confidential advisory call with our team before renewal consistently achieve better outcomes than those who negotiate directly with their Salesforce Account Executive alone.
There is also one further avenue: ask whether specific Shield features are included within your existing Salesforce edition. Shield is typically an add-on to Professional, Enterprise, and Unlimited editions, but certain Unlimited+ (formerly Unlimited Edition with Einstein) contracts already include Event Monitoring at no additional charge. Verify your current contract terms against your exact edition type before purchasing Shield.