What Is Salesforce Shield?

Salesforce Shield is a suite of security, governance, and compliance tools that layers additional protective capabilities on top of the standard Salesforce platform. It is sold as an add-on to any Salesforce edition and is priced as a percentage of your total Salesforce net spend — not as a fixed per-user fee. This percentage-of-spend pricing model means that as your Salesforce estate grows, your Shield cost grows proportionally, unless you negotiate fixed or capped terms.

Shield consists of four distinct components, each addressing a different compliance or security requirement: Shield Platform Encryption, Event Monitoring, Field Audit Trail, and Data Detect. You can purchase the full bundle or any combination of individual components. Salesforce recommends starting with the components most aligned to your specific regulatory obligations, and this is genuinely the right approach — provided your compliance team drives the scope decision rather than the Salesforce account executive.

The compliance frameworks most commonly driving Shield adoption are GDPR (for organisations processing personal data of EU residents), HIPAA (for US healthcare organisations), SOX (for public companies requiring financial data integrity controls), PCI DSS (for organisations handling payment card data), and FCA/PRA regulations in the UK financial services sector. Not all of these frameworks require Shield — some can be satisfied by native Salesforce platform features without the Shield add-on. Understanding which requirements genuinely demand Shield is essential before signing any agreement.

Shield Platform Encryption: Deep Dive

Shield Platform Encryption provides AES-256 encryption for data at rest within Salesforce. It operates at the field level, meaning you can select specific fields — such as Social Security numbers, health information, financial account details, or other regulated data categories — for encryption, rather than encrypting the entire database. This granular approach allows organisations to encrypt only what needs protecting rather than incurring the performance overhead of encrypting the entire data set.

The pricing for Platform Encryption standalone is 20% of your net Salesforce spend. For an organisation with a $1 million annual Salesforce investment, Platform Encryption alone adds $200,000 per year. At $3 million annual Salesforce spend, that becomes $600,000 per year for encryption. This is a significant cost, and it is essential to validate that native Salesforce security controls — field-level security, profile and permission set restrictions, data masking capabilities — do not already satisfy the relevant compliance requirement before committing to Platform Encryption.

A common misconception is that Platform Encryption provides complete data security for all regulatory purposes. In fact, Salesforce holds the encryption keys by default, meaning that Salesforce staff and the cloud infrastructure have theoretical access to encrypted data. For organisations in highly regulated sectors where key management must be under the organisation's exclusive control, Salesforce offers a Bring Your Own Key (BYOK) capability as an extension of Platform Encryption. This adds further complexity and cost but is genuinely required for certain FCA, HIPAA, and defence-sector compliance scenarios.

When Platform Encryption Is Genuinely Required

Platform Encryption is genuinely required when your organisation stores regulated personal data categories in Salesforce fields that are not already protected by native controls, and where your DPA, HIPAA Business Associate Agreement, or sector regulator specifically requires encryption at rest. It is not required merely because you store customer names and email addresses — these are protected by access controls, not by encryption mandates. The decision should be driven by a Data Protection Impact Assessment (DPIA) or equivalent regulatory analysis, not by Salesforce's renewal proposal.

Event Monitoring: Capabilities and Cost

Event Monitoring provides detailed logging and monitoring of user activity within Salesforce. It captures more than 50 distinct event types, including login and logout events, API calls, report exports, Apex executions, page loads, Lightning performance metrics, and user interactions with specific objects and fields. The logs are available for real-time streaming to SIEM tools or for retrospective analysis via the EventLogFile object in the Salesforce API.

Event Monitoring is priced at 10% of net Salesforce spend as a standalone component. For a $2 million annual Salesforce investment, this is $200,000 per year for monitoring capability. The business case for this spend must be evaluated against what your existing security operations tooling already captures — many organisations with comprehensive SIEM implementations and identity-aware network monitoring already have substantial coverage of the user activity categories that Event Monitoring provides.

The genuine use cases where Event Monitoring provides unique value that cannot be replicated by other means include: detecting data exfiltration attempts through abnormal report export volumes, forensic investigation of specific user actions following a security incident within Salesforce, compliance reporting requirements that specifically mandate Salesforce activity audit trails, and advanced threat detection against privileged Salesforce administrator accounts. For organisations where these scenarios represent real risk, the cost is justifiable. For organisations primarily motivated by general compliance assurance, a targeted subset of events rather than the full Event Monitoring licence may provide adequate coverage at lower cost.
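The first of these use cases, abnormal report export volumes, can be checked directly against the EventLogFile data the article mentions. The script below is an added example, not the article's or Salesforce's code: it assumes a decoded ReportExport log carrying the columns EVENT_TYPE, TIMESTAMP_DERIVED, USER_ID_DERIVED, CLIENT_IP and REPORT_ID_DERIVED, uses constructed rows rather than real org data, and treats the thresholds as illustrative tuning knobs rather than Salesforce defaults.

```python
import csv
import io
import statistics
from collections import defaultdict

# Constructed sample mirroring the column subset of a base64-decoded
# ReportExport EventLogFile. Real files carry many more columns.
HEADER = "EVENT_TYPE,TIMESTAMP_DERIVED,USER_ID_DERIVED,CLIENT_IP,REPORT_ID_DERIVED"


def _row(ts, user, ip, report):
    return f"ReportExport,{ts},{user},{ip},{report}"


_rows = [
    _row("2024-03-04T08:02:11.000Z", "005xx000001AAAA", "203.0.113.10", "00Oxx0000000001"),
    _row("2024-03-04T08:15:40.000Z", "005xx000001AAAA", "203.0.113.10", "00Oxx0000000002"),
    _row("2024-03-04T09:01:05.000Z", "005xx000001BBBB", "198.51.100.7", "00Oxx0000000001"),
    _row("2024-03-04T10:30:00.000Z", "005xx000001BBBB", "198.51.100.7", "00Oxx0000000003"),
]
# One constructed user pulls 40 distinct reports inside 20 minutes, late evening.
_rows += [
    _row(f"2024-03-04T22:{10 + i // 2:02d}:{(i % 2) * 30:02d}.000Z",
         "005xx000001CCCC", "192.0.2.55", f"00Oxx00000{i:05d}")
    for i in range(40)
]
SAMPLE_LOG = HEADER + "\n" + "\n".join(_rows) + "\n"


def export_counts(csv_text):
    """Count ReportExport events per (user, UTC day) and the distinct reports pulled."""
    counts = defaultdict(int)
    reports = defaultdict(set)
    for rec in csv.DictReader(io.StringIO(csv_text)):
        if rec["EVENT_TYPE"] != "ReportExport":
            continue
        key = (rec["USER_ID_DERIVED"], rec["TIMESTAMP_DERIVED"][:10])
        counts[key] += 1
        reports[key].add(rec["REPORT_ID_DERIVED"])
    return counts, reports


def find_abnormal_exporters(csv_text, hard_limit=25, ratio=5.0):
    """Flag users whose daily export count exceeds hard_limit or ratio x peer median.

    hard_limit and ratio are assumed tuning values for this example, not defaults.
    """
    counts, reports = export_counts(csv_text)
    findings = []
    for (user, day), n in sorted(counts.items()):
        peers = [c for (u, d), c in counts.items() if d == day and u != user]
        baseline = statistics.median(peers) if peers else 0
        if n > hard_limit or (baseline and n > ratio * baseline):
            findings.append({"user": user, "day": day, "exports": n,
                             "distinct_reports": len(reports[(user, day)]),
                             "peer_median": baseline})
    return findings


if __name__ == "__main__":
    for f in find_abnormal_exporters(SAMPLE_LOG):
        print(f)
```

The same per-user aggregation applies to other EventLogFile types once the column names are swapped, so the check can be extended to API calls or privileged-admin actions without an enterprise-wide licence being a precondition for the analysis itself.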

"We routinely find organisations paying for the full Shield bundle when their actual compliance requirements could be satisfied by Event Monitoring alone, or by Event Monitoring scoped to a single high-risk Salesforce org rather than their entire estate. The difference in cost can be hundreds of thousands annually."

Field Audit Trail: Extended Data Retention

Standard Salesforce includes 18 months of field history retention — tracking changes to field values on records across up to 20 fields per object. Field Audit Trail extends this in two dimensions: it allows tracking of up to 60 fields per object (tripling the standard allocation), and it retains field history data for up to 10 years rather than 18 months.

The 10-year retention period is the primary driver of Field Audit Trail adoption in regulated industries. Financial services firms subject to MiFID II record retention requirements, healthcare organisations maintaining HIPAA audit trails, and public companies with SOX data integrity obligations are the principal use cases. For these organisations, Field Audit Trail is not optional — it is the mechanism by which Salesforce satisfies statutory retention obligations.

Field Audit Trail is priced at 10% of net Salesforce spend. The financial analysis should compare the Shield component cost against alternative approaches — for example, periodic data exports to a compliant third-party archive. In some cases, particularly for organisations with lower overall Salesforce spend, an archival solution combined with standard Salesforce retention may be more cost-effective than Field Audit Trail.

One critical architectural point: Field Audit Trail requires planning at the point of implementation. The fields you designate for extended history tracking must be selected before the retention period begins. You cannot retroactively extend history retention to cover fields that were not tracked at the time. Any organisation considering Field Audit Trail should ensure that the field selection is driven by the compliance requirement, not by a desire to track everything, since more tracked fields increase implementation complexity and storage consumption.

Data Detect: Sensitive Data Discovery

Data Detect is the fourth component of the Shield bundle. It uses pattern-matching and classification algorithms to scan your Salesforce data and identify potential instances of sensitive information — such as credit card numbers, Social Security numbers, passport numbers, and health information — stored in fields that are not currently protected by encryption or field-level security controls. Data Detect produces a compliance risk report identifying where sensitive data exists and whether it is adequately protected.

Data Detect is priced at 15% of net Salesforce spend. It is primarily useful as a one-time or periodic assessment tool rather than a continuous monitoring capability, and for many organisations, running Data Detect once during an initial compliance assessment provides the insight needed without requiring an ongoing licence. If your organisation has already conducted a thorough data mapping exercise for GDPR or HIPAA purposes and has documented which Salesforce fields contain regulated data, the continuous licensing cost of Data Detect may not be justified.

The Full Shield Bundle: Pricing and Commercial Logic

The full Shield bundle — encompassing all four components — is priced at 30% of net Salesforce spend. This is a significant commercial concession from the sum of the parts (which total 55% if purchased individually at list), reflecting the efficiency of a single bundled procurement. For organisations that genuinely need all four components, the bundle is better value than purchasing individually.

| Shield Component | List Price (% of Net Salesforce Spend) | Primary Use Case |
| --- | --- | --- |
| Platform Encryption | 20% | AES-256 encryption at rest for regulated data fields |
| Event Monitoring | 10% | 50+ event type logs, SIEM integration, forensic investigation |
| Field Audit Trail | 10% | Extended field history retention up to 10 years, 60 fields/object |
| Data Detect | 15% | Sensitive data discovery and classification across the org |
| Full Shield Bundle | 30% | All four components, bundled discount |

The most important commercial issue with the bundle pricing is that Salesforce's standard sales approach pushes the full bundle regardless of whether all four components are required. In many negotiations, Salesforce will present the bundle as the only Shield option, without proactively itemising the individual components. Organisations that do not challenge this framing end up paying for Data Detect and components they may not need.

The Org-Scope Problem: Who Pays for Shield?

One of the most commercially significant issues with Shield licensing is Salesforce's standard position that Shield must be applied across the entire Salesforce organisation, not just to specific user populations. This means that if you have 1,000 Salesforce users and only 50 of them handle the regulated data categories that require encryption, Salesforce will typically insist on charging for Shield based on your total Salesforce spend — not on the spend attributable to the 50 users with the actual compliance requirement.

This all-org pricing is particularly contentious for Event Monitoring. If your Security Operations Centre only needs to monitor privileged administrator activity and a specific set of finance users, paying for Event Monitoring based on total Salesforce spend that includes hundreds of low-risk read-only service users is poor value. There are negotiation options available here — including scoping Shield to specific orgs rather than the enterprise total, or agreeing a user-count-based proxy rather than a total-spend-based calculation — but these require active negotiation rather than acceptance of the standard commercial proposal.

Shield and the Annual Uplift Clause

Shield pricing is calculated as a percentage of net Salesforce spend. This means that the 8–10% annual uplift that applies to your base Salesforce licence also flows through to your Shield cost automatically. If your base Salesforce spend increases by 10% — whether through adding users, upgrading editions, or accepting the contractual uplift — your Shield cost increases by the same 10% with no separate negotiation on Salesforce's part.

This compounding mechanism makes Shield one of the fastest-growing cost elements in a Salesforce estate over time. For long-term financial modelling, organisations should calculate Shield cost not as a fixed percentage of today's Salesforce spend, but as a percentage of projected Salesforce spend three to five years out, after uplift. The difference between the first-year and fifth-year Shield cost in a $3 million Salesforce deployment with 8% annual uplift and 20% Shield is approximately $80,000 per year — simply from the compounding effect.

When negotiating Shield, push to cap both the Shield percentage rate and the Salesforce spend base on which it is calculated, or to fix the Shield cost in absolute dollar terms for the contract duration rather than tying it to a percentage of an escalating base. Salesforce will resist fixed-dollar Shield pricing because it reduces their upside from Salesforce estate growth, but it is achievable in competitive negotiation situations.

Negotiating Salesforce Shield: Key Tactics

The most effective Shield negotiation strategies that we apply in client engagements are: conducting a compliance-led scoping exercise before any negotiation begins to establish which specific Shield components are genuinely required; challenging any proposal for the full bundle with a component-level analysis showing which elements have a documented compliance mandate; negotiating org-scope limitations to exclude low-risk user populations from the pricing base; requesting a pilot of Event Monitoring on a limited org before committing to enterprise-wide licensing; and tying the annual Shield renewal directly to the base Salesforce renewal date to ensure both are negotiated simultaneously rather than on separate cycles.

An additional tactic that is frequently overlooked is leveraging competitive alternatives during the Shield negotiation. While there is no direct like-for-like alternative to Shield Platform Encryption within the Salesforce ecosystem, independent SIEM tools, third-party data archival solutions, and identity governance platforms can address some of the compliance use cases that Event Monitoring and Field Audit Trail target. Presenting a credible alternative architecture to Salesforce during the negotiation creates commercial pressure that a compliance-requirement argument alone does not achieve.

Timing the Shield negotiation to align with a base Salesforce renewal — rather than allowing it to run on a separate cycle — is essential. When both agreements are on the table simultaneously, the total deal size creates more leverage, and concessions made on Shield can be balanced against commitments on the core licence. Shield renewals that occur independently of the base agreement have less leverage and typically produce worse commercial outcomes.

Common Shield Licensing Mistakes

The most frequent and costly Shield licensing errors we encounter in client reviews are: accepting the full bundle without validating which components are required; applying Shield to the entire enterprise when only a subset of orgs or users require the compliance controls; failing to negotiate the percentage rate rather than treating it as a fixed tariff; allowing Shield to renew on a different cycle from the base Salesforce agreement; and not modelling the compounding cost impact of percentage-based Shield pricing against projected Salesforce spend growth.

A secondary category of error is over-indexing on Shield as the compliance solution when the underlying compliance requirement can be addressed through Salesforce's standard platform capabilities. Before committing to Shield, organisations should evaluate whether existing data classification, field-level security, login history, and standard audit trail capabilities satisfy the specific regulatory requirement. In many cases — particularly for general GDPR Article 32 security obligations — standard Salesforce controls are adequate and Shield represents unnecessary spend.

Conclusion: Shield Is Negotiable, and Scope Matters

Salesforce Shield is a genuinely valuable compliance toolkit for organisations with specific regulatory requirements. Platform Encryption provides real protection for regulated data at rest. Event Monitoring delivers forensic capability that no amount of perimeter security can replicate. Field Audit Trail satisfies long-retention statutory obligations. These are legitimate enterprise needs and the Shield pricing, while significant, reflects real compliance infrastructure.

However, Shield is routinely oversold — to organisations that do not require all components, at rates that have not been negotiated, applied to user populations and org scopes that exceed the genuine compliance requirement. The discipline of separating genuine compliance need from commercial sales pressure, and of negotiating Shield as a structured procurement decision rather than a default renewal, consistently produces materially better commercial outcomes.

Redress Compliance provides buyer-side Shield assessment and negotiation advisory. We begin every engagement with a compliance-led scoping analysis, not a cost model, because the right starting question is what your organisation actually needs — not what Salesforce is proposing to sell.