
SFMC security review

Implementation evidence for reviewing Campaign Builder inside Salesforce Marketing Cloud.

Campaign Builder is an SFMC campaign execution layer, so technical review should focus on the controls around account context, Business Unit mapping, entitlements, credential storage, request tracing, and reviewed Marketing Cloud writes.

Review surface

Start with the controls that decide what Campaign Builder can do.

The SFMC integration is not one unrestricted connector. It is a set of authenticated, scoped, entitlement-gated route families for campaign planning, agent work, Factory production, and Marketing Cloud operations.

Authentication path

Protected routes can use first-party cb_auth cookies with CSRF, bearer JWTs, SFMC Canvas signed_request launches, or SFMC mc_token sessions. Each path normalizes account, tenant, workspace, and SFMC context before gated routes run.

Business Unit mapping

SFMC enterprise and business-unit IDs are mapped to Campaign Builder tenant and workspace IDs before a local session is issued or tenant-owned data is accessed. Unmapped launches do not guess a tenant.

Entitlement surface

Campaign, Content, Email, Journey, Image, Translator, Advisor, Audience, Bruno, content-block, and Factory routes are mounted behind separate entitlement checks.

Credential handling

Account-level SFMC server-to-server and web-app credentials are stored under account-scoped records. Sensitive secrets and refresh tokens are encrypted at rest with AES-256-GCM.

Evaluator sequence

A practical order for security and SFMC admin review.

Follow the same sequence the product depends on: session, mapping, entitlements, connection verification, then reviewed production-bound outputs.

Launch or connect SFMC

Review whether the pilot enters through the installed-package launch flow, OAuth callback, account-level SFMC connection, bearer API token, or first-party Campaign Builder session.

Resolve tenant scope

Confirm enterprise ID, business-unit ID, tenant ID, workspace ID, account ID, and user context are the intended values before any agent, Factory, or Marketing Cloud route is exercised.

Verify allowed capabilities

Check that only entitled agent, tool, and block routes are visible and callable. Missing entitlements should fail before route handlers perform SFMC or tenant-owned work.

Inspect reviewed outputs

Use previews, dry runs, pending action summaries, Factory template checks, and manual Journey activation warnings as evidence before confirming production-bound SFMC writes.

Implementation evidence

What reviewers can inspect before allowing SFMC writes.

A strong pilot leaves evidence that the SFMC connection, route gates, and write boundaries behaved as expected before teams confirm draft production work.

SFMC connection verification

/api/v1/sfmc-connect/test replays stored account credentials against Salesforce Marketing Cloud and returns token context, making the connection reviewable before Content Builder, Journey Builder, Email, Data Extension, or Factory work.

Reviewed write paths

Email copy/update, slot updates, rewrite application, translation application, image insertion, Content Builder publishing, Bruno write-skill execution, and Factory execution are production-bound actions that should be previewed or confirmed.

Request correlation

Protected API behavior is tied to request IDs, centralized error responses, approved outbound SFMC clients, request-aware logging, and redaction rules so failures can be traced without exposing raw secrets.

Tenant-owned data scope

Workspace-scoped collections such as agent context, feedback, logs, image assets, generation requests, knowledge, OpenAI logs, and idempotency keys are separated from account-scoped SFMC credential and mapping records.

Traceability evidence

Reviewers can follow a production-bound action without exposing secrets.

The implementation treats observability as part of the SFMC control surface: request correlation, outbound propagation, redacted API logs, and guard checks make failures reviewable while keeping sensitive Marketing Cloud payloads out of logs.

Request IDs are visible end to end

Campaign Builder accepts an inbound x-request-id or generates one, attaches it to the response, stores it in request context, and includes it in centralized error responses so SFMC evaluation issues can be traced without relying on screenshots alone.

Outbound calls carry correlation

Approved HTTP helpers inject the active request ID into outbound calls, including SFMC-dependent execution paths, so reviewers can connect a Campaign Builder action with downstream Marketing Cloud diagnostics.
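The request-ID lifecycle described in the two items above, as an added Node.js example that is not Campaign Builder's own code. Using AsyncLocalStorage as the context store, the helper names, the simplified `req`/`res` objects, and the inbound-ID character and length limits are assumptions made here.

```javascript
// Added example: context store, helper names and req/res shapes are assumptions.
const { AsyncLocalStorage } = require('node:async_hooks');
const { randomUUID } = require('node:crypto');
const requestContext = new AsyncLocalStorage();

// Assumption: inbound IDs are restricted to a conservative charset and length
// so CR/LF or oversized values never reach logs or outbound headers.
const SAFE_ID = /^[A-Za-z0-9._-]{8,128}$/;

function resolveRequestId(headers) {
  const inbound = headers['x-request-id'];
  return typeof inbound === 'string' && SAFE_ID.test(inbound) ? inbound : randomUUID();
}

// Wraps a handler: resolve the ID, echo it on the response, run in context.
function withRequestId(handler) {
  return (req, res) => {
    const requestId = resolveRequestId(req.headers);
    res.headers['x-request-id'] = requestId;
    return requestContext.run({ requestId }, () => {
      try {
        return handler(req, res);
      } catch {
        // Centralized error shape: correlation ID only, no message or stack.
        res.status = 500;
        res.body = { error: 'internal_error', requestId };
        return res;
      }
    });
  };
}

// Approved outbound helper: refuses to run outside a request, injects the ID.
function outboundHeaders(extra = {}) {
  const store = requestContext.getStore();
  if (!store) throw new Error('outbound call outside request context');
  return { ...extra, 'x-request-id': store.requestId };
}

// Constructed demo: a handler that builds downstream headers or fails.
function demo(inboundId, fail) {
  const req = { headers: inboundId ? { 'x-request-id': inboundId } : {} };
  const res = { headers: {}, status: 200, body: null };
  return withRequestId((rq, rs) => {
    if (fail) throw new Error('downstream failure');
    rs.body = { downstream: outboundHeaders({ accept: 'application/json' }) };
    return rs;
  })(req, res);
}
```

Because the helper throws when no request context is active, an outbound call that would lose correlation fails loudly instead of going out untagged.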

API logs redact sensitive fields

API logging stores method, route, status, duration, user, account, tenant, workspace, query, and non-GET body context while redacting keys such as password, token, secret, authorization, cookie, prompt, response, payload, image, and sfmc.
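One way to apply the redaction list above to a log record, as an added example that is not Campaign Builder's own code. The key list is the page's; the function names, the case-insensitive substring matching, the depth limit, and the sample request are assumptions made here.

```javascript
// Added example; REDACT_KEYS comes from the page, every other name is hypothetical.
const REDACT_KEYS = ['password', 'token', 'secret', 'authorization', 'cookie',
  'prompt', 'response', 'payload', 'image', 'sfmc'];
const REDACTED = '[REDACTED]';
const MAX_DEPTH = 8; // Assumption: bound recursion on untrusted request bodies.

// Assumption: case-insensitive substring match, so clientSecret and
// refresh_token are caught as well as the bare key names.
function isSensitiveKey(key) {
  const k = String(key).toLowerCase();
  return REDACT_KEYS.some((needle) => k.includes(needle));
}

// Returns a redacted copy; the input object is never mutated.
function redact(value, depth = 0, seen = new WeakSet()) {
  if (value === null || typeof value !== 'object') return value;
  // Too deep or already visited (cycle or shared reference): fail closed.
  if (depth >= MAX_DEPTH || seen.has(value)) return REDACTED;
  seen.add(value);
  if (Array.isArray(value)) return value.map((v) => redact(v, depth + 1, seen));
  const out = {};
  for (const [key, v] of Object.entries(value)) {
    out[key] = isSensitiveKey(key) ? REDACTED : redact(v, depth + 1, seen);
  }
  return out;
}

// Builds the log record with the fields the page lists; body only for non-GET.
function buildLogEntry(req, status, durationMs) {
  const { method, route, user, account, tenant, workspace } = req;
  const entry = { method, route, status, durationMs, user, account, tenant,
    workspace, query: redact(req.query || {}) };
  if (method !== 'GET') entry.body = redact(req.body);
  return entry;
}

// Constructed sample request; all values are made up for the demonstration.
const sampleRequest = {
  method: 'POST', route: '/example/route', user: 'u-1', account: 'a-1',
  tenant: 't-1', workspace: 'w-1', query: { dryRun: 'true', access_token: 'abc' },
  body: { name: 'Spring launch', clientSecret: 'shh',
    sfmcConnection: { subdomain: 'example' },
    blocks: [{ title: 'Hero', imageData: 'AAAA' }] },
};
```

Key-name redaction does not catch a secret that appears inside a value stored under an innocuous key, so a review should also sample real log records rather than rely on the key list alone.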

Observability guards protect the contract

The product test guard fails when routes bypass centralized error handling, mutate request-id headers outside requestContext, or use direct axios/fetch calls instead of the approved request-aware HTTP client.
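A source-level guard of the kind described above can be approximated with a line scanner. This is an added example, not Campaign Builder's test guard: the file paths, rule ids, regular expressions and sample files are all hypothetical.

```javascript
// Added example; file paths, rule ids and patterns are hypothetical heuristics.
const ALLOW = {
  'direct-http': ['lib/httpClient.js'], // the approved request-aware client
  'request-id-header': ['lib/requestContext.js'],
  'inline-error-response': ['lib/errorHandler.js'],
};

const RULES = [
  { id: 'direct-http',
    re: /\brequire\(\s*['"]axios['"]\s*\)|\bfrom\s+['"]axios['"]|(^|[^.\w])fetch\s*\(/ },
  { id: 'request-id-header',
    re: /(setHeader|\.set)\(\s*['"]x-request-id['"]|\[['"]x-request-id['"]\]\s*=[^=]/i },
  { id: 'inline-error-response', re: /\.status\(\s*5\d\d\s*\)/ },
];

// Blank out comments but keep newlines so reported line numbers stay correct.
function stripComments(source) {
  return source
    .replace(/\/\*[\s\S]*?\*\//g, (m) => m.replace(/[^\n]/g, ' '))
    .replace(/\/\/.*$/gm, '');
}

// Returns one violation per matching rule and line, skipping allowlisted files.
function scanSource(path, source) {
  const violations = [];
  stripComments(source).split('\n').forEach((line, i) => {
    for (const rule of RULES) {
      if (ALLOW[rule.id].includes(path)) continue;
      if (rule.re.test(line)) violations.push({ path, line: i + 1, rule: rule.id });
    }
  });
  return violations;
}

function runGuard(files) {
  return Object.entries(files).flatMap(([path, src]) => scanSource(path, src));
}

// Constructed source files for the demonstration.
const constructedFiles = {
  'lib/httpClient.js': "const axios = require('axios');\nmodule.exports = axios;",
  'routes/good.js': "const http = require('../lib/httpClient');\n" +
    "// fetch() mentioned in a comment is ignored\n" +
    "module.exports = (req, res, next) => http.get('/v').then(() => res.end()).catch(next);",
  'routes/bad.js': "const axios = require('axios');\n" +
    "module.exports = async (req, res) => {\n" +
    "  res.setHeader('x-request-id', 'fixed');\n" +
    "  try { await fetch('https://example.invalid'); }\n" +
    "  catch (e) { res.status(500).end(); }\n};",
};
```

A CI test would assert that `runGuard` returns an empty list for the real source tree. Regex matching is a heuristic, and an AST-based lint rule expresses the same guard with fewer false positives.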

Claim boundaries

Keep the review language precise.

Campaign Builder should be evaluated as software with implemented guardrails for SFMC execution. It should not be presented as unrestricted automation or a replacement for Marketing Cloud approval steps.

This page describes implemented application controls, not a penetration-test report, AppExchange approval, or standalone compliance certification.

Campaign Builder can create reviewed SFMC draft artifacts, but Journey activation and final send approval remain manual Marketing Cloud decisions.

Production-bound writes require authenticated account context, entitlement checks, scoped credentials, and reviewable action evidence.

Global environment Marketing Cloud credentials are not presented as the production source of truth for account-scoped runtime execution.

FAQ

Questions security reviewers usually need answered.

What should a security reviewer ask for first?

Ask for the exact auth path used by the pilot, the resolved enterprise and business-unit mapping, the active tenant and workspace IDs, the enabled entitlements, and SFMC connection verification output.

How are SFMC secrets handled?

Stored account SFMC client secrets and refresh tokens are encrypted at rest. Runtime SFMC operations resolve the account credential block before calling Content Builder, Journey Builder, Email, Data Extension, or Factory routes.

Can Campaign Builder bypass Marketing Cloud review?

No. The supported positioning is reviewed draft execution. Journey activation remains manual in Marketing Cloud, and production-bound write paths are scoped and confirmable rather than hidden unrestricted automation.

Next reading

Pair security review with execution boundaries.

Use the SFMC write-boundaries article, connection readiness guide, pilot plan, and technical FAQ to connect the security evidence to the exact execution workflows being piloted.
