A transparent look at how FieldPulse handles your Salesforce data — our architecture, permissions, and the promises we make to the people who install us.
These are not marketing claims — they are architectural facts. The rest of this page shows exactly how each one is enforced.
FieldPulse has no backend, no cloud, no database. Every calculation runs in your browser on your machine.
No analytics SDK, no event tracking, no error reporting. We don't know when, where, or how you use it.
FieldPulse never asks for or stores your username or password. It uses your existing Salesforce session.
Only SELECT and COUNT queries. Architecturally incapable of modifying records, fields, or metadata.
Every byte of Salesforce data touched by FieldPulse follows this exact path. Notice what's missing: a FieldPulse server.
FieldPulse has only two trust zones: your device and your Salesforce org. Nothing else. Most extensions introduce a third — "the vendor cloud". We deliberately don't.
FieldPulse never asks for Salesforce credentials. It borrows the session your browser already established at login.
Your org's login policy still applies in full. FieldPulse piggybacks on the session it was given — nothing more.
Chrome extensions declare their permissions upfront in manifest.json. Here is each one FieldPulse requests, exactly why, and what it does not let us do.
| Permission | Why FieldPulse needs it | What it does NOT allow |
|---|---|---|
activeTab |
Detect when you're on a Salesforce record page and inject the overlay only into that tab. | Cannot access other tabs, history, or bookmarks. |
storage |
Save your preferences and cache field analytics locally. | Cannot sync to any cloud. Storage stays on this device. |
sidePanel |
Render the analytics dashboard in Chrome's native side panel. | Cannot open panels outside FieldPulse's own UI. |
scripting |
Inject the overlay script into Salesforce pages on navigation. | Cannot inject into non-Salesforce sites — host permissions restrict it. |
alarms |
Run a background timer to refresh stale cache entries every 30 minutes. | Cannot schedule network calls outside Salesforce. Only internal cache refresh. |
cookies |
Read the Salesforce sid session cookie to authenticate REST API calls. |
Scoped to Salesforce domains only. Cannot read cookies from other sites. |
The extension can only execute on four domain patterns. Outside these, FieldPulse is dormant.
The extension enforces a strict CSP — meaning only scripts bundled inside the extension package can run.
No inline scripts. No remote CDNs. No eval(). This prevents injected or tampered code from executing even if a vulnerability were ever discovered.
FieldPulse caches analytics locally to make repeat visits instant. All cache lives on your device. You can clear it at any time.
| Storage Layer | What it contains | Retention | Location |
|---|---|---|---|
| Session Storage | Most recent analytics result for the current browsing session | Until tab closes | Chrome session memory |
| IndexedDB | Field metadata, fill rates, edit-frequency counts | 1 hour – 7 days (by type) | Chrome profile, this device |
| Local Storage | Preferences (fp_settings) and recent records list |
Until uninstall / cleared | Chrome profile, this device |
Uninstalling FieldPulse from Chrome deletes all three storage layers. The "Clear Cache" button performs the same wipe on demand. We have no way to recover the data because we never had a copy.
Sometimes the strongest trust signal is a clear list of things an extension cannot and will not do — backed by architecture, not just policy.
*.salesforce.com.Every claim on this page is independently verifiable. Here's how to audit FieldPulse in about ten minutes.
Go to chrome://extensions, find FieldPulse, click "Details". Review "Permissions" and "Site access". The full set matches the permission table above.
Enable Developer mode on chrome://extensions, click "Inspect views: service worker". Open manifest.json — the permissions, host_permissions, and content_security_policy blocks are the source of truth.
Open DevTools → Network tab while using FieldPulse. Filter by Fetch/XHR. Every request's domain should show only your Salesforce domains. Any other destination is a bug — report it.
Chrome extensions ship as unminified JavaScript. On Windows, the folder lives under %LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions\. Open every file — no bundlers, no hidden build steps.
We chose not to minify, bundle, or obfuscate the extension. The entire codebase is approximately 2,300 lines of plain JavaScript — readable in an afternoon by a developer comfortable with vanilla JS.
If you discover a vulnerability, privacy issue, or behavior that contradicts anything on this page, email us directly — before filing a public issue. We aim to acknowledge within 2 business days and fix (or mitigate) within 14 days.
11-page branded PDF — share with your IT team or security review board.
Email: srbagal.ceo@gmail.com
Subject line: "FieldPulse Security"
Include: extension version, Chrome version, steps to reproduce, and (if relevant) a screenshot of DevTools showing the unexpected behavior.