Salesforce Security & Compliance Negotiation

Negotiating Salesforce Shield: Encryption, Event Monitoring, and Audit Trail on Your Terms

Salesforce often positions its Shield suite as “essential” for companies in regulated industries. On the surface, Shield – which bundles Platform Encryption, Event Monitoring, and Field Audit Trail – does sound like a compliance must-have.

However, many organizations discover that these add-ons come with steep costs and tricky contract terms. Salesforce’s sales tactics can make Shield feel unavoidable, but you should be aware of hidden pitfalls: paying for unneeded users, inconsistent discounts, and surprise price hikes at renewal. The good news is you can negotiate Shield on your terms.

You don’t have to accept Salesforce’s first quote or deploy it everywhere by default. This guide breaks down how Shield works, why it’s so costly, and how to negotiate a fair deal.

You’ll learn to assess what your company truly needs, push back on unnecessary upsells, and avoid getting locked into overpriced features.

Read our Salesforce Security & Compliance Negotiation Guide.

Why Salesforce Shield Matters

Salesforce Shield is a bundle of extra security features: Platform Encryption, Event Monitoring, and Field Audit Trail. Salesforce often pitches Shield as a must-have, especially if you’re in a regulated industry like finance or healthcare. They’ll claim it’s key to meeting encryption standards, audit requirements, and other compliance needs on the platform.

The reality is that Shield, while useful, isn’t automatically necessary across your entire organization. One major concern is the cost: Shield is sold as an expensive add-on, often priced per user or as a percentage of your total Salesforce spend.

In practice, that means Salesforce expects you to pay for Shield for all users in an org, even if only a small subset truly requires those protections. This all-or-nothing pricing can put a huge dent in your budget.

Salesforce reps might suggest you’re taking a compliance risk if you don’t roll out Shield everywhere. Yes, regulations demand strong security controls, but they don’t mandate Salesforce’s solution specifically. You have options and should consider them carefully.

Negotiation action:

Treat Shield as optional and use it sparingly. Don’t buy into the idea that it’s mandatory for every user or org. Insist that Salesforce justify each component’s necessity. By limiting Shield to only where it’s truly needed, you’ll be in a stronger position to negotiate pricing and avoid paying for protection you don’t require.

Breaking Down Shield Components

Here’s a quick look at each Shield component and its potential pitfalls:

  • Platform Encryption: Encrypts data at rest at the field level with keys you control. Cost gotcha: It’s sold for your whole org – even if you only need to encrypt a handful of fields, you pay as if everything is encrypted.
  • Event Monitoring: Captures detailed logs of user activity and system events (logins, data exports, etc.). Overkill risk: Salesforce usually packages it to cover all users and events.
  • Field Audit Trail: Extends field history retention to 10 years (from 18 months). Useful for strict audit compliance, but it comes at a high cost as a premium add-on.

Negotiation action: Purchase only the components you actually require. Ask Salesforce for individual pricing on Encryption, Event Monitoring, or Field Audit Trail rather than accepting the full bundle by default. Unbundling the suite prevents you from spending money on features that don’t provide value to your business.

Salesforce Encryption Costs

Salesforce’s Platform Encryption add-on comes at a premium price. It’s often quoted as roughly 20% of your total license cost (or a significant per-user upcharge). For a large user base, that quickly becomes a hefty annual sum. Salesforce will insist this encryption is vital if you store sensitive info in Salesforce (like personal identifiers or health records). They’ll even suggest you won’t meet compliance without Shield encryption.

Keep in mind: Salesforce already encrypts all data at the server level by default. What Shield Platform Encryption adds on top of that is field-level encryption of specific fields with keys you control, which gives you more control over how sensitive data is protected.

Most regulations do require strong encryption and data protection, but they don’t insist on using Salesforce’s product to achieve it. As long as data is encrypted and access is controlled, you’re generally meeting the spirit of the law.

That means you have alternatives. Some companies encrypt sensitive data outside of Salesforce or use third-party encryption tools to protect it. These approaches may require additional effort, but they can still meet compliance requirements without the hefty price tag.

Negotiation action: Do the math on Shield Encryption versus other options. If a third-party solution or an in-house approach can protect your data for less, bring those numbers into the negotiation. Let Salesforce know you’re prepared to consider alternatives.

This stance can encourage Salesforce to offer a better discount or a more flexible deal on encryption. The goal is to only pay for Shield’s encryption if it truly provides value at a fair cost.

For more insights, read Salesforce Hyperforce and Data Residency: How to Secure Your Data’s Location in the Contract.

Event Monitoring Pricing

The Event Monitoring add-on is often priced around 10% of your total Salesforce spend. Salesforce typically presents it as an organization-wide necessity – monitoring every user and every action. They might even cite worst-case security scenarios to push you toward full coverage.

In reality, most organizations only need to track a few critical things (like large data exports or suspicious logins). Monitoring absolutely everything can be overkill and not worth the high cost.

Also note that, by default, Salesforce retains event log files for approximately 30 days. If you need a longer audit trail, you’ll end up exporting the logs to an external system anyway. And if you don’t have the resources to analyze all that data, paying for comprehensive monitoring may not yield much benefit.

Negotiation action: If Event Monitoring is on the table, start with a pilot. Identify which logs truly help you meet security or compliance goals. Then negotiate the scope and price based on those needs – perhaps monitoring only your most sensitive org or specific event types.

Make sure you can export logs for external analysis or long-term storage without extra fees. By tailoring Event Monitoring to your requirements, you can get Salesforce to scale down the price to match your actual usage.

Field Audit Trail Costs

Field Audit Trail extends Salesforce’s field history retention from the standard 18 months up to 10 years. This means you can keep a long-term record of changes to your data for compliance or auditing purposes.

The issue, again, is cost versus benefit. Field Audit Trail isn’t cheap (often around 10% of your total spend if purchased separately), and it often comes bundled with Shield. However, not every organization truly needs to retain field change history for that long within Salesforce. Many companies export field history data to an external archive; it takes some effort to set up, but it’s far cheaper than paying Salesforce’s premium.

Negotiation action: Scrutinize whether the Field Audit Trail is a “must” for you. If regulators or internal policies don’t demand that Salesforce itself store 7+ years of audit data, you might opt out of this add-on.

If you do need it, consider pushing Salesforce to price it separately and more aggressively (especially if you’re not buying the full Shield bundle). Let them know you’re aware of alternative archiving methods. This will either help you drop an unnecessary cost or drive Salesforce to offer a more reasonable rate.

Negotiating Shield Order Forms

When finalizing the deal for Shield components, be vigilant with the contract terms. Salesforce’s initial quotes for add-ons often lack the discounts you secured on your core licenses – but that’s negotiable.

Begin with pricing consistency. If you got a 30% discount on your core licenses, insist on a comparable discount for Shield. Salesforce might initially offer Shield at full list price (e.g., the full 30% of net spend), but you do not have to accept that. They can and will discount Shield when pushed.

Next, align Shield’s renewal with your main agreement. Always co-term Shield add-ons so they expire and renew together with your primary Salesforce contract.

This prevents Salesforce from raising the add-on price on a separate schedule. Also, eliminate any language that says Shield will renew at “then-current” rates, since that would allow them to raise your costs arbitrarily. Lock in your Shield pricing or at least cap the increase at renewal time.

Negotiation action: Document everything. If Salesforce grants a special Shield price or discount, make sure it’s noted in the order form and tied to your master agreement’s protections (price caps, etc.).

Negotiation Checklist

Item                                          Reviewed? (✔/✘)
Shield scoped only where required
Encryption cost benchmarked vs alternatives
Event Monitoring priced by actual need
Field Audit Trail unbundled and negotiated
Shield co-termed with master renewal
Discounts aligned with main agreement
Renewal pricing caps applied

Five Best Practices for Shield Negotiations

  • Challenge “mandatory” claims: Don’t accept Salesforce’s blanket statements that Shield is required for compliance. Ask them to identify the specific regulation or risk – and consider if you can address it through other means.
  • Scope it selectively: Only enable Shield features (encryption, monitoring, audit trail) where necessary. A targeted deployment saves money compared to a full blanket rollout.
  • Use third-party benchmarks: Research what it would cost to handle encryption or logging with external tools or in-house solutions. Use those numbers as leverage – Salesforce is more flexible when they know you have alternatives.
  • Co-term and cover renewals: Tie Shield’s licensing to your main Salesforce contract so all the negotiated discounts and renewal protections apply.
  • Align the discounts: Push for the same (or proportional) discount on Shield that you got on core licenses. You shouldn’t pay full price for extras if your base software was discounted.

FAQs

Q: Is Salesforce Shield mandatory for compliance?
A: No. Regulations require protecting data, but they don’t specifically require buying Salesforce Shield if other measures achieve the same result.

Q: Is encryption included in Salesforce licenses?
A: Basic platform encryption is included (Salesforce encrypts data on its servers), but Shield Platform Encryption is a paid add-on for extra field-level encryption and BYOK, which isn’t part of standard licenses.

Q: Do I need Event Monitoring for all users?
A: Not necessarily. Many companies only monitor their most sensitive Salesforce orgs or high-risk user activities, rather than every single user.

Q: Why is Field Audit Trail so expensive?
A: Because it’s an extra charge to keep data history longer. You can often meet the same needs by exporting data and storing it elsewhere at a much lower cost.

Q: Can I unbundle Shield components?
A: Yes. You can purchase Shield components (Encryption, Event Monitoring, Field Audit Trail)

Author

  • Fredrik Filipsson

    Fredrik Filipsson is the co-founder of Redress Compliance, a leading independent advisory firm specializing in Oracle, Microsoft, SAP, IBM, and Salesforce licensing. With over 20 years of experience in software licensing and contract negotiations, Fredrik has helped hundreds of organizations—including numerous Fortune 500 companies—optimize costs, avoid compliance risks, and secure favorable terms with major software vendors. Fredrik built his expertise over two decades working directly for IBM, SAP, and Oracle, where he gained in-depth knowledge of their licensing programs and sales practices. For the past 11 years, he has worked as a consultant, advising global enterprises on complex licensing challenges and large-scale contract negotiations.