Solution: TrustShield Insurance
Work in Progress
This content is currently being reviewed for accuracy and will be updated soon.
Architecture Decisions
Three decisions define the architecture of this solution. Everything else flows from them.
Decision 1: Apex managed sharing for book-of-business isolation. Standard role hierarchy cannot satisfy the split-policy requirement (BR-2). A single policyholder held by two agents under the same hierarchy would expose both agents’ policies to each other under OWD-Private-with-role-hierarchy. Apex managed sharing (programmatic share records on Policy__c and Account) is the correct mechanism. OWD on Policy and Policyholder records is set to Private, and sharing grants are written programmatically when a policy is created or reassigned.
Decision 2: MuleSoft for carrier integration, not native Salesforce callouts. The combination of a SOAP carrier with 1.5-4 second response times, a REST carrier, async document retrieval from DocuWare, a nightly SFTP batch, and the explicit requirement to add a third carrier without re-architecture points to an integration platform. Native Salesforce callouts would scatter the complexity across multiple Apex classes, each with governor limit exposure, no reusable transport layer, and no configurable field mapping for ops staff. MuleSoft Anypoint Platform, although Salesforce-owned, is licensed separately from Sales Cloud and Service Cloud; TrustShield must budget an additional MuleSoft subscription on top of the core Salesforce licenses. At the volumes in this scenario (two production carriers, two to three Anypoint workers, nightly SFTP batch), the MuleSoft line should be sized at roughly $120,000 to $220,000 per year for the Titanium tier that includes Anypoint MQ and Secure Properties. This cost is called out explicitly in the project budget and is the single largest integration line item. The benefit is a structured integration layer with visual DataWeave mapping that ops staff can modify, a message queue for retry logic, and a carrier-agnostic connector pattern.
Decision 3: Experience Cloud with a dedicated permission set license for independent agents. 62 independent agents (1099 contractors) need access distinct from internal staff. Experience Cloud Customer Community Plus licenses give each agent their own authenticated session, enforce profile-level access that hides internal operational records, and map naturally to the Apex sharing grants that drive book-of-business isolation. The license cost is predictable and scales linearly as TrustShield adds agents. Customer Community Plus is the current license name in the Salesforce Experience Cloud pricing catalog; the parent platform rebrand from Community Cloud to Experience Cloud is from 2021 and does not change the underlying SKUs.
System Landscape
%3btext-align:center%3b%7d%23mermaid-0 .edgeLabel p%7bbackground-color:rgba(232%2c232%2c232%2c 0.8)%3b%7d%23mermaid-0 .edgeLabel rect%7bopacity:0.5%3bbackground-color:rgba(232%2c232%2c232%2c 0.8)%3bfill:rgba(232%2c232%2c232%2c 0.8)%3b%7d%23mermaid-0 .labelBkg%7bbackground-color:rgba(232%2c 232%2c 232%2c 0.5)%3b%7d%23mermaid-0 .cluster rect%7bfill:%23ffffde%3bstroke:%23aaaa33%3bstroke-width:1px%3b%7d%23mermaid-0 .cluster text%7bfill:%23333%3b%7d%23mermaid-0 .cluster span%7bcolor:%23333%3b%7d%23mermaid-0 div.mermaidTooltip%7bposition:absolute%3btext-align:center%3bmax-width:200px%3bpadding:2px%3bfont-family:arial%2csans-serif%3bfont-size:12px%3bbackground:hsl(80%2c 100%25%2c 96.2745098039%25)%3bborder:1px solid %23aaaa33%3bborder-radius:2px%3bpointer-events:none%3bz-index:100%3b%7d%23mermaid-0 .flowchartTitleText%7btext-anchor:middle%3bfont-size:18px%3bfill:%23333%3b%7d%23mermaid-0 rect.text%7bfill:none%3bstroke-width:0%3b%7d%23mermaid-0 .icon-shape%2c%23mermaid-0 .image-shape%7bbackground-color:rgba(232%2c232%2c232%2c 0.8)%3btext-align:center%3b%7d%23mermaid-0 .icon-shape p%2c%23mermaid-0 .image-shape p%7bbackground-color:rgba(232%2c232%2c232%2c 0.8)%3bpadding:2px%3b%7d%23mermaid-0 .icon-shape .label rect%2c%23mermaid-0 .image-shape .label rect%7bopacity:0.5%3bbackground-color:rgba(232%2c232%2c232%2c 0.8)%3bfill:rgba(232%2c232%2c232%2c 0.8)%3b%7d%23mermaid-0 .label-icon%7bdisplay:inline-block%3bheight:1em%3boverflow:visible%3bvertical-align:-0.125em%3b%7d%23mermaid-0 .node .label-icon path%7bfill:currentColor%3bstroke:revert%3bstroke-width:revert%3b%7d%23mermaid-0 :root%7b--mermaid-font-family:arial%2csans-serif%3b%7d%3c/style%3e%3cg%3e%3cmarker id='mermaid-0_flowchart-v2-pointEnd' class='marker flowchart-v2' viewBox='0 0 10 10' refX='5' refY='5' markerUnits='userSpaceOnUse' markerWidth='8' markerHeight='8' orient='auto'%3e%3cpath d='M 0 0 L 10 5 L 0 10 z' class='arrowMarkerPath' style='stroke-width: 1%3b stroke-dasharray: 1%2c 0%3b'/%3e%3c/marker%3e%3cmarker id='mermaid-0_flowchart-v2-pointStart' class='marker flowchart-v2' viewBox='0 0 10 10' refX='4.5' refY='5' markerUnits='userSpaceOnUse' markerWidth='8' markerHeight='8' orient='auto'%3e%3cpath d='M 0 5 L 10 10 L 10 0 z' class='arrowMarkerPath' style='stroke-width: 1%3b stroke-dasharray: 1%2c 0%3b'/%3e%3c/marker%3e%3cmarker id='mermaid-0_flowchart-v2-circleEnd' class='marker flowchart-v2' viewBox='0 0 10 10' refX='11' refY='5' markerUnits='userSpaceOnUse' markerWidth='11' markerHeight='11' orient='auto'%3e%3ccircle cx='5' cy='5' r='5' class='arrowMarkerPath' style='stroke-width: 1%3b stroke-dasharray: 1%2c 0%3b'/%3e%3c/marker%3e%3cmarker id='mermaid-0_flowchart-v2-circleStart' class='marker flowchart-v2' viewBox='0 0 10 10' refX='-1' refY='5' markerUnits='userSpaceOnUse' markerWidth='11' markerHeight='11' orient='auto'%3e%3ccircle cx='5' cy='5' r='5' class='arrowMarkerPath' style='stroke-width: 1%3b stroke-dasharray: 1%2c 0%3b'/%3e%3c/marker%3e%3cmarker id='mermaid-0_flowchart-v2-crossEnd' class='marker cross flowchart-v2' viewBox='0 0 11 11' refX='12' refY='5.2' markerUnits='userSpaceOnUse' markerWidth='11' markerHeight='11' orient='auto'%3e%3cpath d='M 1%2c1 l 9%2c9 M 10%2c1 l -9%2c9' class='arrowMarkerPath' style='stroke-width: 2%3b stroke-dasharray: 1%2c 0%3b'/%3e%3c/marker%3e%3cmarker id='mermaid-0_flowchart-v2-crossStart' class='marker cross flowchart-v2' viewBox='0 0 11 11' refX='-1' refY='5.2' markerUnits='userSpaceOnUse' markerWidth='11' markerHeight='11' orient='auto'%3e%3cpath d='M 1%2c1 l 9%2c9 M 10%2c1 l -9%2c9' class='arrowMarkerPath' style='stroke-width: 2%3b stroke-dasharray: 1%2c 0%3b'/%3e%3c/marker%3e%3cg class='root'%3e%3cg class='clusters'/%3e%3cg class='edgePaths'%3e%3cpath d='M530.649%2c86L523.401%2c90.167C516.153%2c94.333%2c501.657%2c102.667%2c486.993%2c110.692C472.33%2c118.718%2c457.501%2c126.436%2c450.086%2c130.295L442.671%2c134.153' id='L_A_SF_0' class='edge-thickness-normal edge-pattern-solid edge-thickness-normal edge-pattern-solid flowchart-link' style='%3b' data-edge='true' data-et='edge' data-id='L_A_SF_0' data-points='W3sieCI6NTMwLjY0OTIzMDk1NzAzMTIsInkiOjg2fSx7IngiOjQ4Ny4xNjAxNTYyNSwieSI6MTExfSx7IngiOjQzOS4xMjI0MzY1MjM0Mzc1LCJ5IjoxMzZ9XQ==' marker-end='url(%23mermaid-0_flowchart-v2-pointEnd)'/%3e%3cpath d='M352.539%2c86L352.539%2c90.167C352.539%2c94.333%2c352.539%2c102.667%2c353.178%2c110.344C353.817%2c118.022%2c355.094%2c125.043%2c355.733%2c128.554L356.372%2c132.065' id='L_B_SF_0' class='edge-thickness-normal edge-pattern-solid edge-thickness-normal edge-pattern-solid flowchart-link' style='%3b' data-edge='true' data-et='edge' data-id='L_B_SF_0' data-points='W3sieCI6MzUyLjUzOTA2MjUsInkiOjg2fSx7IngiOjM1Mi41MzkwNjI1LCJ5IjoxMTF9LHsieCI6MzU3LjA4NzcwNzUxOTUzMTI1LCJ5IjoxMzZ9XQ==' marker-end='url(%23mermaid-0_flowchart-v2-pointEnd)'/%3e%3cpath d='M105.883%2c86L105.883%2c90.167C105.883%2c94.333%2c105.883%2c102.667%2c130.131%2c112.841C154.379%2c123.016%2c202.875%2c135.032%2c227.123%2c141.04L251.371%2c147.048' id='L_C_SF_0' class='edge-thickness-normal edge-pattern-solid edge-thickness-normal edge-pattern-solid flowchart-link' style='%3b' data-edge='true' data-et='edge' data-id='L_C_SF_0' data-points='W3sieCI6MTA1Ljg4MjgxMjUsInkiOjg2fSx7IngiOjEwNS44ODI4MTI1LCJ5IjoxMTF9LHsieCI6MjU1LjI1MzkwNjI1LCJ5IjoxNDguMDEwMTQ3NDQ4MDE1MTJ9XQ==' marker-end='url(%23mermaid-0_flowchart-v2-pointEnd)'/%3e%3cpath d='M373.286%2c214L374.725%2c220.167C376.165%2c226.333%2c379.043%2c238.667%2c378.339%2c250.378C377.634%2c262.09%2c373.347%2c273.179%2c371.203%2c278.724L369.06%2c284.269' id='L_SF_MU_0' class='edge-thickness-normal edge-pattern-solid edge-thickness-normal edge-pattern-solid flowchart-link' style='%3b' data-edge='true' data-et='edge' data-id='L_SF_MU_0' data-points='W3sieCI6MzczLjI4NjEzMjgxMjUsInkiOjIxNH0seyJ4IjozODEuOTIxODc1LCJ5IjoyNTF9LHsieCI6MzY3LjYxNzA4NDcwMzk0NzM0LCJ5IjoyODh9XQ==' marker-end='url(%23mermaid-0_flowchart-v2-pointEnd)'/%3e%3cpath d='M407.752%2c366L416.482%2c372.167C425.212%2c378.333%2c442.672%2c390.667%2c442.92%2c402.624C443.167%2c414.582%2c426.201%2c426.163%2c417.718%2c431.954L409.235%2c437.745' id='L_MU_HZ_0' class='edge-thickness-normal edge-pattern-solid edge-thickness-normal edge-pattern-solid flowchart-link' style='%3b' data-edge='true' data-et='edge' data-id='L_MU_HZ_0' data-points='W3sieCI6NDA3Ljc1MTY0NDczNjg0MjEsInkiOjM2Nn0seyJ4Ijo0NjAuMTMyODEyNSwieSI6NDAzfSx7IngiOjQwNS45MzE2OTIwMjMwMjYzLCJ5Ijo0NDB9XQ==' marker-end='url(%23mermaid-0_flowchart-v2-pointEnd)'/%3e%3cpath d='M259.398%2c359.23L238.317%2c366.525C217.236%2c373.82%2c175.073%2c388.41%2c153.992%2c401.205C132.91%2c414%2c132.91%2c425%2c132.91%2c430.5L132.91%2c436' id='L_MU_SR_0' class='edge-thickness-normal edge-pattern-solid edge-thickness-normal edge-pattern-solid flowchart-link' style='%3b' data-edge='true' data-et='edge' data-id='L_MU_SR_0' data-points='W3sieCI6MjU5LjM5ODQzNzUsInkiOjM1OS4yMzAyMTc4NzQ2MTA5Nn0seyJ4IjoxMzIuOTEwMTU2MjUsInkiOjQwM30seyJ4IjoxMzIuOTEwMTU2MjUsInkiOjQ0MH1d' marker-end='url(%23mermaid-0_flowchart-v2-pointEnd)'/%3e%3cpath d='M445.68%2c356.627L469.977%2c364.356C494.275%2c372.085%2c542.87%2c387.542%2c567.167%2c400.771C591.465%2c414%2c591.465%2c425%2c591.465%2c430.5L591.465%2c436' id='L_MU_DW_0' class='edge-thickness-normal edge-pattern-solid edge-thickness-normal edge-pattern-solid flowchart-link' style='%3b' data-edge='true' data-et='edge' data-id='L_MU_DW_0' data-points='W3sieCI6NDQ1LjY3OTY4NzUsInkiOjM1Ni42MjcxMzk3MDQwNzkxfSx7IngiOjU5MS40NjQ4NDM3NSwieSI6NDAzfSx7IngiOjU5MS40NjQ4NDM3NSwieSI6NDQwfV0=' marker-end='url(%23mermaid-0_flowchart-v2-pointEnd)'/%3e%3cpath d='M473.113%2c206.322L499.01%2c213.768C524.906%2c221.215%2c576.699%2c236.107%2c601.871%2c249.059C627.043%2c262.011%2c625.594%2c273.023%2c624.87%2c278.528L624.146%2c284.034' id='L_SF_EX_0' class='edge-thickness-normal edge-pattern-solid edge-thickness-normal edge-pattern-solid flowchart-link' style='%3b' data-edge='true' data-et='edge' data-id='L_SF_EX_0' data-points='W3sieCI6NDczLjExMzI4MTI1LCJ5IjoyMDYuMzIxOTMzNzAwODQwOTN9LHsieCI6NjI4LjQ5MjE4NzUsInkiOjI1MX0seyJ4Ijo2MjMuNjIzNzY2NDQ3MzY4NCwieSI6Mjg4fV0=' marker-end='url(%23mermaid-0_flowchart-v2-pointEnd)'/%3e%3cpath d='M613.361%2c288L612.549%2c281.833C611.738%2c275.667%2c610.115%2c263.333%2c609.304%2c244.5C608.492%2c225.667%2c608.492%2c200.333%2c608.492%2c177C608.492%2c153.667%2c608.492%2c132.333%2c607.944%2c118.159C607.396%2c103.984%2c606.3%2c96.968%2c605.752%2c93.46L605.203%2c89.952' id='L_EX_A_0' class='edge-thickness-normal edge-pattern-solid edge-thickness-normal edge-pattern-solid flowchart-link' style='%3b' data-edge='true' data-et='edge' data-id='L_EX_A_0' data-points='W3sieCI6NjEzLjM2MDYwODU1MjYzMTYsInkiOjI4OH0seyJ4Ijo2MDguNDkyMTg3NSwieSI6MjUxfSx7IngiOjYwOC40OTIxODc1LCJ5IjoxNzV9LHsieCI6NjA4LjQ5MjE4NzUsInkiOjExMX0seyJ4Ijo2MDQuNTg1OTM3NSwieSI6ODZ9XQ==' marker-end='url(%23mermaid-0_flowchart-v2-pointEnd)'/%3e%3cpath d='M316.185%2c440L311.028%2c433.833C305.871%2c427.667%2c295.557%2c415.333%2c295.418%2c403.499C295.279%2c391.665%2c305.316%2c380.33%2c310.335%2c374.662L315.353%2c368.995' id='L_HZ_MU_0' class='edge-thickness-normal edge-pattern-solid edge-thickness-normal edge-pattern-solid flowchart-link' style='%3b' data-edge='true' data-et='edge' data-id='L_HZ_MU_0' data-points='W3sieCI6MzE2LjE4NTE4NzA4ODgxNTgsInkiOjQ0MH0seyJ4IjoyODUuMjQyMTg3NSwieSI6NDAzfSx7IngiOjMxOC4wMDUxMzk4MDI2MzE1NiwieSI6MzY2fV0=' marker-end='url(%23mermaid-0_flowchart-v2-pointEnd)'/%3e%3cpath d='M333.624%2c288L330.634%2c281.833C327.643%2c275.667%2c321.661%2c263.333%2c322.247%2c251.562C322.834%2c239.791%2c329.988%2c228.581%2c333.565%2c222.977L337.142%2c217.372' id='L_MU_SF_0' class='edge-thickness-normal edge-pattern-solid edge-thickness-normal edge-pattern-solid flowchart-link' style='%3b' data-edge='true' data-et='edge' data-id='L_MU_SF_0' data-points='W3sieCI6MzMzLjYyNDM4MzIyMzY4NDIsInkiOjI4OH0seyJ4IjozMTUuNjc5Njg3NSwieSI6MjUxfSx7IngiOjMzOS4yOTM0MzEzMzIyMzY4LCJ5IjoyMTR9XQ==' marker-end='url(%23mermaid-0_flowchart-v2-pointEnd)'/%3e%3c/g%3e%3cg class='edgeLabels'%3e%3cg class='edgeLabel'%3e%3cg class='label' data-id='L_A_SF_0' transform='translate(0%2c 0)'%3e%3cforeignObject width='0' height='0'%3e%3cdiv xmlns='http://www.w3.org/1999/xhtml' class='labelBkg' style='display: table-cell%3b white-space: nowrap%3b line-height: 1.5%3b max-width: 200px%3b text-align: center%3b'%3e%3cspan class='edgeLabel'%3e%3c/span%3e%3c/div%3e%3c/foreignObject%3e%3c/g%3e%3c/g%3e%3cg class='edgeLabel'%3e%3cg class='label' data-id='L_B_SF_0' transform='translate(0%2c 0)'%3e%3cforeignObject width='0' height='0'%3e%3cdiv xmlns='http://www.w3.org/1999/xhtml' class='labelBkg' style='display: table-cell%3b white-space: nowrap%3b line-height: 1.5%3b max-width: 200px%3b text-align: center%3b'%3e%3cspan class='edgeLabel'%3e%3c/span%3e%3c/div%3e%3c/foreignObject%3e%3c/g%3e%3c/g%3e%3cg class='edgeLabel'%3e%3cg class='label' data-id='L_C_SF_0' transform='translate(0%2c 0)'%3e%3cforeignObject width='0' height='0'%3e%3cdiv xmlns='http://www.w3.org/1999/xhtml' class='labelBkg' style='display: table-cell%3b white-space: nowrap%3b line-height: 1.5%3b max-width: 200px%3b text-align: center%3b'%3e%3cspan class='edgeLabel'%3e%3c/span%3e%3c/div%3e%3c/foreignObject%3e%3c/g%3e%3c/g%3e%3cg class='edgeLabel'%3e%3cg class='label' data-id='L_SF_MU_0' transform='translate(0%2c 0)'%3e%3cforeignObject width='0' height='0'%3e%3cdiv xmlns='http://www.w3.org/1999/xhtml' class='labelBkg' style='display: table-cell%3b white-space: nowrap%3b line-height: 1.5%3b max-width: 200px%3b text-align: center%3b'%3e%3cspan class='edgeLabel'%3e%3c/span%3e%3c/div%3e%3c/foreignObject%3e%3c/g%3e%3c/g%3e%3cg class='edgeLabel'%3e%3cg class='label' data-id='L_MU_HZ_0' transform='translate(0%2c 0)'%3e%3cforeignObject width='0' height='0'%3e%3cdiv xmlns='http://www.w3.org/1999/xhtml' class='labelBkg' style='display: table-cell%3b white-space: nowrap%3b line-height: 1.5%3b max-width: 200px%3b text-align: center%3b'%3e%3cspan class='edgeLabel'%3e%3c/span%3e%3c/div%3e%3c/foreignObject%3e%3c/g%3e%3c/g%3e%3cg class='edgeLabel'%3e%3cg class='label' data-id='L_MU_SR_0' transform='translate(0%2c 0)'%3e%3cforeignObject width='0' height='0'%3e%3cdiv xmlns='http://www.w3.org/1999/xhtml' class='labelBkg' style='display: table-cell%3b white-space: nowrap%3b line-height: 1.5%3b max-width: 200px%3b text-align: center%3b'%3e%3cspan class='edgeLabel'%3e%3c/span%3e%3c/div%3e%3c/foreignObject%3e%3c/g%3e%3c/g%3e%3cg class='edgeLabel'%3e%3cg class='label' data-id='L_MU_DW_0' transform='translate(0%2c 0)'%3e%3cforeignObject width='0' height='0'%3e%3cdiv xmlns='http://www.w3.org/1999/xhtml' class='labelBkg' style='display: table-cell%3b white-space: nowrap%3b line-height: 1.5%3b max-width: 200px%3b text-align: center%3b'%3e%3cspan class='edgeLabel'%3e%3c/span%3e%3c/div%3e%3c/foreignObject%3e%3c/g%3e%3c/g%3e%3cg class='edgeLabel'%3e%3cg class='label' data-id='L_SF_EX_0' transform='translate(0%2c 0)'%3e%3cforeignObject width='0' height='0'%3e%3cdiv xmlns='http://www.w3.org/1999/xhtml' class='labelBkg' style='display: table-cell%3b white-space: nowrap%3b line-height: 1.5%3b max-width: 200px%3b text-align: center%3b'%3e%3cspan class='edgeLabel'%3e%3c/span%3e%3c/div%3e%3c/foreignObject%3e%3c/g%3e%3c/g%3e%3cg class='edgeLabel'%3e%3cg class='label' data-id='L_EX_A_0' transform='translate(0%2c 0)'%3e%3cforeignObject width='0' height='0'%3e%3cdiv xmlns='http://www.w3.org/1999/xhtml' class='labelBkg' style='display: table-cell%3b white-space: nowrap%3b line-height: 1.5%3b max-width: 200px%3b text-align: center%3b'%3e%3cspan class='edgeLabel'%3e%3c/span%3e%3c/div%3e%3c/foreignObject%3e%3c/g%3e%3c/g%3e%3cg class='edgeLabel' transform='translate(285.2421875%2c 403)'%3e%3cg class='label' data-id='L_HZ_MU_0' transform='translate(-68.7734375%2c -12)'%3e%3cforeignObject width='137.546875' height='24'%3e%3cdiv xmlns='http://www.w3.org/1999/xhtml' class='labelBkg' style='display: table-cell%3b white-space: nowrap%3b line-height: 1.5%3b max-width: 200px%3b text-align: center%3b'%3e%3cspan class='edgeLabel'%3e%3cp%3eNightly SFTP batch%3c/p%3e%3c/span%3e%3c/div%3e%3c/foreignObject%3e%3c/g%3e%3c/g%3e%3cg class='edgeLabel' transform='translate(316.42513%2c 249.83199)'%3e%3cg class='label' data-id='L_MU_SF_0' transform='translate(-46.2421875%2c -12)'%3e%3cforeignObject width='92.484375' height='24'%3e%3cdiv xmlns='http://www.w3.org/1999/xhtml' class='labelBkg' style='display: table-cell%3b white-space: nowrap%3b line-height: 1.5%3b max-width: 200px%3b text-align: center%3b'%3e%3cspan class='edgeLabel'%3e%3cp%3eBatch results%3c/p%3e%3c/span%3e%3c/div%3e%3c/foreignObject%3e%3c/g%3e%3c/g%3e%3c/g%3e%3cg class='nodes'%3e%3cg class='node default' id='flowchart-A-0' transform='translate(598.4921875%2c 47)'%3e%3crect class='basic label-container' style='' x='-97.1796875' y='-39' width='194.359375' height='78'/%3e%3cg class='label' style='' transform='translate(-67.1796875%2c -24)'%3e%3crect/%3e%3cforeignObject width='134.359375' height='48'%3e%3cdiv xmlns='http://www.w3.org/1999/xhtml' style='display: table-cell%3b white-space: nowrap%3b line-height: 1.5%3b max-width: 1000px%3b text-align: center%3b'%3e%3cspan class='nodeLabel'%3e%3cp%3eIndependent Agent%3cbr /%3eExperience Cloud%3c/p%3e%3c/span%3e%3c/div%3e%3c/foreignObject%3e%3c/g%3e%3c/g%3e%3cg class='node default' id='flowchart-SF-1' transform='translate(364.18359375%2c 175)'%3e%3crect class='basic label-container' style='' x='-108.9296875' y='-39' width='217.859375' height='78'/%3e%3cg class='label' style='' transform='translate(-78.9296875%2c -24)'%3e%3crect/%3e%3cforeignObject width='157.859375' height='48'%3e%3cdiv xmlns='http://www.w3.org/1999/xhtml' style='display: table-cell%3b white-space: nowrap%3b line-height: 1.5%3b max-width: 1000px%3b text-align: center%3b'%3e%3cspan class='nodeLabel'%3e%3cp%3eSalesforce Core%3cbr /%3eSales %2b Service Cloud%3c/p%3e%3c/span%3e%3c/div%3e%3c/foreignObject%3e%3c/g%3e%3c/g%3e%3cg class='node default' id='flowchart-B-2' transform='translate(352.5390625%2c 47)'%3e%3crect class='basic label-container' style='' x='-98.7734375' y='-39' width='197.546875' height='78'/%3e%3cg class='label' style='' transform='translate(-68.7734375%2c -24)'%3e%3crect/%3e%3cforeignObject width='137.546875' height='48'%3e%3cdiv xmlns='http://www.w3.org/1999/xhtml' style='display: table-cell%3b white-space: nowrap%3b line-height: 1.5%3b max-width: 1000px%3b text-align: center%3b'%3e%3cspan class='nodeLabel'%3e%3cp%3eInternal CSR / Staff%3cbr /%3eSalesforce UI%3c/p%3e%3c/span%3e%3c/div%3e%3c/foreignObject%3e%3c/g%3e%3c/g%3e%3cg class='node default' id='flowchart-C-4' transform='translate(105.8828125%2c 47)'%3e%3crect class='basic label-container' style='' x='-97.8828125' y='-39' width='195.765625' height='78'/%3e%3cg class='label' style='' transform='translate(-67.8828125%2c -24)'%3e%3crect/%3e%3cforeignObject width='135.765625' height='48'%3e%3cdiv xmlns='http://www.w3.org/1999/xhtml' style='display: table-cell%3b white-space: nowrap%3b line-height: 1.5%3b max-width: 1000px%3b text-align: center%3b'%3e%3cspan class='nodeLabel'%3e%3cp%3eCompliance Officer%3cbr /%3eSalesforce UI%3c/p%3e%3c/span%3e%3c/div%3e%3c/foreignObject%3e%3c/g%3e%3c/g%3e%3cg class='node default' id='flowchart-MU-7' transform='translate(352.5390625%2c 327)'%3e%3crect class='basic label-container' style='' x='-93.140625' y='-39' width='186.28125' height='78'/%3e%3cg class='label' style='' transform='translate(-63.140625%2c -24)'%3e%3crect/%3e%3cforeignObject width='126.28125' height='48'%3e%3cdiv xmlns='http://www.w3.org/1999/xhtml' style='display: table-cell%3b white-space: nowrap%3b line-height: 1.5%3b max-width: 1000px%3b text-align: center%3b'%3e%3cspan class='nodeLabel'%3e%3cp%3eMuleSoft%3cbr /%3eAnypoint Platform%3c/p%3e%3c/span%3e%3c/div%3e%3c/foreignObject%3e%3c/g%3e%3c/g%3e%3cg class='node default' id='flowchart-HZ-9' transform='translate(348.80078125%2c 479)'%3e%3crect class='basic label-container' style='' x='-96.328125' y='-39' width='192.65625' height='78'/%3e%3cg class='label' style='' transform='translate(-66.328125%2c -24)'%3e%3crect/%3e%3cforeignObject width='132.65625' height='48'%3e%3cdiv xmlns='http://www.w3.org/1999/xhtml' style='display: table-cell%3b white-space: nowrap%3b line-height: 1.5%3b max-width: 1000px%3b text-align: center%3b'%3e%3cspan class='nodeLabel'%3e%3cp%3eHorizon P%26amp%3bC%3cbr /%3eSOAP API %2b SFTP%3c/p%3e%3c/span%3e%3c/div%3e%3c/foreignObject%3e%3c/g%3e%3c/g%3e%3cg class='node default' id='flowchart-SR-11' transform='translate(132.91015625%2c 479)'%3e%3crect class='basic label-container' style='' x='-69.5625' y='-39' width='139.125' height='78'/%3e%3cg class='label' style='' transform='translate(-39.5625%2c -24)'%3e%3crect/%3e%3cforeignObject width='79.125' height='48'%3e%3cdiv xmlns='http://www.w3.org/1999/xhtml' style='display: table-cell%3b white-space: nowrap%3b line-height: 1.5%3b max-width: 1000px%3b text-align: center%3b'%3e%3cspan class='nodeLabel'%3e%3cp%3eSummit Re%3cbr /%3eREST API%3c/p%3e%3c/span%3e%3c/div%3e%3c/foreignObject%3e%3c/g%3e%3c/g%3e%3cg class='node default' id='flowchart-DW-13' transform='translate(591.46484375%2c 479)'%3e%3crect class='basic label-container' style='' x='-96.3359375' y='-39' width='192.671875' height='78'/%3e%3cg class='label' style='' transform='translate(-66.3359375%2c -24)'%3e%3crect/%3e%3cforeignObject width='132.671875' height='48'%3e%3cdiv xmlns='http://www.w3.org/1999/xhtml' style='display: table-cell%3b white-space: nowrap%3b line-height: 1.5%3b max-width: 1000px%3b text-align: center%3b'%3e%3cspan class='nodeLabel'%3e%3cp%3eDocuWare%3cbr /%3eREST %2b OAuth 2.0%3c/p%3e%3c/span%3e%3c/div%3e%3c/foreignObject%3e%3c/g%3e%3c/g%3e%3cg class='node default' id='flowchart-EX-15' transform='translate(618.4921875%2c 327)'%3e%3crect class='basic label-container' style='' x='-93.1484375' y='-39' width='186.296875' height='78'/%3e%3cg class='label' style='' transform='translate(-63.1484375%2c -24)'%3e%3crect/%3e%3cforeignObject width='126.296875' height='48'%3e%3cdiv xmlns='http://www.w3.org/1999/xhtml' style='display: table-cell%3b white-space: nowrap%3b line-height: 1.5%3b max-width: 1000px%3b text-align: center%3b'%3e%3cspan class='nodeLabel'%3e%3cp%3eExperience Cloud%3cbr /%3eAgent Portal%3c/p%3e%3c/span%3e%3c/div%3e%3c/foreignObject%3e%3c/g%3e%3c/g%3e%3c/g%3e%3c/g%3e%3c/g%3e%3c/svg%3e)
Data Model
Core Objects
| Object | Type | Key Fields | Notes |
|---|---|---|---|
| Account (Policyholder) | Standard | Name, Address, Phone, Email | OWD: Private. Shared via Apex to writing agents per policy |
| Policy__c | Custom | PolicyNumber, Carrier__c, LineOfBusiness__c, EffectiveDate, ExpiryDate, Status, WritingAgent__c, Premium__c | OWD: Private. Junction to Account via lookup |
| Agent__c | Custom | LicenseNumber, LicenseType, LicenseExpiry, AppointmentStatus_Horizon__c, AppointmentStatus_SummitRe__c, AgencyPrincipal__c | Master record for contractor identity |
| Agency__c | Custom | AgencyName, PrincipalAgent__c | Groups agents for principal-level access |
| Carrier__c | Custom | CarrierName, APIType, EndpointURL, AuthMethod, IsActive | Supports the carrier-abstraction requirement |
| CarrierAppointment__c | Custom | Agent__c, Carrier__c, EffectiveDate, Status, LastConfirmedDate | Junction for agent-carrier appointments |
| Quote__c | Custom | Policy__c, Carrier__c, QuoteStatus, CarrierQuoteRef, RequestPayload, ResponsePayload, ExpiryDate | Holds in-progress or saved quotes |
| FNOL__c | Custom | Policy__c, Account__c, DateOfLoss, LossType, Description, CarrierRefNumber, NotificationTimestamp, HandlingRep__c, CarrierAckStatus | First notice of loss |
| CarrierAPILog__c | Custom | Carrier__c, Operation, RequestPayload, ResponsePayload, HTTPStatus, CarrierRefNumber, InitiatingUser__c, Timestamp | Immutable log: no delete, no update |
| Commission__c | Custom | Agent__c, Period, TotalAmount, PolicyCommissionLines (child) | Source for agent commission statements |
| Document__c | Custom | RelatedRecord__c, RelatedRecordType__c, DocuWareID, DocumentType, RetrievalStatus | Tracks DocuWare documents linked to SF records |
| AgentOnboardingTask__c | Custom | Agent__c, TaskType, Owner, DueDate, CompletedDate, Status | Checklist row for onboarding workflow |
| LicenseAuditLog__c | Custom | Agent__c, FieldChanged, OldValue, NewValue, ChangedBy, ChangeTimestamp | Immutable: enforced via trigger and Restrict Delete |
Split-Policy Sharing Model Detail
The split-policy requirement (BR-2) cannot be solved by sharing rules based on a field value on the Account, because the Account is shared but the policies on it are not: each policy has a distinct writing agent. The model works as follows:
- Account OWD: Private. Policy__c OWD: Private.
- When a Policy is created, an Apex trigger fires and creates an
AccountSharerecord granting theWritingAgent__cuser Read access to the Account, and aPolicy__Sharerecord granting the same user Read/Write access to the Policy. - If a second policy for the same Account is later created with a different writing agent, a second
AccountSharerow is inserted for the new agent, granting them Account Read access only (so they can see the policyholder name and contact info for their own policy context), but noPolicy__Sharefor the first policy. - Each agent therefore sees the Account (read) and only their own Policy records (read/write).
- Global search isolation is achieved because SOSL and search results respect record-level sharing. No additional configuration is required beyond the share rows.
Integration Architecture
Carrier Abstraction Layer
The Carrier__c object acts as a configuration record for each carrier. MuleSoft reads this record to determine the endpoint, authentication method, API type (SOAP vs REST), and active status before each call. Adding a third carrier requires a new Carrier__c record and a MuleSoft configuration artifact. No Apex changes, no redeployment.
Horizon P&C (SOAP)
- MuleSoft hosts a dedicated Anypoint connector for Horizon using the WSDL schema.
- DataWeave transformations in MuleSoft map Salesforce field names to Horizon WSDL field names. Operations staff can modify mappings in Anypoint Studio without a Salesforce deployment.
- Salesforce initiates calls via Platform Events. The agent action (quote, bind, endorsement) fires a Platform Event. MuleSoft subscribes and executes the carrier call, then posts the response back via a second Platform Event consumed by Salesforce.
- This pattern keeps the agent UI non-blocking. The agent sees a spinner until the response arrives via the Platform Event, typically within 4 seconds. Platform Events are asynchronous; the agent UI uses a polling or streaming mechanism (Streaming API/CometD) to display the response when it arrives. This is not a true synchronous request-response. The UI subscribes to the response event channel and updates when the event is received.
- Authentication: username/password + static IP allowlist. MuleSoft Secure Properties stores credentials and handles annual rotation without Salesforce involvement.
- Retry logic: if Horizon is unavailable, MuleSoft queues the request in Anypoint MQ with a 3-retry backoff. After exhausting retries, MuleSoft publishes a failure Platform Event. A Salesforce flow consumes this and creates an Ops_Alert__c record, sending an email to the operations distribution list within 5 minutes (BR-15).
Horizon Nightly SFTP Batch (BR-10)
- MuleSoft polls the SFTP server nightly at 01:00 MT using a scheduled flow.
- The file is parsed, and each row is matched to an existing Policy__c by PolicyNumber.
- Matched records are updated (status, premium). New rows create pending Policy__c records flagged for manual review. Unmatched rows are written to a Reconciliation_Report__c record with the raw row content.
- A summary email is sent to the ops team each morning with counts: updated, created-pending, unmatched.
Summit Re (REST)
- MuleSoft connector for Summit Re REST/JSON API handles quoting and status retrieval.
- Because API binding is not available in Phase 1 (BR-11), when a quote is ready for binding, the Salesforce UI displays a “Proceed to Bind” button that opens the Summit Re web portal URL with pre-filled parameters (policy number, agent ID). A
PendingBind__cstatus record is created in Salesforce to track the outstanding bind. - The status record has an automated reminder to the agent after 48 hours if the bind is not confirmed. Ops staff can manually mark the bind as complete when Summit Re confirms.
DocuWare (REST + OAuth 2.0)
- MuleSoft handles OAuth 2.0 token management for DocuWare, refreshing tokens transparently.
- Document retrieval is fully asynchronous (BR-14). When an agent requests a document, a Platform Event fires. MuleSoft retrieves the document from DocuWare and pushes it to Salesforce Files, then fires a completion event. A Salesforce notification appears for the agent. The agent never waits on a synchronous callout.
- New documents generated in Salesforce (FNOL reports, agent agreements) are pushed to DocuWare via MuleSoft. The returned DocuWare document ID is stored on the
Document__crecord. - DocuWare abstraction: all document interactions route through MuleSoft, not direct Apex callouts. If DocuWare is replaced, only the MuleSoft connector changes. Salesforce sees only the Document__c record and a Salesforce File. There is no direct DocuWare API dependency in Salesforce code.
API Logging (BR-12)
All carrier API calls (request, response, status, carrier reference, initiating user, timestamp) are written to CarrierAPILog__c by MuleSoft after every call. The object has no delete permission for any profile. A Salesforce trigger blocks any DML update on existing rows. Rows older than 24 months are moved to an ArchivedCarrierAPILog Big Object via a scheduled Apex batch, preserving queryability for compliance reporting while keeping the transactional object lean. Records in the Big Object are retained for 7 years, after which a second scheduled job deletes rows past retention.
DOI Access-Log Retention (BR-7)
Colorado DOI examinations can require up to 7 years of user access history. Shield Event Monitoring provides the telemetry but does not, by itself, satisfy long-term retention: the native EventLogFile object retains event data for 30 days by default, and a maximum of 1 year with the Shield Event Log File Storage add-on. A two-tier archive pattern closes the gap:
- Tier 1 (0-365 days, in Salesforce): Shield Event Monitoring writes to EventLogFile. The Salesforce Event Log File Browser AppExchange tool and CRM Analytics apps provide on-demand compliance queries for the recent window.
- Tier 2 (1-7 years, external SIEM or archive): A nightly MuleSoft flow reads new EventLogFile rows via the Analytics API, streams them to TrustShield’s SIEM (Splunk Cloud is the stated platform) and to an S3 Glacier archive with a 7-year lifecycle policy. The SIEM is the primary interactive query surface for DOI audit requests beyond the one-year Salesforce window; the S3 archive is the immutable system of record for the full 7 years.
- Tier 3 (Field history): Field Audit Trail is enabled on Agent__c, Policy__c, and CarrierAppointment__c fields relevant to DOI examination. Field Audit Trail retains field change history for up to 10 years natively, covering the 7-year DOI bar without external archive.
The compliance officer’s DOI-ready report pulls from three sources: CarrierAPILog__c and its Big Object archive for integration-layer access, the SIEM for user access telemetry beyond 1 year, and FieldHistoryArchive for field change history. A single CRM Analytics dashboard with external connectors aggregates all three for the examiner.
Security and Sharing Model
Profile and Permission Set Design
| User Group | License | Profile | Key Restrictions |
|---|---|---|---|
| Independent agents | Experience Cloud Customer Community Plus | Agent - External | No internal ops views, no management dashboards, no other agents’ data |
| Internal agents (captive) | Salesforce (full CRM) | Agent - Internal | Same data scope as external but on core UI |
| Customer service reps | Salesforce | CSR | Read-only on Policy__c and Account; no edit permission via profile |
| Ops and admin | Salesforce | Ops Staff | Full access to Policy, FNOL, integration logs |
| Management | Salesforce | Management | Full access plus reporting dashboards |
| Compliance officer | Salesforce | Compliance | Read-only on all Agent, Policy, FNOL, Log objects; Field Audit Trail enabled |
| Agency principals | Salesforce or Experience Cloud | Agent + Permission Set: Agency Principal | Sees own book + all agents in their agency via sharing group |
| DOI examiner | Salesforce (time-limited) | DOI Examiner (read-only profile) | See below |
Agency Principal Access (BR-3)
Agency principals need visibility across their agency’s agents without seeing outside data. The solution uses a Public Group per Agency, managed by a flow that adds/removes agents as agency membership changes. The principal gets Read access to all records owned by members of their agency group via a Criteria-Based Sharing Rule on Policy__c (Agency__c = principal's agency) granting Read access to the principal’s user record.
DOI Examiner Provisioning (BR-33)
A custom Lightning flow, triggered by the compliance officer, creates a new Salesforce user with the DOI Examiner profile, sets the user’s IsActive = true, and creates an automated scheduled job to set IsActive = false on the expiry date entered by the compliance officer. User creation and deactivation events are written to a DOIExaminerAccess__c audit object. The compliance officer can deactivate early at any time. This satisfies the time-limited, auto-expiring, auditable access requirement without third-party tooling.
Immutable Audit Logs (BR-31)
Two mechanisms enforce immutability. First, the LicenseAuditLog__c and CarrierAPILog__c objects have no Update or Delete permissions on any profile, including System Administrator, enforced at the profile level and backed by an Apex trigger that throws a DmlException on any attempted update. Second, Field Audit Trail (available with Shield or as an add-on) is enabled on the Agent__c license and appointment fields, providing platform-level, tamper-evident history that satisfies DOI examination standards.
License-Expiry Block on Quote Submission (BR-32)
MuleSoft checks the LicenseStatus__c field on the Agent__c record before forwarding any carrier API call. If the status is Expired or Pending Renewal, MuleSoft rejects the call and returns a structured error. Salesforce receives this via Platform Event and displays a blocking message in the agent UI. A ComplianceAlert__c record is created and the compliance officer receives an email notification. The check is in MuleSoft (not only in the UI) so it cannot be bypassed through the API layer.
Migration Strategy
TrustShield has 6 years of policy history in AMS360 and 8 years of documents in DocuWare. The migration is a two-phase effort.
Phase 1: Pilot Data (Months 1-4)
Load a representative slice of active policies (current policy year) and their associated agents to validate the sharing model before full migration. Use Salesforce Data Loader or the Bulk API 2.0 for Policy__c and Account records. Apex sharing triggers fire during load. Validate that share rows are correct before proceeding.
Phase 2: Full Historical Load (Months 4-10)
- AMS360 to Salesforce: Export all policy and policyholder records from AMS360 as CSV. Transform using a mapping sheet agreed with TrustShield ops. Load via Bulk API 2.0. Historical commissions loaded to Commission__c for the previous 3 years (IRS requirement for 1099 contractors).
- DocuWare: Documents stay in DocuWare in place. The Document__c object in Salesforce stores the DocuWare document ID and metadata. MuleSoft retrieves documents on demand. No bulk migration of document binaries into Salesforce is needed or recommended given the contract renewal uncertainty.
- Agent records: Migrated from spreadsheets. The SI partner runs a data quality sprint to standardize license numbers and expiry dates before load.
Reconciliation
A post-migration reconciliation process compares AMS360 policy counts to Salesforce policy counts by agent, by line of business, and by carrier. Discrepancies are flagged in a reconciliation report reviewed by TrustShield ops before cutover.
Reporting Approach
| Report or Dashboard | Audience | Source | Notes |
|---|---|---|---|
| Agent production dashboard | Individual agents | Policy__c filtered by OwnerId | Personalized via Experience Cloud dynamic dashboard |
| Agency production report | Agency principals | Policy__c scoped to agency’s agents | Shared via Public Group sharing |
| Open FNOL daily report | Claims director | FNOL__c, grouped by CarrierAckStatus | Scheduled delivery at 07:00 daily |
| FNOLs over 24 hours without carrier ref | Claims director | FNOL__c, filter on CarrierRefNumber is null and CreatedDate older than 24h | Part of same dashboard as above |
| DOI compliance report (BR-30) | Compliance officer | Policy__c + Agent__c + LicenseAuditLog__c | Report type spanning Policy and Agent; exportable CSV/PDF via standard report export |
| Agent license expiry | Compliance officer, agency principals | Agent__c, filter LicenseExpiry within 60 days | Scheduled report + automated flow alert |
| Integration failure log | Ops | CarrierAPILog__c, filter HTTPStatus not 200 | Ops team monitors daily |
Management dashboards (production by carrier, premium volume trend, claims frequency) are built on the same objects. Agents do not have access to these report folders.
Requirements Addressed
| Req | Requirement Summary | Solution Element |
|---|---|---|
| BR-1 | Agent sees only own policyholders and policies | OWD Private on Account and Policy__c; Apex sharing grants only to writing agent |
| BR-2 | Split-policy: two agents on same policyholder, neither sees the other’s policy | AccountShare Read for each writing agent; PolicyShare only for the specific writing agent |
| BR-3 | Agency principals see full agency book | Public Group per agency; criteria-based sharing rule grants principal Read on agency policies |
| BR-4 | CSRs read-only on all policyholders/policies | CSR profile with no Edit on Account or Policy__c; View All Records on those objects |
| BR-5 | Ops and management see all records; agents blocked from management dashboards | Ops/Management profiles with View All Data; report folders restricted by role |
| BR-6 | Compliance officer read-only on all agent and audit records | Compliance profile; Field Audit Trail enabled; DOIExaminerAccess__c object |
| BR-7 | All record access logged for DOI, 7-year retention | Three-tier pattern: Shield Event Monitoring (Tier 1, 0-365 days in Salesforce) → nightly MuleSoft export to Splunk SIEM (Tier 2, 1-7 years queryable) → S3 Glacier archive with 7-year lifecycle (Tier 3, immutable system of record). Field Audit Trail on Agent, Policy, and Appointment records covers field change history for up to 10 years. CarrierAPILog__c + Big Object archive covers integration-layer access. |
| BR-8 | Horizon SOAP integration: quote, bind, endorse, status | MuleSoft Anypoint connector; Platform Events for async dispatch; retry via Anypoint MQ |
| BR-9 | Field mapping configurable without code deployment | DataWeave in MuleSoft; ops-editable mapping in Anypoint |
| BR-10 | Nightly SFTP batch from Horizon: process and reconcile | MuleSoft scheduled SFTP poller; Reconciliation_Report__c for unmatched rows |
| BR-11 | Summit Re REST: quotes; manual bind handoff | MuleSoft REST connector; PendingBind__c record; portal URL handoff in UI |
| BR-12 | All carrier API calls logged 7 years | CarrierAPILog__c written by MuleSoft; no delete/update permissions; batched to ArchivedCarrierAPILog Big Object at 24 months; purged from Big Object at 7 years |
| BR-13 | DocuWare integration: retrieve and push documents | MuleSoft connector for DocuWare REST + OAuth 2.0; Document__c stores DocuWare ID |
| BR-14 | DocuWare retrieval async | Platform Event → MuleSoft → Salesforce Files → completion notification |
| BR-15 | Fallback and retry for Horizon outage; ops alert within 5 minutes | Anypoint MQ retry queue; failure Platform Event → Ops_Alert__c → email flow |
| BR-16 | Third carrier addable without re-architecture | Carrier__c configuration record; MuleSoft reads carrier config at runtime |
| BR-17 | Agent quote-to-bind workflow in Salesforce | Quote__c LWC with carrier-specific action buttons; Horizon SOAP flow; Summit Re portal handoff |
| BR-18 | Personalized agent home page | Experience Cloud dynamic dashboard scoped to logged-in user |
| BR-19 | Agent onboarding in 7 days with tracked checklist | AgentOnboardingTask__c; Salesforce Flow orchestration; DocuSign for e-signature; MuleSoft for DocuWare storage |
| BR-20 | License expiry alert at 60 days; auto-suspend on expiry | Scheduled Flow on Agent__c.LicenseExpiry; MuleSoft license check blocks API calls on expired status |
| BR-21 | Agent commission statements by month/year, PDF download | Commission__c + CommissionLine__c objects; Visualforce or LWC PDF render; scoped by OwnerId |
| BR-22 | Independent agents on Experience Cloud, distinct access | Customer Community Plus license; Agent - External profile; no internal views exposed |
| BR-23 | Structured FNOL data capture | FNOL__c with required fields; linked to Policy__c and Account |
| BR-24 | Carrier-specific FNOL notification | Flow on FNOL__c creation; Horizon: SOAP via MuleSoft; Summit Re: email via Salesforce Email Action |
| BR-25 | FNOL captures carrier ref, first-contact timestamp, rep name | Required fields on FNOL__c; populated by CSR or auto-populated from carrier response |
| BR-26 | Claims director daily FNOL report | Scheduled Salesforce report delivered at 07:00; includes overdue filter |
| BR-27 | Policyholder email confirmation within 1 hour of FNOL | Flow on FNOL__c: email template sent immediately on creation. Design trade-off: if the carrier reference number arrives asynchronously (after the FNOL is submitted), the initial confirmation email cannot include it. The solution sends an immediate confirmation without the carrier ref, then triggers a second email via Flow when the CarrierRefNumber field is populated. This satisfies the 1-hour SLA while acknowledging the async nature of carrier acknowledgment. |
| BR-28 | Agent record carries license and appointment data | Agent__c fields: LicenseNumber, LicenseType, LicenseExpiry, AppointmentStatus per carrier |
| BR-29 | Appointment records per agent-carrier | CarrierAppointment__c object; Horizon appointments loaded via CSV import; Summit Re manual entry |
| BR-30 | DOI-ready compliance report exportable CSV/PDF | Joined report across Policy__c and Agent__c; standard Salesforce export; scheduled run available |
| BR-31 | Immutable audit log for license and appointment changes | LicenseAuditLog__c; no delete/update on any profile; Apex trigger enforcement; Field Audit Trail |
| BR-32 | Block quote submission if agent license expired | MuleSoft pre-call check on Agent__c.LicenseStatus; reject with compliance alert if expired |
| BR-33 | Time-limited DOI examiner user provisioning | Compliance officer flow creates user with expiry-date scheduled deactivation; DOIExaminerAccess__c audit object |
Risk Assessment
Risk 1: Apex sharing trigger performance under bulk load. The split-policy sharing model depends on Apex triggers inserting share rows on Policy creation. During the historical data migration (potentially tens of thousands of records), the trigger will fire repeatedly and may hit CPU or DML limits under bulk load. Mitigation: make the trigger bulk-safe from the start, use Database.SaveResult arrays rather than individual inserts, and run the migration during off-hours with Data Loader chunk size limited to 200 rows per batch to stay within governor limits.
Risk 2: MuleSoft sizing for the Horizon SOAP response window. At 1.5-4 seconds per call, agents initiating quotes during peak hours could generate concurrent MuleSoft worker threads that exhaust the Anypoint worker allocation. Mitigation: size the Anypoint plan for at least 2 workers in production (not the default shared worker), and implement a Platform Event queue that smooths spikes rather than firing synchronous callouts directly.
Risk 3: DocuWare contract expiry creating a migration gap. The contract renewal decision is in 14 months and the project runs 18 months. If TrustShield does not renew, they need a document management replacement with an 8-year archive migration, mid-project. Mitigation: the architecture already abstracts DocuWare behind MuleSoft. The SI partner should document the MuleSoft connector swap procedure as a Runbook during Phase 1, so it is ready to execute if the contract is not renewed. Budget contingency for document migration should be flagged to the CEO now.
Risk 4: No in-house Salesforce developer post-go-live. The architecture relies on Apex triggers (sharing model, audit log enforcement) and MuleSoft flows. A single admin cannot maintain Apex or MuleSoft without developer support. Mitigation: negotiate a managed services retainer with the SI partner for Apex and MuleSoft support in Year 1. Identify and document the top 10 Apex-touching processes so the admin knows when to escalate. Target moving as many flows as possible to declarative Flows to reduce Apex surface area.
Always verify against official Salesforce documentation
This content is study material for CTA exam preparation. Content compiled and presented with AI assistance. Not affiliated with Salesforce.
Personal study notes for the Salesforce CTA exam. Content compiled from VJ's study notes, official Salesforce documentation, community sources, and online publicly available content, then organized and presented with AI assistance. Not affiliated with Salesforce. © 2025–2026 VJ Srivastava.