Data Vault APEX API

Updated on March 20, 2023

Data Vault is the Cloud Compliance feature used to check the “Proof of De-identification”. After a record is de-identified, Cloud Compliance stores some data in encrypted format in the org, so a user who wants to check whether a record has already been de-identified can use the Data Vault feature. In some use cases, the Data Vault feature needs to be invoked by an external system, so Cloud Compliance offers an APEX API interface.

This document explains how to invoke “Proof of De-identification” via the APEX API using a JSON-based callout. The API returns the “Proof of De-identification” with some standard and custom fields. The user decides which fields are stored in the org (in an encrypted format) as the “Proof of De-identification”.

The method available for this APEX API is as follows:

1. To execute the “Proof of De-identification” APEX API:

System.debug('**Result' + PCCC_DM.DeIdentifyRestService.getDataVaultInfo('Contact', 'FirstName', 'Aniket', 'Contact Mapping'));

2. This method accepts four parameters – 

  • Object Name – The object name of the record for which the user wants to check the “Proof of De-identification”.
  • Field Name – The name of the field that works as a filter to search for a de-identified record in the Data Vault.
  • Field Value – The actual field value that the user wants to search by.
  • Mapping Name – The mapping name that was used to de-identify the record.


Prerequisites –

1. Create an appropriate de-identification mapping to de-identify records, with “Add to Data Vault” set to true for some fields.

To create a mapping, refer to RTBF/De-identification Mappings.

Solution Steps

1. To add fields to the Data Vault (Proof of De-identification), the user needs to make sure that the ‘Add to Data Vault’ checkbox is checked while adding fields to the De-identification mapping for any object.

Note – 

  • Users can add both ‘Erase’ and ‘Obfuscate’ fields to the Data Vault as proof of de-identification.
  • Users can add as many fields to the Data Vault as they want, but can search the “Proof of De-identification” by a single field only.

2. Once the mapping is ready for the business use case, with the chosen Data Vault fields, the user can de-identify records and then check the “Proof of De-identification” using the Data Vault feature.

3. The APEX script for execution will be as follows –

System.debug('**Result' + PCCC_DM.DeIdentifyRestService.getDataVaultInfo('Contact', 'Email', 'abazley65@exblog.nn', 'Contact De-id Mapping NN'));

4. Open the Salesforce Developer Console. Prepare the call to the PCCC_DM.DeIdentifyRestService.getDataVaultInfo method, pass the parameters to the method, and click Execute.

5. This API returns all the fields and their values that are stored in the org as the “Proof of De-identification”. It also returns some standard fields such as Created Date, Created By, Last Modified Date, Record Id, and Source Id.