Data Vault REST API

Updated on March 20, 2023

Data Vault is the feature of Cloud Compliance that helps to check the “Proof of De-identification”. After the De-identification of any record, Cloud Compliance stores some data in encrypted format in org so if the user wants to check whether the record is already de-identified or not, can use the Data Vault feature. In some use cases, Data Vault features need to be invoked by an external system so Cloud Compliance offers a REST API interface.

This document explains how to invoke “Proof of De-identification” via REST API using a JSON-based callout. The API will return “Proof of De-identification” with some standard and custom fields. Here users can decide on fields that should be stored in the org(in an encrypted format) as a “Proof of De-identification”.

The REST APIs that are developed for this requirement are as follows – 

1.  POST Request: 



Request Body 

"objectName": "Contact",
"fieldName": "Firstname",
"fieldValue": "Aniket",
"deidentificationMappingName": "Contact De-identification Mapping"

 2. Parameters to pass – 

  • Object Name – Object Name of the record for which the user wants to check “Proof of De-identification”.
  • Field Name –  Name of the field which will work as a filter to search a de-identified record in the Data Vault.
  • Field Value – The actual field value that the user wants to search by.
  • Mapping Name -The mapping name that was used to de-identify the record.

Prerequisites –

1. Create an appropriate de-identification mapping with the “Add to Data Vault” field as true for some fields to de-identify records.

For more details please refer – RTBF/ De-identification Mappings.

Solution Steps

1. To add fields in Data Vault(Proof of De-identification), the user needs to make sure that the ‘Add to Data Vault’ checkbox is checked while adding fields in De-identification mappings for any object.

Note –

  • Users can add both the “Erase” and “Obfuscate” fields in the Data Vault as proof of de-identification.
  • Users can add as many fields in the Data Vault but can search the “Proof of De-identification” by a single field only. We recommend adding a field which will have a unique value.

2. Once the mapping is ready as per the business use case and with the choice of Data Vault fields, the user can de-identify records and further can check “Proof of De-identification” using the Data Vault feature.

3. To check the “Proof of De-identification”, navigate to a REST tool such as Salesforce developer workbench, Postman, Insomnia, etc. (This example uses Salesforce Developer Workbench

4. Navigate to the ‘REST Explorer’  from the Utility tab  within the workbench and select the “POST” method

5. For the “POST” method, enter Cloud Compliance’s REST call URL


6. Pass the values of Object Name, Field Name, Field Value, and Mapping Name with the following JSON format in the request body 

"objectName": "Contact",
"fieldName": "Email",
"fieldValue": "abazley65@exblog.nn",
"deidentificationMappingName": "Contact Deidentification Mapping"

7. Click the “Execute” button to invoke the REST API

8. The REST API returns a case id and a success message(hasError: false).

9. The detailed raw response is as follows – 

Raw Response

HTTP / 1.1 200 OK
Date: Tue, 01 Dec 2020 07: 35: 35 GMT
Strict - Transport - Security: max - age = 31536002;
Public - Key - Pins - Report - Only: pin - sha256 = "9n0izTnSRF+W4W4JTq51avSXkWhQB8duS2bxVLfzXsY=";
pin - sha256 = "5kJvNEMw0KjrCAu7eXY5HZdvyCS13BbA0VJG1RSP91w=";
pin - sha256 = "njN4rRG+22dNXAi+yb8e3UMypgzPUPHlv4+foULwl1g=";
max - age = 86400;
report - uri = "<a target="
_blank " href="
https: //" rel="noreferrer noopener">;
p > Expect - CT: max - age = 86400, report - uri = "<a target="
_blank " href="
https: //" rel="noreferrer noopener">
X - Content - Type - Options: nosniff
X - XSS - Protection: 1;
mode = block
X - Robots - Tag: none
X - B3 - TraceId: f21b7714c7dc1ea2
X - B3 - SpanId: f21b7714c7dc1ea2
X - B3 - Sampled: 0
Cache - Control: no - cache, must - revalidate, max - age = 0, no - store, private
Set - Cookie: BrowserId = zSVJoTOnEeuSd3fDGfODPQ;
domain = . < a target = "_blank"
href = ""
rel = "noreferrer noopener" > < /a>; path=/;
expires = Wed, 01 - Dec - 2021 07: 35: 35 GMT;
Max - Age = 31536000
Content - Type: application / octetstream
Transfer - Encoding: chunked {
"msg": "Record found",
"Crypto-type": "Encryption",
"showDecryptedData": [{
"Email": "<a target="
_blank " href="
mailto: ABAZLEY65 @EXBLOG.NN " rel="
noreferrer noopener ">ABAZLEY65@EXBLOG.NN</a>",
"Home Phone": "256-605-0559",
"Last Name": "BAZLEY",
"First Name": "ALEX",
"SystemModstamp": "2020-12-01 13:05:21",
"Created by": "Niketan Newale",
"CreatedbyId": "005f4000004gB8CAAU",
"Last modified Date": "2020-12-01 13:05:21",
"Created Date": "2020-12-01 13:05:21",
"Source id": "003f400001aGCasAAG",
"Record id": "a005G00000alUVqQAM"
"hasError": false