Salesforce communicates directly with the GRAX application in Heroku via a RESTful API. All data is encrypted in transit. GRAX enforces IP restriction by whitelisting Salesforce server IP addresses that talk directly to the Heroku servers. No other IP addresses are given access to these servers. Within these whitelisted servers, three additional security layers are used to protect the interaction with GRAX: basic auth, JSON Web Tokens (JWTs), and tokenized headers.
Updated about a year ago