Internal Strategy Document
A brutally honest, feature-by-feature assessment of what Salesforce gives us for free, what we still have to build, and whether the platform dependency is worth the strategic tradeoff. This document exists to answer one question: does Salesforce earn its position in our architecture, or should we be planning to remove it?
Salesforce is not just a nice-to-have in our architecture — it is providing roughly $3M+ in platform capabilities that we would otherwise need to build, certify, and maintain ourselves. FedRAMP High alone would cost us 12–18 months and $1M+ before we serve a single customer. The audit infrastructure, encryption, role-based security, mobile app, reporting engine, and workflow automation are not things we should be building — they are table stakes that Salesforce has already certified for government use.
That said, our core IP — the policy reasoning engine, ontology modeling, decision explainability, and impact analysis — is 100% ours and runs identically regardless of platform. The Salesforce dependency is in the compliance and platform infrastructure layer, not in the intelligence layer. This is the right kind of dependency.
The strategic recommendation: Keep Salesforce as the primary deployment target for the next 2–3 years. It accelerates sales, eliminates compliance objections, and lets us focus engineering on our actual differentiator. Build toward a standalone "LexiPoint Core" offering in the client's FedRAMP cloud (AWS/Azure GovCloud) for agencies that genuinely cannot use Salesforce — but do not rush it. The standalone offering will require rebuilding 23 platform capabilities that Salesforce currently provides for free.
Capability Scorecard
What We Inherit vs. What We Build
Across 42 distinct capabilities required for a government-grade policy intelligence platform, here's the breakdown.
Feature-by-Feature Assessment
The Complete Matrix
Every capability required for government-grade policy intelligence, classified by whether we build it, inherit it from Salesforce, or extend the platform. The "Standalone Effort" column shows what it costs us if Salesforce is removed.
| Capability | LexiPoint on Salesforce | LexiPoint Core (Standalone) | Standalone Effort |
|---|---|---|---|
| ◆ Core Policy Intelligence (Our IP — Build on Both) | |||
| Policy Reasoning Engine Rule evaluation with thresholds, weights, dependencies |
We Build Apex-native engine running in customer's org | We Build Same engine, deployed as microservice in client's cloud | Same |
| Ontology Modeling Visual rule management, no-code policy updates |
We Build Lightning component for policy admins | We Build Web UI — need to build our own admin interface | +UI Cost |
| Decision Explainability Statute-backed, rule-by-rule decision trace |
We Build Rendered in Lightning on case records | We Build Same logic, own rendering layer | Same |
| Impact Analysis / What-If Model policy changes before deployment |
We Build Custom LWC with scenario engine | We Build Same engine, own front-end | Same |
| AI Policy Goal Generator Natural language to rule scaffolding |
We Build LLM integration via Apex callout | We Build Direct API integration to LLM provider | Same |
| Eligibility Determination SNAP, Medicaid, licensing, grants |
We Build Domain rule packs deployed as metadata | We Build Same rule packs, different deployment format | Same |
| Decision Audit Log Immutable, regulator-ready decision records |
We Build Custom objects in Salesforce (inherits backup/DR) | We Build Own database + immutability guarantees | +Storage |
| Rule Versioning Track policy changes over time |
We Build Custom version tracking in Salesforce objects | We Build Same logic, own storage | Same |
| Batch Processing Process thousands of applications |
Extend Apex Batch + Queueable, governed by SF limits | We Build Own job queue, no governor limits | +Infra |
| ◆ Security & Compliance Infrastructure | |||
| FedRAMP Authorization ATO for federal workloads |
Inherit FedRAMP High P-ATO (JAB, since 2020). Done. | We Build 12–18 months, $800K–$1.2M, dedicated compliance team | 18 mo / $1M+ |
| Data Encryption (at rest) AES-256, FIPS 140-2 |
Inherit Standard + Shield Platform Encryption with BYOK | We Build AWS KMS/Azure Key Vault + FIPS modules | 3–4 mo |
| Data Encryption (in transit) TLS 1.2/1.3, mandatory HTTPS |
Inherit Enforced by platform | We Build Standard — use cloud provider TLS termination | Trivial |
| Field-Level Security Granular field-by-field access control |
Inherit Native FLS per profile/permission set | We Build Custom RBAC with field-level granularity | 4–6 mo |
| Role Hierarchy & Sharing 5-tier sharing model with OWDs |
Inherit Full role hierarchy, sharing rules, manual sharing | We Build Own sharing model — significant complexity | 4–6 mo |
| Authentication (SSO/SAML) SAML 2.0, OIDC, federation |
Inherit Native SAML/OIDC with any IdP | We Build Integrate Auth0/Okta/Keycloak | 2–3 mo |
| Multi-Factor Authentication 7 methods, mandatory since April 2024 |
Inherit Built-in: Authenticator, TOTP, FIDO2, biometrics | We Build Integrate MFA provider or build TOTP/WebAuthn | 2–3 mo |
| Setup Audit Trail 180-day config change log |
Inherit Automatic — every admin change logged | We Build Own admin action logging system | 2–3 mo |
| Event Monitoring 50+ event types, 10-year retention |
Inherit Shield Event Monitoring (add-on license) | We Build Own event pipeline (CloudWatch/Datadog/ELK) | 3–5 mo |
| Login History & Access Logs IP, user agent, success/failure tracking |
Inherit Standard — every login tracked | We Build Own login audit infrastructure | 1–2 mo |
| Data Residency (U.S.) Mandatory U.S. storage, isolated from commercial |
Inherit Gov Cloud = U.S. only, AWS GovCloud | Inherit Deploy to client's own AWS GovCloud / Azure Gov | Config |
| Section 508 / WCAG 2.2 AA Accessibility compliance |
Inherit Lightning Design System is WCAG compliant | We Build Own accessibility testing + VPAT | Ongoing |
| ITAR / CMMC Support Defense contractor requirements |
Inherit Gov Cloud Plus designed for ITAR/CMMC | We Build Own classification, access control, documentation | 6–12 mo |
| ◆ Platform Infrastructure | |||
| User Management Create, deactivate, assign permissions |
Inherit Full user lifecycle in Setup | We Build Own user admin + provisioning | 2–3 mo |
| Workflow Automation Visual flows, triggers, decision trees |
Inherit Salesforce Flows — visual, powerful, no code | We Build Own workflow engine or integrate third-party | 4–6 mo |
| Reports & Dashboards Multi-format, real-time, scheduled |
Inherit Full BI suite included — zero build cost | We Build Integrate Metabase/Superset or build custom | 3–5 mo |
| Mobile Application iOS/Android with offline sync |
Inherit Salesforce Mobile App — native, offline, secured | We Build Responsive web or native app (PWA minimum) | 4–8 mo |
| API Layer REST, SOAP, Bulk, Streaming, GraphQL |
Inherit 6 API types included | We Build REST API + webhook/event infrastructure | 2–4 mo |
| Platform Events / Pub-Sub Real-time event-driven integration |
Inherit Native Platform Events | We Build Own event bus (SNS/SQS, Event Grid, Kafka) | 2–3 mo |
| Backup & Disaster Recovery Multi-region, automated failover |
Inherit Infrastructure-level DR on AWS GovCloud | We Build Own backup strategy + multi-AZ/multi-region | 2–3 mo |
| Sandbox / Dev Environments 4 sandbox types, change sets, DevOps Center |
Inherit Full sandbox lifecycle included | We Build Own environment provisioning (Terraform/CDK) | 2–3 mo |
| ◆ Customer-Facing UX | |||
| Caseworker Interface Decision view embedded in case records |
Extend LWC on Salesforce case layout — zero retraining | We Build Full web application UI | 4–6 mo |
| Admin / Policy Staff Interface Rule management, ontology editor |
Extend Custom Lightning app within Salesforce | We Build Full admin web application | 3–5 mo |
| Applicant-Facing Explanations Human-readable denial/approval letters |
We Build Template engine + data from our objects | We Build Same — platform-independent | Same |
| Notifications & Alerts Email, in-app, escalation routing |
Extend Salesforce email + custom notifications | We Build Own notification service (SES, SendGrid) | 1–2 mo |
| Case Routing & Assignment Auto-assign based on rules/workload |
Extend Salesforce assignment rules + Omni-Channel | We Build Own routing engine | 2–3 mo |
| ◆ Ongoing Operations & Maintenance | |||
| Continuous Compliance Monitoring FedRAMP continuous monitoring, POA&M |
Inherit Salesforce maintains ATO — we inherit | We Build Own 3PAO assessments, monthly POA&M, annual audit | $200K+/yr |
| Infrastructure Management Servers, scaling, patching, uptime |
Inherit Fully managed — 99.9%+ SLA | We Build Own DevOps team, SRE, on-call rotation | 2–3 FTEs |
| Security Patching CVE response, zero-day mitigation |
Inherit Salesforce patches for us | We Build Own vulnerability management program | Ongoing |
| Uptime & SLA Government-grade availability |
Inherit Salesforce Trust — contractual SLA | We Build Own monitoring, alerting, status page | 1–2 mo |
Strategic Assessment
Why Salesforce Earns Its Seat
The honest case for keeping Salesforce central to our architecture — and the risks if we don't.
Not every agency has Salesforce. Federal civilian agencies, state HHS departments, and smaller regulatory bodies often run on custom case management systems, legacy mainframes, or lightweight COTS platforms. A standalone LexiPoint deployed to their own AWS GovCloud or Azure Government environment captures this market. But it requires us to rebuild everything in the "Inherit" column — auth, audit, encryption, reporting, workflows, mobile, accessibility, and compliance certification.
Recommended timeline: Begin standalone architecture in Year 2, target limited GA in Year 3, full parity in Year 4. Deploy initially as a headless API service (rules engine + explainability) with a lightweight admin UI, and let the customer's existing case management system handle the caseworker UX.
Years 1–2: LexiPoint on Salesforce is the product. All engineering goes here. Ride Salesforce's compliance, security, and distribution. Win customers. Prove the market.
Year 2–3: Begin LexiPoint Core as a headless API. Core reasoning engine is already platform-independent. Build the compliance wrapper (FedRAMP, auth, audit) for AWS/Azure GovCloud deployment. Target 3–5 non-Salesforce agencies as design partners.
Year 3–4: Full standalone offering with admin UI, caseworker interface, reporting, and mobile. At this point, evaluate whether to continue Salesforce investment or sunset it based on revenue mix.
Cost Reality Check
What It Actually Costs to Replace Salesforce
If we removed Salesforce from the architecture tomorrow, here's the investment required to reach feature parity for government customers.
| Category | Capabilities to Build | Estimated Cost | Timeline |
|---|---|---|---|
| FedRAMP Certification | 3PAO assessment, SSP documentation, continuous monitoring setup, POA&M process | $800K–$1.2M | 12–18 months |
| Security Infrastructure | Auth (SSO/MFA), encryption (at rest + in transit + BYOK), field-level security, role hierarchy, sharing model | $400K–$600K | 6–9 months |
| Audit & Compliance | Event logging, admin audit trail, field history, 508/WCAG compliance, VPAT | $300K–$450K | 4–6 months |
| Platform Services | Workflow engine, reports/dashboards, API layer, event bus, user management, notification service | $500K–$800K | 6–10 months |
| Application UX | Caseworker interface, admin interface, mobile access (PWA minimum) | $400K–$600K | 5–8 months |
| Infrastructure & Ops | Multi-AZ deployment, backup/DR, monitoring, SLA tooling, sandbox provisioning | $200K–$350K | 3–5 months |
| Ongoing Compliance (Annual) | FedRAMP continuous monitoring, 3PAO annual assessment, security patching, vulnerability management | $200K–$350K/yr | Perpetual |
| Total Year 1 | $2.8M–$4.2M | 18–24 months |
Salesforce is providing roughly $3M in Year 1 value through platform capabilities, compliance certification, and operational infrastructure that we would otherwise build and maintain ourselves. Our core intellectual property — the policy reasoning engine, ontology modeling, decision explainability, and impact analysis — is 100% platform-independent. It runs on Salesforce today. It will run on AWS GovCloud tomorrow. The intelligence layer is ours.
The question was never "is Salesforce our product?" It isn't. Salesforce is our delivery vehicle — and right now, it's the fastest, cheapest, most compliant delivery vehicle available for government policy intelligence. We should ride it hard for 2–3 years while building the standalone offering in parallel.
Trying to take Salesforce out of key accounts today would mean asking customers to wait 18+ months while we build what they already have. That's not a competitive move — that's a gift to our competitors.