Architecture principle

Your Salesforce data stays in Salesforce. Agently is the operations layer above it.

Agently for Agentforce observes events — not records. Customer data, PII, knowledge content, and embeddings stay in your Salesforce trust boundary, behind Einstein Trust Layer. Agently captures telemetry (agent executions, traces, evaluations, recommendations) and runs the operations, governance, and ROI layer on top. You don’t pay to duplicate your Salesforce.

No record duplication Trust Layer enforced at source Per-agent pricing — not per-GB Federated query for raw data
Four-Layer Architecture

How data moves — and what stays put

Salesforce-native edge · streaming pipe · Agently cloud · federated query

Four-layer architecture
Salesforce-native edge · streaming pipe · Agently cloud · federated query
Customer Salesforce Org acme.my.salesforce.com · Org ID 00D5g0... · Hyperforce US Agentforce Agents · Topics · Actions Reasoning Engine · Atlas / Bedrock Einstein Trust Layer PII masking · prompt defense Toxicity · zero-retention · audit Data Cloud DLOs · DMOs · Vector stores Knowledge index · segments Apex · Flow · Prompt Builder Metadata · governor limits Setup Audit Trail ① Agently Edge — Salesforce-Native Managed Package Apex listeners · Platform Events subscriber · Trust Layer event hook Setup Audit Trail watcher · Apex/Flow analytics · Prompt Builder sync Captures events — never moves records Records, PII, content, embeddings — stay in Salesforce Cases · Accounts · Contacts · Refund records · Knowledge articles Customer PII · prompt content · vector embeddings Agently cloud Multi-tenant · Hyperforce-aligned regions (US / EU / APAC) Time-series store Per-agent metrics ~150MB / org / month Trace store PII redacted at source Sampled spans · 90d retention Eval engine Quality scorecards Hallucination · drift · regression Recommendation engine Reversible actions Confidence + impact scoring ③ Agently Cloud — operations & intelligence layer Operations UI · Approvals · Governance Center · Reports · Ask TeqAgent Multi-tenant · per-agent pricing · SOC 2 · Salesforce Security Review Stores telemetry — never customer records Lightning Experience · Agently UI · AppExchange CIO / Ops / SRE / Governance personas Multi-org switcher · environment chrome cue · role-scoped views ② Salesforce Pub/Sub API events · metrics · span summaries ④ Federated query on user demand · live API call
Telemetry out (events, metrics, spans)
Records stay in Salesforce
Federated query · on-demand
Salesforce primitives
Four Layers Explained

Each layer has one job

Edge collection · secure streaming · cloud intelligence · on-demand data access

1
Salesforce-native edge
Managed package installed in your Salesforce org. Captures events without moving records. Apex listeners, Platform Events subscriber, Trust Layer event hooks.
AppExchange package
Apex triggers
Platform Events
Setup Audit Trail
2
Streaming pipe
Salesforce Pub/Sub API streams events to TeqAgent cloud. Encrypted in transit. Customer-controlled allowlist. Trust Layer's PII masking applies before events leave Salesforce.
Pub/Sub API
CDC events
TLS 1.3
~150 MB / org / mo
3
Agently cloud
Time-series metrics, trace summaries, eval engine, recommendation engine, multi-tenant UI. Stores telemetry — not customer records, not PII, not embeddings.
Multi-tenant
Hyperforce regions
SOC 2 Type II
90d retention
4
Federated query
When a user clicks "View Case" or "View Prompt Template," TeqAgent fetches live from Salesforce APIs. Records stay where they live.
Lightning URLs
Metadata API
Cached & throttled
Permission-scoped
Data Flow Map

What flows where

Telemetry crosses the wire · records, content, and PII never do

Telemetry out vs. stays in Salesforce vs. federated
Every data type mapped to its boundary
↗ Telemetry — flows out to Agently
Agent execution eventsTopic + Action invocation spansLatency · CPU · SOQL countToken usage per providerTrust Layer events (PII masked)Setup Audit Trail entriesEval pass/failCost / unit economicsConfidence scoresSpan IDs · trace IDs
⛨ Stays in Salesforce
Case recordsAccount · Contact · OpportunityRefund records, custom objectsCustomer PII (names, addresses, SSN)Knowledge article contentVector embeddingsApex sourcePrompt Template contentAudit log raw entries
⇆ Federated — on-demand
Click CASE-87341 → Lightning record opensClick prompt diff → Prompt Builder liveClick Apex log → Developer ConsoleClick DMO → Data Cloud lineage
Salesforce Stack

How Agently fits the stack

Agentforce gives you the runtime · Trust Layer protects it · Agently runs the operations

Salesforce
Agentforce
The runtime where your agents execute. Topics, Actions, Reasoning Engine, Apex/Flow integration, Atlas / Bedrock / OpenAI routing. Agently does not replace this. Agently observes it.
Salesforce
Einstein Trust Layer
Runtime protection: PII masking, prompt defense, toxicity, zero-retention with model providers. Agently does not duplicate this. Agently consumes Trust Layer events as observability signal.
Agently
Operations layer
Visibility, evaluation, governance, recommendation, remediation, ROI. Above Agentforce + Trust Layer. The ServiceNow / Datadog / Splunk role — for AI agents specifically.
Pricing Model

Per-agent, not per-GB

Because Agently doesn't store your customer data, you don't pay for storage

Pricing follows the architecture
Predictable — scales with your agent fleet, not with your customer record count or transaction volume. No surprise overages. No GB charges.
Per active Agentforce agent
~$200/agent/mo
Includes all evals, recommendations & traces
Managed services pod
5-person pod retainer
Co-piloted by Agently · AIOps lifecycle
Storage you pay in Agently
$0
Records stay in Salesforce
Technical Evaluators

Frequently asked questions

Nine questions technical evaluators ask before signing

No. We stream telemetry events (metrics, logs, audit trails) but never replicate your customer records. When you click "View Case" in the UI, we make a federated REST query to Salesforce in real time — cached for <600ms, then discarded. No parallel data warehouse, no shadow PII store.
Trust Layer sits between Agentforce and the LLM. It enforces masking, grounding, and audit before any prompt leaves Salesforce. Agently subscribes to Trust Layer audit events via Pub/Sub — we see what was masked, what guardrails fired, what the token count was. We never see the unmasked customer data.
Managed package distributed via AppExchange, currently undergoing Salesforce Security Review. This includes source-code review, RBAC verification, OAuth scope minimization, and 50+ controls across the Salesforce ISV review checklist. Status is visible in Settings → Plan & Billing.
SOC 2 Type II, ISO 27001, GDPR, OWASP LLM Top 10, and NIST AI RMF mapped. HIPAA is available on Healthcare/Life Sciences plans. EU AI Act high-risk system classification is supported. FedRAMP is on the roadmap. See Settings → Policies for current certification status.
Agently is multi-tenant by org. The top-bar tenant switcher lets you move between orgs instantly. Each org has its own scoped data, metrics, audit trail, and permissions. Cross-org analytics roll up at the parent customer level. Sandbox vs Production environments carry visual chrome cues to prevent confusion.
Streaming events use the Pub/Sub API which doesn't count against record-API limits. Federated queries use a small pool, are cached aggressively, and are throttled per org. At peak, Agently allocates less than 5% of your typical API budget.
DSR delete requests are honored within 30 days. Because we don't store your customer records, the deletion scope is small — telemetry metadata, eval results, recommendation history, and audit logs. Settings → Privacy enforces all data deletion controls.
Engineering

Backend challenges — what we're solving

An honest engineering picture of what this hybrid architecture requires

1
Salesforce event-stream coverage
Trust Layer events, Agentforce execution events, Apex Logs, Flow analytics, Setup Audit Trail are exposed via different mechanisms. Some real-time, some polling. Engineering effort: stream normalisation, retry, replay.
2
Multi-org sprawl
A real customer has 5–50 orgs (Prod · Full Sandbox · Partial · Dev · Scratch · multi-BU Production). Identity, scope, analytics, and audit must be tenant-aware end-to-end. Cross-org rollup must respect data isolation.
3
API rate limits
Per-org daily API limits are real. Federated queries must be cached, batched, and throttled. For customers running 1M+ Agentforce calls / day, the API budget is a constraint. Pub/Sub events don't count against the record-API budget.
4
AppExchange security review
3–6 month process: source-code review, RBAC, OAuth scope minimisation, secure coding practice, encryption-at-rest validation. Required to distribute the managed package. Start now.
5
Real-time + batch hybrid
Trust Layer events are real-time; eval runs are batch; cost rollups are batch. Architecture must handle both efficiently — streaming pipeline (Kinesis / Kafka) plus batch jobs (Spark / Snowflake / Databricks).
6
Cross-LLM observability
Agentforce uses Atlas (Salesforce-hosted), Bedrock, and OpenAI via Trust Layer. TeqAgent must correlate the same agent's spans across providers, normalise token counts, costs, and latency, and produce one consistent view.
7
Compliance & data residency
Salesforce Hyperforce supports per-region residency (US / EU / APAC). Agently must match. HIPAA / FedRAMP / GDPR / EU AI Act posture inheritable per tenant. BYOK for highest-tier customers.
8
Identity propagation & permission scoping
User in TeqAgent maps to Salesforce User via SCIM + SAML. Agently roles must respect Salesforce Permission Sets. Federated permission check at action time.
9
Federated query SLA
When user clicks "View Case," we fetch live from Salesforce in <600ms. Cache strategy, prefetch on hover, graceful degradation when Salesforce is rate-limiting. Backpressure handling without blocking the UI.
10
Cost of running Agently itself
Time-series store at ~600 K spans/week per customer. Eval engine compute scales with eval suite size and run frequency. Multi-region deploy costs 3× baseline. Per-tenant unit economics need to clear gross margin targets.
Per Buyer Persona

Why this architecture matters to you

Four buying roles — one architecture answer

CISO
"Where does my data go?"
Records stay in Salesforce, behind Einstein Trust Layer. Agently consumes only telemetry that Trust Layer has already redacted. No data migration, no parallel data store, no shadow PII repository.
CFO
"What does this cost over time?"
Per active Agentforce agent / month. No storage scaling, no per-GB charges, no surprise overage. Cost grows linearly with the size of your AI estate, not with your transaction volume or record count.
CIO
"How fast can we deploy?"
Install the AppExchange managed package — under one day. No data migration project, no parallel infrastructure. Pilot one Cloud, expand to others. Salesforce Security Review certifies the trust boundary.
IT Architect
"How does this fit my stack?"
Federated, not parallel. We complement Data Cloud, Trust Layer, and your existing Splunk/ServiceNow integrations. We don't replace them. Pub/Sub for events, REST for federated query, ServiceNow / Splunk / Slack for outbound.
© 2026 Teqfocus. All Rights Reserved