ha-dr-architecture
Designing high availability and disaster recovery strategies for Salesforce: Trust site monitoring, backup strategies, cross-region considerations, business continuity planning, RTO/RPO target definition, and failover patterns for integrations. Use when designing org resilience architecture, planning for outages, or defining recovery objectives. NOT for data backup mechanics (use salesforce-backup-and-restore). NOT for general security architecture (use security-architecture-review).
Best use case
ha-dr-architecture is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Designing high availability and disaster recovery strategies for Salesforce: Trust site monitoring, backup strategies, cross-region considerations, business continuity planning, RTO/RPO target definition, and failover patterns for integrations. Use when designing org resilience architecture, planning for outages, or defining recovery objectives. NOT for data backup mechanics (use salesforce-backup-and-restore). NOT for general security architecture (use security-architecture-review).
Teams using ha-dr-architecture should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/ha-dr-architecture/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How ha-dr-architecture Compares
| Feature / Agent | ha-dr-architecture | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Designing high availability and disaster recovery strategies for Salesforce: Trust site monitoring, backup strategies, cross-region considerations, business continuity planning, RTO/RPO target definition, and failover patterns for integrations. Use when designing org resilience architecture, planning for outages, or defining recovery objectives. NOT for data backup mechanics (use salesforce-backup-and-restore). NOT for general security architecture (use security-architecture-review).
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# HA/DR Architecture
## Overview
Salesforce operates on a shared responsibility model for availability. Salesforce owns infrastructure redundancy, data-center operations, and platform uptime commitments. Customers own data resilience strategy, integration failover design, runbook documentation, and the definition of their own RTO and RPO targets.
Understanding where that boundary falls is the starting point for every HA/DR engagement.
---
## Salesforce's HA Model
Salesforce publishes a 99.9% monthly uptime SLA for production orgs on standard editions. Hyperforce deployments on applicable editions can access multi-region configurations, which improve physical redundancy but do not eliminate the shared responsibility boundary. Within a single instance, Salesforce uses redundant networking, active-active data replication across data centers, and automated failover at the infrastructure level — but customers cannot directly invoke infrastructure failover. Planned maintenance windows are published on the Trust site at least 48 hours in advance.
The Trust site (`trust.salesforce.com`) is the authoritative real-time status source. It provides per-instance status feeds, a public REST status API, and a subscription mechanism for email/SMS/webhook notifications. Any HA/DR plan that does not include automated Trust site monitoring is incomplete.
---
## Trust Site Monitoring
The Trust site exposes a JSON API at `https://api.status.salesforce.com/v1/instances/{instance}/status`. You can poll this endpoint from external monitoring systems, feed it into PagerDuty/OpsGenie, or use the webhook subscription feature to push alerts directly into incident management workflows. Operational runbooks should define the exact instance key(s) the org uses (e.g., `NA152`, `CS9`, or a Hyperforce pod identifier) and confirm these are not subject to silent change during sandbox refreshes.
Monitoring should cover: Production instance status, any sandbox instances used for integration testing, and — if applicable — Experience Cloud or Shield platform components with separate status codes.
---
## Backup Strategies
Salesforce's native Backup and Restore product (separate add-on purchase) provides daily full-org snapshots and record-level restore with selective restore by object, time range, and relationship. It is the only Salesforce-supported mechanism for record-level recovery within the Salesforce product suite.
Third-party tools — including OwnBackup (now Own Company), Veeam Backup for Salesforce, and Odaseva — extend this with more granular scheduling, cross-org restore, file/attachment backup, and compliance-grade audit logging. Selection criteria include retention requirements, file content coverage, restore granularity, and whether a full-org clone or record-level restore is the primary DR use case.
Metadata backup is a separate concern. The recommended approach is source-control-driven metadata management (SFDX, Salesforce CLI) with version history in Git. Metadata recovery from Git is faster and more reliable than attempting metadata export from a degraded org.
---
## RTO and RPO Definition
RTO (Recovery Time Objective) defines the maximum acceptable time from incident declaration to restored business operation. RPO (Recovery Point Objective) defines the maximum acceptable data loss window. Both are business-driven inputs that the architecture must then satisfy — they are not outputs from the platform.
Salesforce's native capabilities bound what is achievable. The daily Backup and Restore snapshot cadence means the platform RPO for record-level data loss is up to 24 hours without supplemental tooling. Third-party backup tools that run hourly or near-real-time can tighten this. For metadata, Git-backed continuous deployment with automated promote-on-merge can bring metadata RPO to near zero. RTO is constrained by restore speed (record counts, org governor limits), runbook execution time, and integration cutover time — not just backup frequency.
Document agreed RTO and RPO values for each major data category: records, metadata, files, integration state, and user authentication configuration.
---
## Hyperforce and Cross-Region Considerations
Hyperforce is Salesforce's next-generation infrastructure built on major public cloud providers (AWS, Azure, GCP). Applicable editions on Hyperforce can request data residency in specific regions. Hyperforce does not by default provide customer-controllable cross-region failover, but it does provide Salesforce-managed geographic redundancy within the infrastructure layer. When a customer's compliance requirements mandate data residency, Hyperforce region selection must be part of the HA/DR design — choosing a region that has a paired failover region on the same cloud provider is preferred where available.
---
## Integration Failover Patterns
Integrations are the most common HA/DR failure point because external systems assume Salesforce availability without circuit breakers.
**Circuit Breaker Pattern**: Middleware or an API gateway tracks Salesforce error rates. When errors exceed a threshold (e.g., 5xx rate > 20% over 60 seconds), the circuit opens and requests fail fast rather than queuing indefinitely. The circuit tests periodically and closes when Salesforce recovers. MuleSoft, Boomi, and major API management platforms have native circuit-breaker support.
**Fallback Queuing via Platform Events**: For outbound integrations calling external systems, Platform Events can serve as a reliable delivery buffer. If the external system is unavailable, events accumulate in the Pub/Sub API queue (up to 72 hours). For inbound integrations where Salesforce itself is unavailable, an external durable queue (AWS SQS, Azure Service Bus, MuleSoft Anypoint MQ) must buffer records until Salesforce recovers. This is the most important architectural control for inbound integration HA.
**Read Replica Pattern**: For reporting and analytics workloads, Salesforce Connect external objects or Data Cloud replication can serve as a read path that survives partial org degradation. This is not a full substitute for org availability but protects business intelligence workloads.
---
## Business Continuity Planning Checklist
- Define RTO and RPO for each data category and integration stream.
- Confirm Trust site monitoring is automated with runbook-integrated alerting.
- Confirm backup tooling covers records, files, and attachments.
- Confirm metadata is version-controlled in Git with automated retrieve.
- Document integration circuit-breaker configurations and test them quarterly.
- Document inbound integration buffer strategies and test drain procedures.
- Identify which Salesforce features have no offline fallback (CPQ quoting, real-time approvals) and design compensating business processes.
- Assign named incident commander role and documented escalation chain.
- Schedule annual DR tabletop exercise with integration partners.
- Validate sandbox refresh procedures do not inadvertently alter production instance monitoring references.
---
## Recommended Workflow
1. **Establish the shared responsibility boundary** — document which HA controls Salesforce owns (infrastructure failover, data-center redundancy, SLA commitments) versus which the customer must build (data backup, integration failover, runbooks, RTO/RPO definition).
2. **Set up Trust site monitoring** — identify the org's instance key(s), configure automated polling or webhook subscription, and wire alerts into the incident management tool. Validate monitoring covers production and critical sandboxes.
3. **Define RTO and RPO by data category** — work with business stakeholders to assign target values for records, metadata, files, integration state, and authentication config. Map each target against current backup tooling capability and document gaps.
4. **Select and validate backup tooling** — confirm native Backup and Restore or a third-party tool is configured, test a record-level restore in a sandbox, and verify file/attachment coverage. Confirm metadata recovery via Git with a restore drill.
5. **Design integration failover patterns** — for each inbound and outbound integration, select a circuit-breaker and/or durable queue strategy. Document the recovery sequence (queue drain order, re-sync verification, idempotency checks).
6. **Write and test the DR runbook** — document the end-to-end recovery procedure from incident declaration through restored operations. Assign owners for each step. Run a tabletop exercise and update the runbook with findings.
7. **Review Hyperforce eligibility and region selection** — confirm whether the org is on Hyperforce, validate data-residency requirements, and ensure the selected region has adequate infrastructure redundancy for the org's compliance obligations.Related Skills
salesforce-files-architecture
Working with Salesforce Files at the data layer — `ContentVersion` (the binary content + version metadata), `ContentDocument` (the parent / shareable handle), `ContentDocumentLink` (the sharing / parent-record join), the 2 GB single-file size limit and the 10 MB feed-attached limit, the deprecated `Attachment` object, the `Document` object (Classic-only), and Files Connect for external file sources. Covers SOQL patterns to enumerate files attached to a record, Apex insert / link patterns, sharing implications of `ShareType` and `Visibility`, and the migration path from the legacy Attachment object. NOT for LWC file upload UI components (see lwc/lwc-file-upload-patterns), NOT for static-resource bundling (see lwc/static-resources).
nonprofit-data-architecture
Use this skill when designing or querying the NPSP data model — constituent 360, household accounts, giving history rollups, and program participation. Trigger keywords: NPSP data model, household account, constituent record, giving rollups, CRLP, program engagement, ServiceDelivery, npo02__ fields. NOT for standard data model design, Nonprofit Cloud (NPC) data model, FSC household groups, or platform data modeling outside the NPSP context.
wealth-management-architecture
Use this skill when designing or reviewing a Salesforce Financial Services Cloud (FSC) wealth management platform — covering advisor workspace configuration, client portal setup, portfolio data integration, Compliant Data Sharing, and FSC feature enablement decisions. NOT for investment product advice, financial planning calculations, or FSC Health Cloud configurations.
subscription-management-architecture
Use when designing or evaluating Salesforce CPQ subscription lifecycle architecture: amendment flow, renewal automation, co-termination design, or billing integration at the contract level. Trigger keywords: amendment architecture, renewal automation, co-termination design, subscription ledger, large-scale amendment, billing schedule, swap pattern, SBQQ__Subscription__c. NOT for billing setup, standard Salesforce contracts without CPQ, or Revenue Cloud advanced order management.
service-cloud-architecture
Use when designing a Service Cloud solution end-to-end: channel strategy (phone, email, chat, messaging, social), routing model (queue-based vs skills-based Omni-Channel), knowledge strategy, entitlement and SLA enforcement, Einstein Bot / Agentforce deflection, and integration points. Triggers: service cloud architecture, case routing design, omni-channel strategy, contact center design, channel strategy, knowledge deflection, service console architecture. NOT for individual feature configuration (use admin/case-management), NOT for Einstein Bot conversation design (use agentforce/einstein-bot-architecture), NOT for telephony CTI implementation details.
security-architecture-review
Use when conducting a dedicated security architecture review of a Salesforce org — assessing sharing model completeness, FLS/CRUD enforcement, Apex security patterns, exposed API surface, Connected App policies, and Shield readiness. Produces a structured findings report with severity ratings (Critical/High/Medium/Low) and a 20+ point review checklist. Triggers: security architecture review, org security posture, sharing model audit, FLS coverage review, Connected App security, Shield assessment, org security health deep-dive, HIPAA or PCI security controls Salesforce. NOT for implementing security fixes (use security/* skills). NOT for the Salesforce Security Health Check UI (use security-health-check skill). NOT for a full WAF review across all pillars (use well-architected-review).
salesforce-shield-architecture
Salesforce Shield as an architectural choice — Platform Encryption + Event Monitoring + Field Audit Trail as three SEPARATELY-LICENSED components, none of which ship in any standard edition. Covers BYOK vs Cache-Only Key Service (CCKM) tradeoffs, probabilistic vs deterministic encryption schemes, the field-type encryption blocklist (Formula, Roll-Up Summary, indexed External ID), Field Audit Trail's 10-year retention model, and why every Shield design starts with a license confirmation. NOT for individual feature setup steps (see security/platform-encryption, security/event-monitoring, security/field-audit-trail), NOT for compliance certification mapping (HIPAA / FedRAMP / PCI specifics).
sales-cloud-architecture
Use when designing or reviewing a Sales Cloud solution architecture covering process automation strategy, integration points, data model decisions, and scalability planning. Triggers: 'design a Sales Cloud architecture for enterprise org', 'Sales Cloud data model and automation strategy', 'how to architect Sales Cloud for high-volume pipeline management'. NOT for individual feature configuration (use admin/opportunity-management or admin/lead-management), NOT for CPQ-specific decisions (use architect/cpq-vs-standard-products-decision), NOT for integration implementation details (use architect/sales-cloud-integration-patterns).
revenue-cloud-architecture
Architecting on Salesforce Revenue Cloud (Revenue Lifecycle Management — RLM, the successor to CPQ-Plus + Billing). Covers the five RLM domains (Product Catalog & Pricing, Transaction Management, Contract Lifecycle Management, Order-to-Cash, Billing), the canonical data model (Product2 / PricebookEntry / Quote / Order / OrderItem / Contract / Asset / BillingSchedule / Invoice / LegalEntity), multi-entity scoping via LegalEntity, the RLM ↔ ERP integration patterns (CDC + MuleSoft preferred over point-to-point trigger callouts), and the disambiguation between native RLM and the legacy `blng__` Salesforce Billing managed package and `SBQQ__` CPQ classic. NOT for declarative CPQ classic config (see omnistudio/cpq-classic-config), NOT for Subscription Management billing patterns predating RLM (see architect/cpq-architecture-patterns).
payer-vs-provider-architecture
Use this skill when designing or evaluating a Health Cloud implementation to determine whether the org serves a payer (health insurer), a provider (care delivery organization), or both — and to derive the correct object model, PSL matrix, and feature activation accordingly. Triggers: 'should we use MemberPlan or ClinicalEncounter', 'payer vs provider Health Cloud', 'which Health Cloud objects does an insurer use', 'setting up a Health Cloud org for a hospital vs a health plan', 'Provider Relationship Management vs clinical provider'. NOT for individual feature implementation within an already-classified payer or provider org, and NOT for Salesforce Health Cloud implementations that are clearly a single deployment type with no cross-sector ambiguity.
order-management-architecture
Use when designing or reviewing a Salesforce Order Management (OMS) solution architecture: fulfillment workflow strategy, split-order routing design, Omnichannel Inventory (OCI) integration, returns process architecture, and multi-location inventory management decisions. Trigger keywords: OMS architecture, split orders, fulfillment routing, OCI, order routing strategy, returns architecture, fulfillment location design. NOT for individual order setup or day-to-day OMS administration (use admin/commerce-order-management), NOT for storefront or checkout flow design, NOT for CPQ quote-to-order workflows.
omnistudio-vs-standard-architecture
Architecture decision framework for choosing between OmniStudio and the standard Salesforce platform (Screen Flow, LWC, Apex) for guided UI and data orchestration use cases. Covers the license gate, the Dynamic Forms → Screen Flow → OmniStudio continuum, Standard Runtime vs Vlocity managed package migration debt, and team skill considerations. NOT for implementation. NOT for OmniScript development or FlexCard configuration.