- How managed packages work architecturally — what a namespace is, how code isolation works, and what ISVs can and cannot access in your org
- The difference between 1GP and 2GP packages and what it means for upgrade stability
- What Salesforce's AppExchange Security Review checks — and what it doesn't
- The hidden architectural costs of AppExchange packages that never appear in the sales pitch
- A framework for evaluating AppExchange apps before installation in an enterprise org
AppExchange from an Architecture Perspective
The AppExchange is often discussed in commercial terms — which apps are available, what do they cost, what reviews say. For architects and CTOs, the more important discussion is architectural: what does an AppExchange managed package actually do to your org when you install it, and what are the long-term implications of having it there?
A managed package installs Apex classes, triggers, objects, fields, flows, Lightning components, and configuration into your org. Once installed, some of this cannot be removed without uninstalling the entire package. The package runs in your org's execution context, consumes your Governor Limits, occupies your custom object and field counts, and can (with appropriate permissions) access your data. This is a significant architectural commitment, and it should be evaluated as one.
You can uninstall an AppExchange package, but uninstallation only succeeds if there are no dependencies — no custom fields that reference the package's objects, no flows using the package's components, no reports using the package's fields. In practice, after 2 years of using an AppExchange app, most orgs have built significant dependencies on it. Uninstallation becomes effectively impossible. Evaluate AppExchange apps as long-term architectural commitments, not easily reversible trials.
Managed Packages: How Namespaces Work
Every AppExchange managed package has a namespace prefix — a short, unique identifier (typically 3–15 characters) that the ISV registers with Salesforce. All metadata within the package is prefixed with this namespace. An object called Contract__c in a package with namespace acme appears in your org as acme__Contract__c. All Apex classes are acme.ClassName. This namespace isolation is how Salesforce ensures that package metadata doesn't collide with your org's custom metadata.
The practical implication: when you query or reference package objects from your own code, you must use the fully namespace-qualified name. In managed subscriber contexts (your code calling package objects), the SOQL and Apex must include the namespace.
-- Querying a managed package object from subscriber org SOQL
-- Package namespace: 'acme', Object: Contract__c
SELECT Id, acme__ContractValue__c, acme__StartDate__c
FROM acme__Contract__c
WHERE acme__Status__c = 'Active'
ORDER BY acme__StartDate__c DESC
-- In Apex, referencing a package class
acme.ContractCalculator calc = new acme.ContractCalculator();
Decimal value = calc.calculateTotalValue(contractId);
-- You cannot see the source of acme.ContractCalculator
-- (it's compiled and protected in the managed package)Protected vs Public Package Components
ISVs can mark individual package components as "protected" or "public" (globally accessible). Protected components are hidden from subscriber org code — you can use a protected object in SOQL if it's exposed via a package API, but you cannot extend or override it. Global (public) components can be referenced and subclassed by subscriber org code. This distinction determines how extensible and customisable a package is — check the package's documentation for which components are global.
1GP vs 2GP: What It Means for Buyers
First-Generation Packages (1GP) are the original AppExchange packaging model. They're built in a specific "packaging org" and have significant constraints on upgrade flexibility: once a field or object is in a 1GP managed package, it cannot be removed in future versions. ISVs cannot change field data types in 1GP packages. This rigidity means that mature 1GP packages often carry years of legacy schema that can't be cleaned up.
Second-Generation Packages (2GP) are built using the DX model with Git-based source control. They offer cleaner version management, better dependency tracking, and more flexibility in schema evolution. ISVs who have migrated to 2GP can more reliably release clean updates without accumulating the schema debt that 1GP forces.
As a buyer: when evaluating a managed package, ask whether the ISV is on 1GP or 2GP. A 1GP package that has been in market since 2012 is likely carrying significant schema overhead that has architectural implications for your org. A 2GP package has a cleaner evolution path. This isn't a disqualifier, but it's a factor in long-term maintenance assessment.
Look at the AppExchange listing's version history. A package that releases updates infrequently (less than 4× per year for an active product) may not be keeping pace with Salesforce's three annual releases. Packages that fall behind can break when Salesforce releases a critical platform update. A package with a consistent release cadence and transparent release notes signals an ISV that actively maintains their platform compatibility.
Security Review: What Salesforce Actually Checks
All paid AppExchange listings must pass a Salesforce security review before publication. The review checks for: Apex code vulnerabilities (SOQL injection, XSS, CSRF), adherence to sharing model (code that bypasses org sharing rules without justification), access to sensitive data without appropriate encryption, and hardcoded credentials or endpoints. The review is thorough by security standards for a platform-level review.
What the security review does NOT check: whether the package's data handling complies with GDPR or other privacy regulations, whether the ISV's backend systems (if the package calls external services) are secure, or whether the package's performance characteristics are appropriate for your data volumes. The security review is a baseline — it's not a comprehensive due diligence replacement.
Many AppExchange packages call external ISV-hosted services. Customer data from your Salesforce org may be sent to the ISV's servers for processing — analytics, AI features, compliance tracking. This data transfer may not be immediately obvious from the app listing. Before installing any package that processes sensitive customer data, review the ISV's data processing agreement (DPA) and assess whether the transfer is compliant with your data governance policies and GDPR/regional regulations.
The Hidden Costs of AppExchange Apps
Beyond the licence fee, AppExchange packages carry hidden architectural costs that accumulate over time. Custom object and field consumption: most packages install custom objects and fields that count toward your org's limits. A large package might consume 20–30 custom objects. For orgs approaching the 200 custom object limit, this is a real constraint.
Governor Limit budget consumption: package Apex code executes in the same Governor Limit context as your own code. A package that runs complex automation on Account records consumes CPU time, SOQL queries, and DML statements from the same transaction budget your custom Apex has. This is rarely disclosed in sales conversations and surfaces as unexplained Governor Limit breaches after installation.
API call consumption: packages that make outbound API calls (to the ISV's own backend) consume your org's Callout limits. Packages that receive data from Salesforce APIs consume your org's API call budget if they use REST/SOAP rather than CDC or Streaming.
Build vs Buy: The Enterprise Architect's Framework
The build vs buy decision for Salesforce functionality is not just a cost calculation. Architectural factors that favour buying (AppExchange): the capability is not strategic differentiation (billing management, e-signature, document generation — commodity functionality), time-to-value is critical, and the vendor has deep Salesforce expertise and a strong release cadence.
Architectural factors that favour building: the capability is a source of competitive advantage, the data model of available packages doesn't fit your requirements without significant customisation, the package's Governor Limit consumption profile conflicts with your existing automation, or your data governance requirements preclude data leaving your Salesforce org to an ISV backend.
Evaluating an AppExchange App Before Installation
A structured evaluation process for enterprise architects. Step 1: Install in a full copy sandbox, not production. Document every object, field, and Apex class added to the sandbox after installation. This is your installation inventory.
Step 2: Run performance tests with your org's representative data volumes. Trigger the package's automation on batches of 200 records and monitor Governor Limit consumption in the debug log.
Step 3: Review the package's Apex triggers on objects you customise. Do they conflict with your existing automation? Do they use without sharing in ways that bypass your security model?
Step 4: Review the ISV's DPA and data processing documentation for any external API calls the package makes. Confirm compliance with your data governance policies.
Step 5: Document the uninstallation path. What dependencies would need to be removed to uninstall the package cleanly? This is the measure of how locked-in you become over time.
Build a simple scorecard for every AppExchange evaluation: custom object count consumed, custom field count, Apex trigger count on your key objects, external callout destinations, DPA status, version cadence (updates per year), and user reviews from orgs similar to yours in size and industry. Score each dimension and include the scorecard in your architecture decision record. Future architects who inherit your org will thank you for the documented rationale.
Key Takeaways
- Installing a managed package is an architectural commitment — package metadata occupies your custom object limits, runs Apex in your Governor Limit context, and may be irreversible if dependencies form
- Namespace isolation prevents naming collisions between package and subscriber org metadata — all package objects and classes must be referenced with the namespace prefix
- 2GP packages offer cleaner schema evolution than 1GP — check which generation an ISV is on when evaluating long-term maintainability
- Salesforce's security review covers code-level security but not GDPR compliance, external data processing agreements, or performance at your data volumes
- Hidden costs include custom object/field limit consumption, Governor Limit budget sharing, and API call consumption — none of which appear in licence pricing conversations
- Always install in a full copy sandbox first, run performance tests, review Apex triggers on your key objects, and check the ISV's DPA before production installation
- Document the uninstallation path at evaluation time — after 2 years of use, it will be too late to uninstall cleanly without a major project
Checkpoint: Test Your Understanding
1. An AppExchange package has the namespace "acme". What is the correct SOQL syntax to query a custom object called "Contract__c" from that package?
2. What does Salesforce's AppExchange Security Review NOT cover?
3. Why is the uninstallation path for an AppExchange package important to evaluate before installation?
Discussion & Feedback