I like that story because people sometimes suggest that the Cloud is not suitable for highly sensitive, private information like medical records. They suggest that compliance with regulatory environments will be difficult to achieve. I’m not saying it’s easy, but compliance is absolutely achievable in the Cloud.

DMR: If you offer all of these features easily accessible to a global audience of developers, how do you make sure that the developers don’t harm the brand of salesforce.com by doing something that’s not allowed, unsafe, or violate operational conditions? What happens if they found the killer application and basically bring down your system because there are so many requests you suddenly have to handle? And what if that killer application happens to be your planned future core business?

Peter: You put your finger on the key thing: How do we make it possible for someone to create independent intellectual property while running it in a shared environment? The only cost to the developer is a transparent fee we pay a third party provider of security services to validate the basic security of an app and ensure that it’s not doing anything inappropriate that would create pathways into our platform that would be hazardous to anything else that’s going on. Not only is this audit function vital to us, it’s so vital that we have it done by an independent party so that no one will ever have to wonder if our zeal for growth is making us do something careless. 

The second thing is that our platform has been architected with the understanding that people were going to be creating custom logic that has to run in a shared environment. People ask us why we created our own programming language, which we called Force.com code. If it looks just like Java and it works just like Java, why didn’t we simply create a facility in which developers could run Java in our environment? The answer is this: If we had taken the standard off-the-shelf Java Virtual Machine and embedded that in the Force.com environment, we would then have found ourselves forced to build walls around that to prevent it from ever degrading the shared facility. If someone did something incredibly processor intensive, we would have to add all sorts of protective mechanisms around it. So instead, we implemented a Java family language in the multi-tenant environment so that if you try to do something that’s going to place unreasonable burdens on shared resources, the system is able to give you a well-behaved exception mechanism that says, “I’m sorry, I can’t let you do that.”