If you have questions for the CafeX security team, or need to contact them regarding security alerts and events, please send an email to: compliance@cafex.com.
Data center and network security
CafeX ensures the confidentiality and integrity of data by utilising an industry standard data center environment within Amazon's AWS. CafeX is hosted in AWS data centers with globally recognised security standards and compliance certifications.
Physical security
| Facilities | CafeX is hosted in Amazons AWS data centers. These AWS data centers come with a robust set of global security standards and compliance certifications including SOC1/2/3, ISO27001, PCI-DSS, HIPAA/HITECH, FedRAMP, GDPR, FIPS 140-2 and NIST 800-171. More information on Amazon's AWS security infrastructure can be found at https://aws.amazon.com/security/ |
| Monitoring | All production network systems, networked devices and circuits are constantly monitored and logically administered by CafeX personnel. CafeX proactively monitors information security events and alerts that provide situational awareness through the detection, containment, and remediation of any suspected or actual security incidents. Underlying physical security, power and internet connectivity infrastructure etc are actively monitored by AWS |
| Location | CafeX leverages AWS data centers in the East Coast of the United States of America. |
| Media protection | CafeX leverages AWS availability zones to provide resilience in the event of any AWS data center disaster. Continuous snapshots and backups are maintained to support system failovers. CafeX deploys a multi-layer security strategy, covering everything from data encryption to user access controls. CafeX has rigorous Access control polices that employ Role-Based Access Control (RBAC) and a minimum-rights authorization approach. Access to Snapshots/Backups are subject to these rigid procedures, while granting only the minimum necessary administrative access to enable the service. |
| Physical protection | Access privileges are assigned based on the business need. All users are positively identified and authenticated prior to gaining access to systems, services, or data. Access to systems, services, or information are determined in accordance with the business requirements of an individual’s role and responsibilities. System access requests are logged, monitored and actively reviewed. |
Network security
| Dedicated security Team | The CafeX security team are globally dispersed in order to respond to any security alerts or occurrences. |
| Protection | The CafeX network is safeguarded with a suite of AWS security services, routine audits, and network intelligence technologies that track and obstruct malicious activity and network attacks. All deployments follow strict testing procedures through independent development, staging and quality assurance environments. CafeX has telemetry in place to monitor the production environment and use a full EFK stack for logging and monitoring. CafeX monitors and reviews logs frequently. |
| Architecture | The CafeX network security architecture consists of multiple AWS security availability zones. |
| Risk assessment | CafeXs ISO27001 management system provides policies and procedures for risk treatment methodology and business continuity. Any risks registered are appropriately reviewed by the Security Management Team. Business continuity plans are reviewed and tested regularly for effectiveness, completeness of system polices and risk controls associated. Vulnerability scanning is performed regularly at various appropriate levels. Reports are analyzed, reviewed and actioned appropriately as part of the continual improvement and risk assessment processes. |
| Network vulnerability scanning | CafeX performs various distributed vulnerability scans that return deep insights for quick identification of out-of-compliance or potentially vulnerable systems. CafeX utilises extensive AWS security tools to scan, report and action any highlighted CVE’s. E.g Security Hub, Inspector, GuardDuty, Config etc. |
| Third-party penetration tests | CafeX engages external penetration testing exports to perform a broad penetration tests across the CafeX production application and network. Any remedial actions identified as a result of vulnerability testing are logged, planned and actioned based on risk, priority and severity. |
| Intrusion detection and prevention | Service ingress and egress points are instrumented and monitored to detect anomalous behaviour. These systems are configured to generate alerts when incidents and values exceed predetermined thresholds, and use regularly updated signatures based on new threats. This includes 24/7 system monitoring. |
| Threat intelligence program | CafeX participates in several threat intelligence sharing programs. CafeX monitors threats posted to these threat intelligence networks and takes action based on risk and exposure. |
| Logical access | Access to the CafeX production network is restricted by an explicit need-to-know basis, utilizes least privilege and is frequently audited and monitored. The CafeX access control policy highlights many requirements on employees including password complexities and compulsory use of MFA. |
| Security incident response | CafeX has a continual improvement & corrective action procedure policy that details security incident management. In case of a security alert events are escalated to appropriate CafeX teams providing operations, network engineering and security coverage. Employees are trained on security incident response processes, including communication channels and escalation paths. |
Personnel security
| Personnel on-boarding | As part of the employee background screening process policy, CafeX performs several background checks that include: SS# and identity, address, employment, credit, criminal activity, and a driving license/DMV check. |
| Identification and authentication | All on-boarding and access requests are fed through the CafeX ticketing system. This then follows an approval process and all privileged access requests are reviewed and approved. All access privileges are assigned based on the business need. Access to systems are granted by the business owner or the system owner (or appointed delegate) and is approved and documented using the ticketing system. |
| Security awareness and training | All CafeX employees and contractors complete up to date security awareness training from an independent specialised security training platform. Security awareness training is compulsory and refreshed annually. Additional role specific security training is allocated based on role. e.g. Secure Application Development: OWASP Top 10 Security Awareness for CafeX developers. |
Encryption
| Encryption in transit | Communications between you and CafeX servers are encrypted using industry best-practices protocols, such as HTTPS and Transport Layer Security (TLS >1.2), over public networks. TLS is also supported for encryption of any email communications. |
| Encryption at rest | Customers of CafeX benefit from the protections of encryption at rest for their data. Service Data is encrypted at rest in AWS using AES 256 key encryption. |
| Tenant specific encryption | CafeX uses encryption keys that are specific to each tenant to encrypt any customer data stored. This means it is not possible for one tenant to decrypt data from another tenant. |
Availability and continuity
| Uptime | CafeX maintains a publicly available system status page that includes system availability details, scheduled maintenance notices, service incident history and any ongoing security incident detail. See: CafeX Status or https://status.cafex.com |
| Maintenance | As part of the ISO27001 Information Security Management System, CafeX maintains processes relating to the “Info Sec Operations Manual” and the “Secure Development Policy”. These policies define processes for change management including patching and maintenance releases. |
| Redundancy | CafeX employs service clustering and network infrastructure redundancies to eliminate single points of failure. CafeX follows strict snapshot/back-up policies and procedures combined with Disaster Recovery services allowing us to deliver a high level of service availability with data being replicated across availability zones. |
| Disaster recovery | CafeX Disaster Recovery (DR) program ensures that CafeX services remain available and easily recoverable in the case of disasters. This is accomplished through the building of robust technical environmental checkpoints and by the frequent testing of our Disaster Recovery plans. |
| Scalable service | CafeX monitors network systems; if values exceed predetermined thresholds the architecture scales to meet the increase in demand, to ensure the quality of service is maintained across tenancies. |
Application security
CafeX takes steps to ensure the safety of its customers' data by ensuring secure development practices and focused testing around known security threats. To further enhance security, CafeX engages third-party security experts to conduct thorough penetration tests.
Secure development (SDLC)
| Security training | All engineers participate regularly in development focused training on secure coding strategies including OWASP Top 10 security risks, common attack vectors and resulting implemented security controls. |
| Quality assurance | The CafeX Quality Assurance (QA) department reviews and tests the CafeX code base to ensure its quality, stability and integrity. CafeX have dedicated security engineers to identify, test, and triage any security vulnerabilities present in the code. |
| Separate environments | CafeX has separate test/development and staging environments which are used prior to production pushes for the testing of any updates, patches and/or configuration changes. No production service data is used in any of these development/test environments. |
Application vulnerabilities
| Dynamic vulnerability Scanning | CafeX uses qualified third-party tooling to continuously dynamically scan the CafeX core applications against the OWASP Top 10 security risks. CafeX monitors these results actively and has a dedicated team to remediate any discovered issues. |
| Static code analysis | The source code repositories of CafeX are scanned for security issues using CafeX’s integrated static analysis tooling. |
| System integrity | Any threats, such as library vulnerabilities, vulnerability reports, threat reports are reviewed immediately for appropriate corrective priority and action plan. |
Product security features
CafeX makes it seamless for customers to manage access and sharing policies with authentication and single-sign on (SSO) options. All communications with CafeX servers are encrypted using industry-standard protocols, such as HTTPS, over public networks, meaning the traffic between you and CafeX is secure.
Authentication security
| Authentication options | CafeX gives you the choice of registering and logging in using the CafeX Authentication Service or via your own Single Sign-On (SSO) for end user authentication. |
| Single sign-on (SSO) | Single sign-on (SSO) allows you to authenticate users in your own systems without requiring them to enter additional login credentials for your CafeX instance. |
| Multi-factor authentication (MFA) | CafeX SSO login options enable you to retain control over your password policies and your MFA requirements. The CafeX Authentication Service does not support MFA. |
| Secure credential storage | CafeX adheres to strict secure credential storage best practices by never storing passwords in a human-readable format, but instead as a result of a secure, salted, one-way hash. |
| Tenant segregation | Customers can bring their own storage, that is only used for their data. CafeX stores data using different encryption keys to ensure that it cannot be decrypted or modified by another tenant. |
Additional product security features
| Role-based access controls | Individual user access to CafeX systems, services or information are determined in accordance with business requirements of the individual’s role and responsibilities (RBAC). Access to CafeX systems are granted on a ‘least-privilege’ basis by the business/system owners and where required follows an approval process. |
| Transmission security | All communications with the CafeX UI and API are encrypted using industry standard HTTPS/TLS over public networks. This ensures that all traffic between you and CafeX is secure during transit. For email, CafeX leverages opportunistic TLS by default. Transport Layer Security (TLS >1.2) encrypts and delivers email securely, mitigating eavesdropping between mail servers where peer services support this protocol. |
| Data retention | Strict data retention policies are in place that apply to the content authored using CafeX and actions taken using the CafeX application. CafeX does not retain data from other applications, beyond references to identify content. |
| Discovery | Discovery applies to the content that is authored using CafeX. CafeX does not facilitate discovery across different application boundaries, or inside of the content that people bring into CafeX. |
| Auditing | CafeX activity is available to tenant administrators for 12–months by default. See: Gathering audit logs. |
Compliance certification and memberships
CafeX implements security best practices to meet industry-based compliance and the most stringent requirements.
Security compliance
| ISO 27001 | We at CafeX know that it takes a lot of trust to put your data in the Cloud. As a customer, you need to know that the partners you share this information with have the secure treatment of such information as their top priority. We also understand that we have customers in many different regions, who in turn deal with many different standards and frameworks for the proper treatment of sensitive information. With this in mind, we pursue globally respected industry benchmark standards put forth by the International Organization for Standardization in the form of ISO 27001. The certificate is available for download, see: CafeX ISO 27001 certificate |
Privacy certifications
| EU-US Privacy Shield | CafeX are compliant with the US-EU and Swiss – US Privacy Shield frameworks. We operate across the globe and serve customers in the United States and The European Union. CafeX compliance confirms that we comply with the Privacy Shield Principles for the transfer of European and Swiss personal data to the United States. |
| Privacy policy | See: CafeX privacy policy, for information about privacy, terms and cookie usage. |
Industry-based compliance
| Using CafeX in a PCI environment | To ensure credit card data security we have undergone PCI-DSS compliance by completing the Attestation of Compliance for Self-Assessment Questionnaire A. As part of our security management system we have a Payment Card Security Policies (1.2 – 2021-01-07) which is reviewed at least annually to attest to credit card security requirements as required by the Payment Card Industry Data Security Standard (PCI DSS) Program. |
| HIPAA Through the business associate agreement (BAA) | To comply with the requirements of HIPAA in the US, CafeX Communications executes a Business Associate Agreement (BAA) with HIPAA-covered entities in the healthcare and medical services industry. We sign a HIPAA Business Associate Agreement (BAA) with our healthcare customers, meaning we are responsible for keeping your patient information secure and reporting security breaches involving personal healthcare information. HIPAA tenants “bring their own storage” and CafeX do not have access to identifiable health information. We protect and encrypt all data. CafeX understands and has controls in place (implemented with our ISO27001 certification) to meet the standards required by HIPAA surrounding confidentiality, integrity, and availability of all data, including controls surrounding the CafeX workforce. |
See also: