Data center and network security

We ensure the confidentiality and integrity of your data with industry best practices. Challo hosts service data in AWS data centers that have been certified as ISO 27001 and PCI/DSS Service Provider Level 1 compliant.

If you have questions for the Challo security team, or need to contact them regarding security alerts and events, send an email to:

Physical security

FacilitiesChallo hosts service data in AWS data centers that have been certified as ISO 27001and PCI/DSS Service Provider Level 1 compliance.
AWS infrastructure services includes back-up power, HVAC systems, and fire suppression equipment to help protect servers and your data.
On-site securityAWS on-site security includes a number of features such as security guards, fencing, security video feeds, intrusion detection technology and other security measures.

Learn more about AWS physical security.
MonitoringAll production network systems, networked devices and circuits are constantly monitored and logically administered by CafeX staff.
Physical security, power and internet connectivity are monitored by AWS.
LocationChallo leverages AWS data centers in the East Coast of the United States of America.
Media protectionChallo use availability zones to provide resilience and takes automated snapshots to backup any data. Only authorized people have access to backups.
Physical protectionAccess privileges are assigned based on the business need. All users are positively identified and authenticated prior to gaining access to systems, services, or data. Access to systems, services, or information is determined in accordance with the business requirements of an individual’s role and responsibilities.

Network security

Dedicated security TeamThe Challo security team is globally distributed to respond to security alerts and events.
ProtectionThe CafeX network is protected through the use of key AWS security services, regular audits, and network intelligence technologies that monitors and blocks malicious traffic and network attacks.
All deployments are strictly tested through independent development, staging and quality assurance environments. CafeX has telemetry in place to monitor the production environment and use “EFK stack” for logging. CafeX monitors logs and reviews them frequently.
ArchitectureThe CafeX network security architecture consists of multiple AWS security availability zones.
Risk assessmentPart of CafeX’s ISO27001 management system are policies for risk treatment methodology and business continuity. The business continuity plans are tested regularly and frequent vulnerability scans are scheduled and reports analyzed for any new vulnerabilities in the Challo service.
Network vulnerability scanningNetwork security scanning gives CafeX deep insight for quick identification of out-of-compliance or potentially vulnerable systems.
Third-party penetration testsChallo has an extensive internal scanning and testing program. Each year CafeX employs third-party security experts to perform a broad penetration test across the Challo production network.
Intrusion detection and preventionService ingress and egress points are instrumented and monitored to detect anomalous behaviour. These systems are configured to generate alerts when incidents and values exceed predetermined thresholds, and use regularly updated signatures based on new threats. This includes 24/7 system monitoring.
Threat intelligence programCafeX participates in several threat intelligence sharing programs. CafeX monitors threats posted to these threat intelligence networks and take action based on risk and exposure.
Logical accessAccess to the Challo production network is restricted by an explicit need-to-know basis, utilizes least privilege, is frequently audited and monitored. The CafeX access control policy highlights many requirements on employees including password complexities and use of MFA.
Security incident responseCafeX has a continual improvement & corrective action procedure policy that details secure incident management. In case of a security alert events are escalated to Challo teams providing operations, network engineering and security coverage. Employees are trained on security incident response processes, including communication channels and escalation paths.

Personnel security

Personnel on-boardingAs part of the employee background screening process policy, CafeX performs several background checks that include: SS# and identity, address, employment, credit, criminal activity, and a driving license/DMV check.
Identification and authenticationAll on-boarding and access requests are fed through the CafeX helpdesk system.
They follow an approval process and all privileged access is reviewed. All access privileges are assigned based on the business need.
Access to systems are granted by the business owner or the system owner (or appointed delegate) and is approved using the helpdesk system.
Security awareness and trainingAll CafeX employees and contractors are complete security awareness training from a security training platform. Training is refreshed annual. In addition, role specific training is also performed, such as OWASP Top 10 for CafeX developers.


Encryption in transitCommunications between you and Challo servers are encrypted using industry best-practices protocols, such as HTTPS and Transport Layer Security (TLS), over public networks. TLS is also supported for encryption of emails.
Encryption at restCustomers of Challo benefit from the protections of encryption at rest for their data. Service Data is encrypted at rest in AWS using AES 256 key encryption.
Tenant specific encryptionChallo uses keys that are specific to a tenant to encrypt data. It is not possible for one tenant to decrypt the data of another tenant.

Availability and continuity

UptimeChallo maintains a publicly available system status page that includes system availability details, scheduled maintenance, service incident history, and relevant security events.

See: Challo Status or 
MaintenanceAs part of ISO27001 CafeX has policies, including info sec operations manual and secure development policy that describe the patching and maintenance of CafeX software.
RedundancyCafeX employs service clustering and network redundancies to eliminate single points of failure. The Challo strict back-up regime and Enhanced Disaster Recovery service allow us to deliver a high level of service availability, as Service Data is replicated across availability zones.
Disaster recoveryThe CafeX Disaster Recovery (DR) program ensures that Challo services remain available or are easily recoverable in the case of a disaster. This is accomplished through building a robust technical environment, creating Disaster Recovery plans, and testing activities.
Enhanced disaster recoveryThe Enhanced Disaster Recovery package adds contractual objectives for Recovery Time Objective (RTO) and Recovery Point Objective (RPO). These are supported through Challo’s capability to prioritize operations of Enhanced Disaster Recovery customers during any declared disaster event. *Only available with Advanced Security Add-on
Scalable serviceCafeX monitors network systems; if values exceed predetermined thresholds the architecture scales to meet the increase in demand, to ensure the quality of service is maintained across tenancies.

Application security

CafeX takes steps to develop securely and test against security threats to ensure the safety of Challo customer data. In addition, CafeX employs third-party security experts to perform detailed penetration.

Secure development (SDLC)

Security trainingAt least annually, engineers participate in secure code training covering OWASP Top 10 security risks, common attack vectors, and Challo security controls.
Quality assuranceThe CafeX Quality Assurance (QA) department reviews and tests the Challo code base. Dedicated application security engineers on staff identify, test, and triage security vulnerabilities in code.
Separate environmentsTesting and staging environments are logically separated from the production environment.
No actual service data is used in the development of test environments.

Application vulnerabilities

Dynamic vulnerability ScanningCafeX uses qualified third-party tooling to continuously dynamically scan the Challo core applications against the OWASP Top 10 security risks. CafeX monitor these results actively and has a dedicated team to remediate any discovered issues.
Static code analysisThe source code repositories of Challo are scanned for security issues using CafeX’s integrated static analysis tooling.
System integrityAny threats, such as library vulnerabilities, vulnerability reports, threat reports or support reports reviewed immediately for appropriate corrective priority and action.

Product security features

Challo makes it seamless for customers to manage access and sharing policies with authentication and single-sign on (SSO) options. All communications with Challo servers are encrypted using industry-standard protocols, such as HTTPS, over public networks, meaning the traffic between you and Challo is secure.

Authentication security

Authentication optionsFor Challo, you have the choice of registering and logging in using the Challo Authentication Service or SSO for end-user authentication.
Single sign-on (SSO)Single sign-on (SSO) allows you to authenticate users in your own systems without requiring them to enter additional login credentials for your Challo instance.
Multi-factor authentication (MFA)Customers that need to retain control over password policies and MFA requirements can use one of the SSO providers.
The Challo Authentication Service does not support MFA.
Secure credential storageChallo follows secure credential storage best practices by never storing passwords in human readable format, and only as the result of a secure, salted, one-way hash.
Tenant segregationCustomers can bring their own storage, that is only used for their data.
Data that Challo stores uses different encryption keys such that it cannot be decrypted, or modified, by another tenant.

Additional product security features

Role-based access controlsAccess to data within Challo applications is governed by role-based access control (RBAC), and can be configured to define granular access privileges. Challo has various permission levels for users.
Transmission securityAll communications with the Challo UI and API are encrypted using industry standard HTTPS/TLS over public networks. This ensures that all traffic between you and Challo is secure during transit. For email, the Challo product also leverages opportunistic TLS by default. Transport Layer Security (TLS) encrypts and delivers email securely, mitigating eavesdropping between mail servers where peer services support this protocol.
Data retentionData retention applies to the content authored using Challo and actions taken using the Challo application. Challo does not retain data from other applications, beyond references to identify content.
DiscoveryDiscovery apples to the content that is authored using Challo. Challo does not facilitate discovery across different application boundaries, or inside of the content that people bring into Challo.
AuditingChallo track activity is available to tenant administrators for 12–months by default. See: Gathering audit logs.

Compliance certification and memberships

CafeX implements security best practices to meet industry-based compliance and the most stringent requirements.

Security compliance

ISO 27001We at CafeX know that it takes a lot of trust to put your data in the Cloud. As a customer, you need to know that the partners you share this information with have the secure treatment of such information as their top priority. We also understand that we have customers in many different regions, who in turn deal with many different standards and frameworks for the proper treatment of sensitive information. With this in mind, we pursue globally respected industry benchmark standards put forth by the International Organization for Standardization in the form of ISO 27001.

The certificate is available for download, see: CafeX ISO 27001 certificate

Privacy certifications

EU-US Privacy ShieldCafeX are compliant with the US-EU and Swiss – US Privacy Shield frameworks. We operate across the globe and serve customers in the United States and The European Union.  CafeX compliance confirms that we comply with the Privacy Shield Principles for the transfer of European and Swiss personal data to the United States.
Privacy policySee: CafeX privacy policy, for information about privacy, terms and cookie usage.

Industry-based compliance

Using Challo in a PCI environmentTo ensure credit card data security we have undergone PCI-DSS compliance by completing the Attestation of Compliance for Self-Assessment Questionnaire A.  As part of our security management system we have a Payment Card Security Policies (1.2 – 2021-01-07) which is reviewed at least annually to attest to credit card security requirements as required by the Payment Card Industry Data Security Standard (PCI DSS) Program.
HIPAA Through the business associate agreement (BAA)To comply with the requirements of HIPAA in the US, CafeX Communications executes a Business Associate Agreement (BAA) with HIPAA-covered entities in the healthcare and medical services industry. We sign a HIPAA Business Associate Agreement (BAA) with our healthcare customers, meaning we are responsible for keeping your patient information secure and reporting security breaches involving personal healthcare information.  HIPAA tenants “bring their own storage” and CafeX do not have access to identifiable health information. We protect and encrypt all data.
CafeX understands and has controls in place (implemented with our ISO27001 certification) to meet the standards required by HIPAA surrounding confidentiality, integrity, and availability of all data, including controls surrounding the CafeX workforce.

See also: