Security
CoffeePals Prioritizes Security,
SOC2 Type 2 Compliant

CoffeePals is audited for both SOC2 Type 2  and Microsoft 365 compliance certification annually. We partner with cloud vendors meeting SOC2, ISO27001, and PCI-DSS standards.

SOC2 Type 2 BadgeMicrosoft 365 Badge

Teams Messages Access

CoffeePals has limited access to the messages within Microsoft Teams. This is a function of the security features that Microsoft implements within their bot SDK.

  • Private Messages

    CoffeePals only has access to direct message data with the CoffeePals bot. This means that our platform does not have access to any of your employee's personal messages with one another.

  • Private Group Messages

    The CoffeePals bot does not have permission to be added to a personal group conversation. For this reason, CoffeePals cannot be added to a private group and therefore, similar to private messages, does not have access to group conversation data.

  • Channels and teams

    CoffeePals only has access to the channels and teams it has been added to. When it is added to a team or channel, it collects the user data of each user to perform the matching function. It also collects user data when a new user joins that team. Information on the data we collect can be found in our Privacy Policy.

    CoffeePals only receives messages which mention @CoffeePals in them or replies to such messages. All other messages in the channel will not be sent to our servers. This is a restriction set in place by Microsoft to help protect your company's team messages.

Physical and Network Security

CoffeePals is hosted on Heroku (owned by Salesforce) which employs strict security measures.

  • Physical Security

    Our database is hosted on AWS through MongoDB Atlas. AWS certifies physical security at all of its data centres. They have comprehensive compliance and control over physical access. AWS is accredited against multiple security industry certifications including ISO27001. More about AWS's physical security can be read here. More about MongoDB Atlas's security can be found here.

  • Network Security

    Every connection made between Microsoft Teams and CoffeePals is end-to-end encrypted over HTTPS and SSL. We also force HTTPS for the CoffeePals web application. Our customer data is encrypted in transit with HTTPS using TLS 1.2 + and at rest with AES256. The data is stored in multiple physical locations in the United States through AWS.

Application Security

CoffeePals is built with security in mind. These are some of our key practices in security.

  • Authentication

    Users are authenticated in the CoffeePals web app without using a password. Users are emailed a secure login link containing a token to authenticate them into the application. Once authenticated, we store their authentication token as a cookie in their browser for 14 days. The login link also expires one hour after being sent to the user. This eliminated the ability for their password to be compromised and makes the security of our authentication process as secure as company email.

    For our enterprise users, we also provide SSO through Azure.

  • Payment Information

    CoffeePals does not directly store credit card numbers in our database. We use Stripe for payment processing. Stripe has been audited by a PCI-certified auditor and is certified to PCI Service Provider Level 1 which is the most stringent level of certification available in the payments industry. More about Stripe's security can be found here.

Operational Security

These are some of our key operational security practices.

  • Access Control

    Each team member is granted access only to the credentials that they are needed to complete their tasks. We deny by default and only add privileges to those that request and require access.

    Our staff uses multi-factor authentication with all the services we use.

  • Change Management

    We have implemented a change management process to ensure that changes in our system are reviewed and tested. All code is reviewed and approved by a manager before being pushed to a branch in our code repository. We also have alerts to inform the team anytime code is pushed to a branch. Production releases require pull requests and sign-off before being merged into production.

    We use automated tests and continuous integration tools to deploy to our pre-production environments. We also run additional manual tests to ensure that any changes made to the software meet the predefined requirements. Code that has been tested and approved by a technical manager, the manager will deploy it to production through an automated system that supports rollbacks

  • Incident Management

    We put security issues at the top of our priority list. In compliance with GDPR and regulations, we inform all customers affected by an incident within 72 hours of detection.

  • Vulnerability Management

    CoffeePals run on AWS and Heroku which provide some out-of-the-box tools to scan for network vulnerabilities. We also run an open-source vulnerability scanner against our production environment quarterly.

    We also have daily, automated checks for published security notices and vulnerabilities in our dependencies.

  • Backups

    CoffeePals automatically backs up data daily in an encrypted manner. Our servers have redundancy to ensure that if the server fails, there is a backup that will take over instantaneously. We also have a disaster recovery program.

  • Software Development

    Our software gets pushed through multiple environments before making it to production. Before we start working on new features, we review the security risks and considerations against OWASP top 10 vulnerabilities. The software must pass automated tests throughout the process to catch as many issues as possible before reaching production. Every feature that is added requires a pull request and code review that is approved by senior staff.

  • Monitoring

    CoffeePals is built on top of AWS and Heroku which provide some monitoring out of the box.

    We log application usage, uptimes and exceptions as well as track runtime errors and alerts. We investigate and fix any issues as they arise to ensure there are no vulnerabilities in the application.

  • Vendor Management

    We choose vendors that we can trust with our data and our customer's data. Vendors are assessed based on our vendor management policy to evaluate risk.

We can share more information about our practices and policies under NDA. To understand how we handle data, read our Privacy Policy and Terms of Service. If you have specific enquiries or vulnerability disclosures, please email [email protected].