We understand that security is top of mind for you. We're committed to data security and privacy processes in order to ensure CoffeePals keeps any and all customer information secure and protected.
CoffeePals undergoes an annual SOC2 Type 2 audit to ensure compliance. Additionally, we are audited annually by Microsoft as part of the Microsoft 365 App Compliance Program.
We've selected cloud vendors that are SOC2 Type I, Type II, ISO27001 and PCI-DSS compliant. We operate an information security and risk management program.
CoffeePals has limited access to the messages within Microsoft Teams. This is a function of the security features that Microsoft implements within their bot SDK.
CoffeePals only has access to direct message data exchanged with the CoffeePals bot. This means that our platform does not have access to any of your employees' personal messages with one another.
The CoffeePals bot does not have permission to be added to a personal group conversation. For this reason, CoffeePals cannot be added to a private group and therefore, similar to private messages, does not have access to group conversation data.
CoffeePals only receives messages which mention @CoffeePals in them or replies to such messages. All other messages in the channel will not be sent to our servers. This is a restriction set in place by Microsoft to help protect your company's team messages.
CoffeePals is hosted on Heroku (owned by Salesforce) which employs strict security measures.
Our database is hosted on AWS through MongoDB Atlas. AWS certifies physical security at all of its data centres. They have comprehensive compliance and control over physical access. AWS is accredited against multiple security industry certifications including ISO27001. More about AWS's physical security can be read here. More about MongoDB Atlas's security can be found here.
Every connection made between Microsoft Teams and CoffeePals is end-to-end encrypted over HTTPS (SSL/TLS). We also force HTTPS for the CoffeePals web application. Our customer data is encrypted in transit with HTTPS using TLS 1.2+ and at rest with AES-256. The data is stored in multiple physical locations in the United States through AWS.
CoffeePals is built with security in mind. These are some of our key practices in security.
Users are authenticated in the CoffeePals web app without using a password. Users are emailed a secure login link containing a token that authenticates them into the application. The login link expires one hour after being sent to the user. Once authenticated, we store their authentication token as a cookie in their browser for 14 days. This eliminates the possibility of a password being compromised and makes our authentication process as secure as the company's email.
For our enterprise users, we also provide SSO through Azure.
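The passwordless flow described above, as an added example that is not CoffeePals' own code: a minimal Python implementation that stores only hashes of tokens, makes the emailed link single-use and one-hour bounded, and issues a 14-day session cookie. The link host and the in-memory stores are assumptions standing in for a real mailer and database.

```python
import hashlib
import secrets
import time
from urllib.parse import parse_qs, urlparse

LINK_TTL = 60 * 60               # login link expires one hour after it is sent
SESSION_TTL = 14 * 24 * 60 * 60  # authenticated session cookie lives 14 days


class MagicLinkAuth:
    """Passwordless login: emailed single-use token, then a session cookie."""

    def __init__(self, now=time.time):
        self.now = now            # injectable clock so expiry can be tested
        self._pending = {}        # sha256(link token) -> (email, expires_at)
        self._sessions = {}       # sha256(session token) -> (email, expires_at)

    @staticmethod
    def _digest(value: str) -> str:
        # Only hashes are stored; a leaked table does not yield usable tokens
        return hashlib.sha256(value.encode()).hexdigest()

    def issue_link(self, email: str) -> str:
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        self._pending[self._digest(token)] = (email, self.now() + LINK_TTL)
        return f"https://app.example.invalid/login?token={token}"  # hypothetical host

    @staticmethod
    def token_from_link(link: str) -> str:
        return parse_qs(urlparse(link).query)["token"][0]

    def redeem(self, token: str):
        """Exchange a link token for a session token, or None if rejected."""
        record = self._pending.pop(self._digest(token), None)  # pop: single use
        if record is None or self.now() > record[1]:
            return None
        session = secrets.token_urlsafe(32)
        self._sessions[self._digest(session)] = (record[0], self.now() + SESSION_TTL)
        return session

    def session_cookie(self, session: str) -> str:
        # Cookie attributes keep the token off plain HTTP and away from page scripts
        return f"session={session}; Max-Age={SESSION_TTL}; Secure; HttpOnly; SameSite=Lax"

    def user_for_session(self, session: str):
        record = self._sessions.get(self._digest(session))
        if record is None or self.now() > record[1]:
            return None
        return record[0]
```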
CoffeePals does not directly store credit card numbers in our database. We use Stripe for payment processing. Stripe has been audited by a PCI-certified auditor and is certified to PCI Service Provider Level 1 which is the most stringent level of certification available in the payments industry. More about Stripe's security can be found here.
These are some of our key operational security practices.
Each team member is granted access only to the credentials they need to complete their tasks. We deny by default and only add privileges for those who request and require access.
Our staff use multi-factor authentication on all the services we use.
We have implemented a change management process to ensure that changes in our system are reviewed and tested. All code is reviewed and approved by a manager before being pushed to a branch in our code repository. We also have alerts to inform the team anytime code is pushed to a branch. Production releases require pull requests and sign-off before being merged into production.
We use automated tests and continuous integration tools to deploy to our pre-production environments. We also run additional manual tests to ensure that any changes made to the software meet the predefined requirements. Once code has been tested and approved by a technical manager, the manager deploys it to production through an automated system that supports rollbacks.
We put security issues at the top of our priority list. In compliance with GDPR and other applicable regulations, we inform all customers affected by an incident within 72 hours of detection.
CoffeePals runs on AWS and Heroku, which provide some out-of-the-box tools to scan for network vulnerabilities. We also run an open-source vulnerability scanner against our production environment quarterly.
We also have daily, automated checks for published security notices and vulnerabilities in our dependencies.
CoffeePals automatically backs up data daily, and the backups are encrypted. Our servers have redundancy to ensure that if a server fails, a standby takes over instantaneously. We also have a disaster recovery program.
Our software gets pushed through multiple environments before making it to production. Before we start working on new features, we review the security risks and considerations against OWASP top 10 vulnerabilities. The software must pass automated tests throughout the process to catch as many issues as possible before reaching production. Every feature that is added requires a pull request and code review that is approved by senior staff.
CoffeePals is built on top of AWS and Heroku, which provide some monitoring out of the box.
We log application usage, uptimes and exceptions as well as track runtime errors and alerts. We investigate and fix any issues as they arise to ensure there are no vulnerabilities in the application.
We choose vendors that we can trust with our data and our customers' data. Vendors are assessed against our vendor management policy to evaluate risk.