CafeX security datasheet

Data center and network security

We ensure the confidentiality and integrity of your data with industry best practices. CafeX hosts service data in AWS data centers that have been certified as ISO 27001 and PCI/DSS Service Provider Level 1 compliant.

Our security team is on call 24/7 to respond to security alerts and events.

Physical security

FacilitiesCafeX hosts service data in AWS data centers that have been certified as ISO 27001and PCI/DSS Service Provider Level 1 compliance.
AWS infrastructure services includes back-up power, HVAC systems, and fire suppression equipment to help protect servers and your data.
On-site securityAWS on-site security includes a number of features such as security guards, fencing, security video feeds, intrusion detection technology and other security measures.
Learn more about AWS physical security.
MonitoringAll production network systems, networked devices and circuits are constantly monitored and logically administered by CafeX staff.
Physical security, power and internet connectivity are monitored by AWS.
LocationCafeX leverages AWS data centers in the East Coast of the United States of America.

Network security

Dedicated security TeamThe CafeX security team is globally distributed and on call 24/7 to respond to security alerts and events.
ProtectionOur network is protected through the use of key AWS security services, regular audits, and network intelligence technologies that monitors and blocks malicious traffic and network attacks.
ArchitectureOur network security architecture consists of multiple AWS security availability zones.
Network vulnerability scanningNetwork security scanning gives CafeX deep insight for quick identification of out-of-compliance or potentially vulnerable systems.
Third-party penetration testsCafeX has an extensive internal scanning and testing programme. Each year CafeX employs third-party security experts to perform a broad penetration test across the CafeX production network.
Intrusion detection and preventionService ingress and egress points are instrumented and monitored to detect anomalous behaviour. These systems are configured to generate alerts when incidents and values exceed predetermined thresholds, and use regularly updated signatures based on new threats. This includes 24/7 system monitoring.
Threat intelligence programCafeX participates in several threat intelligence sharing programs. CafeX monitors threats posted to these threat intelligence networks and take action based on risk and exposure.
Logical accessAccess to the CafeX production network is restricted by an explicit need-to-know basis, utilizes least privilege, is frequently audited and monitored.
Security incident responseIn case of a security alert  events are escalated to our 24/7 teams providing operations, network engineering and security coverage. Employees are trained on security incident response processes, including communication channels and escalation paths.

Encryption

Encryption in transitCommunications between you and CafeX servers are encrypted using industry best-practices protocols, such as HTTPS and Transport Layer Security (TLS), over public networks. TLS is also supported for encryption of emails.
Encryption at restCustomers of CafeX benefit from the protections of encryption at rest for their data. Service Data is encrypted at rest in AWS using AES 256 key encryption.
Tenant specific encryptionCafeX uses keys that are specific to a tenant to encrypt data. It is not possible for one tenant to decrypt the data of another tenant.

Availability and continuity

UptimeCafeX maintains a publicly available system status page that includes system availability details, scheduled maintenance, service incident history, and relevant security events.
See: CafeX status page
RedundancyCafeX employs service clustering and network redundancies to eliminate single points of failure. Our strict back-up regime and our Enhanced Disaster Recovery service allow us to deliver a high level of service availability, as Service Data is replicated across availability zones.
Disaster recoveryThe CafeX Disaster Recovery (DR) programme ensures that our services remain available or are easily recoverable in the case of a disaster. This is accomplished through building a robust technical environment, creating Disaster Recovery plans, and testing activities.
Enhanced disaster recoveryThe Enhanced Disaster Recovery package adds contractual objectives for Recovery Time Objective (RTO) and Recovery Point Objective (RPO). These are supported through our capability to prioritize operations of Enhanced Disaster Recovery customers during any declared disaster event. *Only available with Advanced Security Add-on
Scalable serviceCafeX monitors network systems; if values exceed predetermined thresholds the architecture scales to meet the increase in demand, to ensure the quality of service is maintained across tenancies.

Application security

CafeX takes steps to develop securely and test against security threats to ensure the safety of our customer data. In addition, CafeX employs third-party security experts to perform detailed penetration.

Secure development (SDLC)

Security trainingAt least annually, engineers participate in secure code training covering OWASP Top 10 security risks, common attack vectors, and CafeX security controls.
Quality assuranceOur Quality Assurance (QA) department reviews and tests our code base. Dedicated application security engineers on staff identify, test, and triage security vulnerabilities in code.
Separate environmentsTesting and staging environments are logically separated from the production environment.
No actual service data is used in the development of test environments.

Application vulnerabilities

Dynamic vulnerability ScanningCafeX uses qualified third-party tooling to continuously dynamically scan our core applications against the OWASP Top 10 security risks. CafeX monitor these results actively and has a dedicated team to remediate any discovered issues.
Static code analysisThe source code repositories of CafeX are scanned for security issues using our integrated static analysis tooling.

Product security features

CafeX makes it seamless for customers to manage access and sharing policies with authentication and single-sign on (SSO) options. All communications with CafeX servers are encrypted using industry-standard protocols, such as HTTPS, over public networks, meaning the traffic between you and CafeX is secure.

Authentication security

Authentication optionsFor CafeX, you have the choice of registering and logging in using the CafeX Authentication Service or SSO for end-user authentication.
Single sign-on (SSO)Single sign-on (SSO) allows you to authenticate users in your own systems without requiring them to enter additional login credentials for your CafeX instance.
Secure credential storageCafeX follows secure credential storage best practices by never storing passwords in human readable format, and only as the result of a secure, salted, one-way hash.
API security and authenticationThe CafeX API is TLS only. You can authorize against the API using either basic authentication with your username and password, or with a username and API token. OAuth authentication is also supported.
Tenant segregationCustomers can bring their own storage, that is only used for their data.
Data that CafeX stores uses different encryption keys such that it cannot be decrypted, or modified, by another tenant.

Additional product security features

Role-based access controlsAccess to data within CafeX applications is governed by role-based access control (RBAC), and can be configured to define granular access privileges. CafeX has various permission levels for users.
Transmission securityAll communications with the CafeX UI and API are encrypted using industry standard HTTPS/TLS over public networks. This ensures that all traffic between you and CafeX is secure during transit. For email, our product also leverages opportunistic TLS by default. Transport Layer Security (TLS) encrypts and delivers email securely, mitigating eavesdropping between mail servers where peer services support this protocol.

Compliance certification and memberships

CafeX implements security best practices to meet industry-based compliance and the most stringent requirements.

Security compliance

ISO 27001:2013CafeX is ISO 27001:2013 certified. The certificate is available for download, see: CafeX ISO 27001:2013 certificate

Privacy certifications

TRUSTe® privacy certification programsCafeX has certified compliance with the US-EU and Swiss – US Privacy Shield frameworks.
This demonstrates that our privacy programs, policies, and practices meet the requirements of EU-US Privacy Shield and Swiss-US Privacy Shield.
Department of Commerce list of self-certified Privacy Shield
Our certifications confirm that we comply with the Privacy Shield Principles for the transfer of European and Swiss personal data to the United States.
Privacy policySee: CafeX privacy policy, for information about privacy, terms and cookie usage.

Industry-based compliance

Using CafeX in a PCI environmentTo ensure credit card data security, we have undergone PCI-DSS compliance. 
See: CafeX PCI Certificate

See also: CafeX Legal and Compliance.