Security

CafeX security datasheet

Modified on Tue, 26 Mar 2024 at 12:58 PM

If you have questions for the CafeX security team, or need to contact them regarding security alerts and events, please send an email to: compliance@cafex.com.


Data center and network security


CafeX ensures the confidentiality and integrity of data by utilising an industry standard data center environment within Amazon's AWS. CafeX is hosted in AWS data centers with globally recognised security standards and compliance certifications.


Physical security


Facilities: CafeX is hosted in Amazon AWS data centers. These AWS data centers come with a robust set of global security standards and compliance certifications, including SOC 1/2/3, ISO 27001, PCI DSS, HIPAA/HITECH, FedRAMP, GDPR, FIPS 140-2 and NIST 800-171.
More information on Amazon's AWS security infrastructure can be found at https://aws.amazon.com/security
Monitoring: All production network systems, networked devices and circuits are constantly monitored and logically administered by CafeX personnel.

CafeX proactively monitors information security events and alerts, which provide situational awareness through the detection, containment and remediation of any suspected or actual security incidents.

The underlying physical security, power and internet connectivity infrastructure is actively monitored by AWS.
Location: CafeX uses AWS data centers on the East Coast of the United States of America.
Media protection: CafeX uses AWS availability zones to provide resilience in the event of an AWS data center disaster. Continuous snapshots and backups are maintained to support system failover.

CafeX deploys a multi-layer security strategy, covering everything from data encryption to user access controls. CafeX has rigorous access control policies that employ Role-Based Access Control (RBAC) and a minimum-rights authorization approach. Access to snapshots/backups is subject to these procedures, and only the minimum administrative access necessary to operate the service is granted.
Physical protection: Access privileges are assigned based on business need.

All users are positively identified and authenticated before gaining access to systems, services or data. Access to systems, services or information is determined in accordance with the business requirements of an individual's role and responsibilities. System access requests are logged, monitored and actively reviewed.
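The RBAC and minimum-rights approach described above can be expressed as a deny-by-default permission check that records every decision for review. The following is an added example, not CafeX's own code; the role names, permissions, users and the audit record format are constructed for illustration.

```python
"""Deny-by-default role-based access check with an audit trail.

Added example, not CafeX's own code: it models the RBAC and minimum-rights
approach described in the datasheet. Role names, permissions and the sample
users are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Tuple

# Each role maps to the smallest permission set its holder needs (constructed).
ROLE_PERMISSIONS: Dict[str, FrozenSet[str]] = {
    "support-analyst": frozenset({"tickets:read", "tickets:comment"}),
    "backup-operator": frozenset({"snapshots:read", "snapshots:restore"}),
    "auditor": frozenset({"audit-log:read"}),
}


@dataclass
class AccessDecision:
    user: str
    permission: str
    allowed: bool
    reason: str


@dataclass
class AccessControl:
    # user -> roles; a user with no roles has no permissions at all
    assignments: Dict[str, FrozenSet[str]] = field(default_factory=dict)
    audit_log: List[AccessDecision] = field(default_factory=list)

    def permissions_for(self, user: str) -> FrozenSet[str]:
        """Union of the permissions of every role the user holds."""
        perms = set()
        for role in self.assignments.get(user, frozenset()):
            # An unknown role grants nothing rather than raising: deny by default.
            perms |= ROLE_PERMISSIONS.get(role, frozenset())
        return frozenset(perms)

    def check(self, user: str, permission: str) -> bool:
        """Return True only if some role held by the user grants the permission."""
        granted = permission in self.permissions_for(user)
        reason = "granted by role" if granted else "no role grants this permission"
        # Every request is recorded, allowed or not, so reviewers see denials too.
        self.audit_log.append(AccessDecision(user, permission, granted, reason))
        return granted


def denied_requests(ac: AccessControl) -> List[Tuple[str, str]]:
    """Return (user, permission) pairs that were refused: the review queue."""
    return [(d.user, d.permission) for d in ac.audit_log if not d.allowed]


if __name__ == "__main__":
    ac = AccessControl({"alice": frozenset({"support-analyst"})})
    print(ac.check("alice", "tickets:read"))        # True
    print(ac.check("alice", "snapshots:restore"))   # False
    print(denied_requests(ac))
```

The point of keeping the audit log inside the checker rather than beside it is that a denied request is at least as interesting to a reviewer as a granted one: a burst of denials for one account is what "actively reviewed" access logging is meant to surface.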


Network security


Dedicated security team: The CafeX security team is globally dispersed so that it can respond to security alerts or events at any time.
Protection: The CafeX network is safeguarded with a suite of AWS security services, routine audits and network intelligence technologies that track and block malicious activity and network attacks.

All deployments follow strict testing procedures through independent development, staging and quality assurance environments.

CafeX has telemetry in place to monitor the production environment and uses a full EFK stack for logging and monitoring. CafeX monitors and reviews logs frequently.
Architecture: The CafeX network security architecture spans multiple AWS availability zones.
Risk assessment: CafeX's ISO 27001 management system provides policies and procedures for the risk treatment methodology and business continuity. Any registered risks are reviewed by the Security Management Team.

Business continuity plans are reviewed and tested regularly for effectiveness, completeness of system policies and the associated risk controls.

Vulnerability scanning is performed regularly at the appropriate levels. Reports are analyzed, reviewed and actioned as part of the continual improvement and risk assessment processes.
Network vulnerability scanning: CafeX performs distributed vulnerability scans that return deep insights for quick identification of non-compliant or potentially vulnerable systems.

CafeX uses AWS security tools (e.g. Security Hub, Inspector, GuardDuty and Config) to scan for, report and action any highlighted CVEs.
Third-party penetration tests: CafeX engages external penetration testing experts to perform broad penetration tests across the CafeX production application and network.

Any remedial actions identified as a result of vulnerability testing are logged, planned and actioned based on risk, priority and severity.
Intrusion detection and prevention: Service ingress and egress points are instrumented and monitored to detect anomalous behaviour. These systems generate alerts when incidents or values exceed predetermined thresholds, and use regularly updated signatures based on new threats. Systems are monitored 24/7.
Threat intelligence program: CafeX participates in several threat intelligence sharing programs. CafeX monitors threats posted to these threat intelligence networks and takes action based on risk and exposure.
Logical access: Access to the CafeX production network is restricted on an explicit need-to-know basis, follows least privilege, and is frequently audited and monitored. The CafeX access control policy places many requirements on employees, including password complexity and compulsory use of MFA.
Security incident response: CafeX has a continual improvement and corrective action procedure that details security incident management. In the event of a security alert, events are escalated to the appropriate CafeX teams providing operations, network engineering and security coverage. Employees are trained on security incident response processes, including communication channels and escalation paths.


Personnel security


Personnel on-boarding: As part of the employee background screening policy, CafeX performs several background checks, including: Social Security number (SS#) and identity, address, employment, credit, criminal activity, and a driving licence/DMV check.
Identification and authentication: All on-boarding and access requests are fed through the CafeX ticketing system and follow an approval process; all privileged access requests are reviewed and approved. All access privileges are assigned based on business need.

Access to systems is granted by the business owner or the system owner (or an appointed delegate) and is approved and documented using the ticketing system.
Security awareness and training: All CafeX employees and contractors complete up-to-date security awareness training from an independent, specialised security training platform. Security awareness training is compulsory and refreshed annually.

Additional role-specific security training is allocated based on role, e.g. Secure Application Development: OWASP Top 10 Security Awareness for CafeX developers.


Encryption


Encryption in transit: Communications between you and CafeX servers over public networks are encrypted using industry best-practice protocols such as HTTPS and Transport Layer Security (TLS >1.2). TLS is also supported for encryption of email communications.
Encryption at rest: Customers of CafeX benefit from the protection of encryption at rest for their data. Service data is encrypted at rest in AWS using AES-256.
Tenant-specific encryption: CafeX uses encryption keys that are specific to each tenant to encrypt any stored customer data, so it is not possible for one tenant to decrypt data from another tenant.


Availability and continuity


Uptime: CafeX maintains a publicly available system status page that includes system availability details, scheduled maintenance notices, service incident history and details of any ongoing security incident.

See: CafeX Status or https://status.cafex.com
Maintenance: As part of the ISO 27001 Information Security Management System, CafeX maintains processes relating to the "Info Sec Operations Manual" and the "Secure Development Policy". These policies define processes for change management, including patching and maintenance releases.
Redundancy: CafeX employs service clustering and network infrastructure redundancy to eliminate single points of failure.
CafeX follows strict snapshot/backup policies and procedures, combined with Disaster Recovery services, allowing us to deliver a high level of service availability with data replicated across availability zones.
Disaster recovery: The CafeX Disaster Recovery (DR) program ensures that CafeX services remain available and easily recoverable in the event of a disaster. This is accomplished by building robust technical environmental checkpoints and by frequently testing our Disaster Recovery plans.
Scalable service: CafeX monitors network systems; if values exceed predetermined thresholds, the architecture scales to meet the increase in demand so that quality of service is maintained across tenancies.


Application security

CafeX takes steps to ensure the safety of its customers' data by ensuring secure development practices and focused testing around known security threats. To further enhance security, CafeX engages third-party security experts to conduct thorough penetration tests.


Secure development (SDLC)


Security training: All engineers participate regularly in development-focused training on secure coding strategies, including the OWASP Top 10 security risks, common attack vectors and the security controls implemented as a result.
Quality assurance: The CafeX Quality Assurance (QA) department reviews and tests the CafeX code base to ensure its quality, stability and integrity. CafeX has dedicated security engineers to identify, test and triage any security vulnerabilities present in the code.
Separate environments: CafeX has separate test/development and staging environments which are used, prior to production pushes, for testing any updates, patches and/or configuration changes.
No production service data is used in any of these development/test environments.



Application vulnerabilities


Dynamic vulnerability scanning: CafeX uses qualified third-party tooling to continuously and dynamically scan the CafeX core applications against the OWASP Top 10 security risks. CafeX monitors these results actively and has a dedicated team to remediate any discovered issues.
Static code analysis: The CafeX source code repositories are scanned for security issues using CafeX's integrated static analysis tooling.
System integrity: Any threats, such as library vulnerabilities, vulnerability reports or threat reports, are reviewed immediately to set the appropriate corrective priority and action plan.



Product security features

CafeX makes it seamless for customers to manage access and sharing policies with authentication and single-sign on (SSO) options. All communications with CafeX servers are encrypted using industry-standard protocols, such as HTTPS, over public networks, meaning the traffic between you and CafeX is secure.


Authentication security


Authentication options: CafeX gives you the choice of registering and logging in using the CafeX Authentication Service or via your own Single Sign-On (SSO) for end-user authentication.
Single sign-on (SSO): Single sign-on (SSO) allows you to authenticate users in your own systems without requiring them to enter additional login credentials for your CafeX instance.
Multi-factor authentication (MFA): The CafeX SSO login options let you retain control over your password policies and your MFA requirements.

The CafeX Authentication Service does not support MFA.
Secure credential storage: CafeX adheres to secure credential storage best practice by never storing passwords in a human-readable format; instead it stores the result of a secure, salted, one-way hash.
Tenant segregation: Customers can bring their own storage, which is used only for their data.
CafeX stores data using different encryption keys for each tenant to ensure that it cannot be decrypted or modified by another tenant.
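The "salted, one-way hash" practice described under Secure credential storage is easy to get subtly wrong (reused salts, plain string comparison, leaking whether a username exists). The following is an added example, not CafeX's own code, showing one sound way to do it with Python's standard-library scrypt; the storage format, work factors and sample passwords are constructed for illustration.

```python
"""Storing and verifying passwords as salted one-way hashes.

Added example, not CafeX's own code: it illustrates the 'never store
passwords in human-readable form' practice described in the datasheet using
Python's standard-library scrypt. The record format, work factors and sample
passwords are constructed.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional

# scrypt work factors. N controls CPU/memory cost; these constructed values
# keep the example fast, production deployments would choose larger ones.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SCRYPT_MAXMEM = 64 * 1024 * 1024
SALT_BYTES = 16
HASH_BYTES = 32


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'scrypt$N$r$p$salt_hex$hash_hex' with a fresh random salt per call."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # unique per record, so equal passwords differ
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P,
                            maxmem=SCRYPT_MAXMEM, dklen=HASH_BYTES)
    return "$".join(["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
                     salt.hex(), digest.hex()])


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt/parameters; compare in constant time."""
    try:
        scheme, n, r, p, salt_hex, hash_hex = stored.split("$")
        salt = bytes.fromhex(salt_hex)
    except ValueError:
        return False  # malformed record never authenticates
    if scheme != "scrypt":
        return False
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                               n=int(n), r=int(r), p=int(p),
                               maxmem=SCRYPT_MAXMEM, dklen=len(hash_hex) // 2)
    # hmac.compare_digest avoids leaking the position of the first mismatch.
    return hmac.compare_digest(candidate.hex(), hash_hex)


class CredentialStore:
    """Maps usernames to hash records; plaintext passwords are never persisted."""

    def __init__(self) -> None:
        self._records: Dict[str, str] = {}

    def register(self, username: str, password: str) -> None:
        self._records[username] = hash_password(password)

    def authenticate(self, username: str, password: str) -> bool:
        stored = self._records.get(username)
        if stored is None:
            # Hash anyway so an unknown username costs as much as a wrong
            # password (constructed dummy record); the result is discarded.
            verify_password(password, hash_password("dummy"))
            return False
        return verify_password(password, stored)

    def record(self, username: str) -> str:
        """The stored form, useful to confirm no plaintext is kept."""
        return self._records[username]


if __name__ == "__main__":
    store = CredentialStore()
    store.register("alice", "correct horse battery staple")
    print(store.record("alice"))
    print(store.authenticate("alice", "correct horse battery staple"))  # True
    print(store.authenticate("alice", "wrong"))                         # False
```

Two details carry most of the value here: the salt is generated per record and stored alongside the hash, so two users with the same password produce different records, and the comparison runs in constant time so verification timing does not reveal how much of a guess was right.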



Additional product security features


Role-based access controls: Individual user access to CafeX systems, services or information is determined in accordance with the business requirements of the individual's role and responsibilities (RBAC).
Access to CafeX systems is granted on a 'least-privilege' basis by the business/system owners and, where required, follows an approval process.
Transmission security: All communications with the CafeX UI and API over public networks are encrypted using industry-standard HTTPS/TLS. This ensures that all traffic between you and CafeX is secure in transit.

For email, CafeX uses opportunistic TLS by default. Transport Layer Security (TLS >1.2) encrypts and delivers email securely, mitigating eavesdropping between mail servers where the peer service supports the protocol.
Data retention: Strict data retention policies are in place that apply to content authored using CafeX and to actions taken using the CafeX application. CafeX does not retain data from other applications beyond the references needed to identify content.
Discovery: Discovery applies to content that is authored using CafeX. CafeX does not facilitate discovery across different application boundaries, or inside the content that people bring into CafeX.
Auditing: CafeX activity is available to tenant administrators for 12 months by default. See: Gathering audit logs.



Compliance certification and memberships


CafeX implements security best practices to meet industry-based compliance and the most stringent requirements.


Security compliance


ISO 27001: We at CafeX know that it takes a lot of trust to put your data in the Cloud. As a customer, you need to know that the partners you share this information with have the secure treatment of such information as their top priority. We also understand that we have customers in many different regions, who in turn deal with many different standards and frameworks for the proper treatment of sensitive information. With this in mind, we pursue globally respected industry benchmark standards put forth by the International Organization for Standardization in the form of ISO 27001.

The certificate is available for download, see: CafeX ISO 27001 certificate



Privacy certifications

 


EU-US Privacy Shield: CafeX Communications complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce.

CafeX Communications has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union and the United Kingdom in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF.

For further details about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/


Privacy policy: See the CafeX privacy policy for information about privacy, terms and cookie usage.



Industry-based compliance


Using CafeX in a PCI environment: To ensure credit card data security, we have undergone PCI DSS compliance by completing the Attestation of Compliance for Self-Assessment Questionnaire A. As part of our security management system we have a Payment Card Security Policy (1.2, 2021-01-07), which is reviewed at least annually to attest to the credit card security requirements of the Payment Card Industry Data Security Standard (PCI DSS) program.
HIPAA through the business associate agreement (BAA): To comply with the requirements of HIPAA in the US, CafeX Communications executes a Business Associate Agreement (BAA) with HIPAA-covered entities in the healthcare and medical services industry. We sign a HIPAA Business Associate Agreement (BAA) with our healthcare customers, meaning we are responsible for keeping your patient information secure and for reporting security breaches involving personal healthcare information. HIPAA tenants "bring their own storage" and CafeX does not have access to identifiable health information. We protect and encrypt all data.
CafeX understands and has controls in place (implemented through our ISO 27001 certification) to meet the standards required by HIPAA for the confidentiality, integrity and availability of all data, including controls covering the CafeX workforce.

