CoffeePals has limited access to the messages within Microsoft Teams. This is a function of the security features that Microsoft implements within their bot SDK.
CoffeePals only has access to direct message data exchanged with the CoffeePals bot. This means that our platform does not have access to any of your employees' personal messages with one another.
The CoffeePals bot does not have permission to be added to private group conversations. For this reason, CoffeePals cannot be added to a private group and, as with private messages, does not have access to group conversation data.
CoffeePals only receives channel messages in which it is mentioned with @CoffeePals, or replies to such messages. All other messages in the channel are never sent to our servers. This restriction is enforced by Microsoft to help protect your company's team messages.
CoffeePals is hosted on Heroku (owned by Salesforce) which employs strict security measures.
Our database is hosted on AWS through MongoDB Atlas. AWS certifies physical security at all of their data centres. They have comprehensive compliance and control over physical access. AWS is accredited against multiple security industry certifications including ISO27001. More about AWS's physical security can be read here. More about MongoDB Atlas's security can be found here.
Every connection made between Microsoft Teams and CoffeePals is encrypted over HTTPS (SSL/TLS). We also force HTTPS for the CoffeePals web application. Our customer data is encrypted in transit with HTTPS and at rest with AES-256. The data is stored in multiple physical locations in the United States through AWS.
CoffeePals is built with security in mind. These are some of our key practices in security.
Users are authenticated in the CoffeePals web app without using a password. Users are emailed a secure login link containing a token that authenticates them into the application. Once authenticated, we store their authentication token as a cookie in their browser for 14 days. The login link itself expires one hour after being sent to the user. This eliminates the possibility of a password being compromised and makes our authentication process as secure as the company's email.
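The passwordless flow described above, as an added illustration that is not CoffeePals' own code: a single-use login token that expires one hour after issue is exchanged for a 14-day session. Storage, token format and the in-memory stores are assumptions; only the two lifetimes come from the text.

```python
import hashlib
import secrets

LINK_TTL = 60 * 60            # login link expires one hour after it is sent
SESSION_TTL = 14 * 24 * 3600  # session cookie is kept for 14 days


class MagicLinkAuth:
    """Illustrative passwordless login (not the vendor's implementation).

    Tokens are stored only as SHA-256 digests, so a leaked copy of the store
    cannot be replayed as a login link; each token is consumed on first use."""

    def __init__(self):
        self._pending = {}   # token digest -> (email, expires_at)
        self._sessions = {}  # session-id digest -> (email, expires_at)

    @staticmethod
    def _digest(value: str) -> str:
        return hashlib.sha256(value.encode()).hexdigest()

    def issue_token(self, email: str, now: float) -> str:
        """Create the token that is embedded in the emailed login link."""
        token = secrets.token_urlsafe(32)
        self._pending[self._digest(token)] = (email, now + LINK_TTL)
        return token

    def redeem(self, token: str, now: float):
        """Exchange a link token for a session id. Returns None if the token is
        unknown, already used, or older than one hour."""
        record = self._pending.pop(self._digest(token), None)  # pop => single use
        if record is None:
            return None
        email, expires_at = record
        if now > expires_at:
            return None
        session_id = secrets.token_urlsafe(32)
        self._sessions[self._digest(session_id)] = (email, now + SESSION_TTL)
        return session_id

    def session_email(self, session_id: str, now: float):
        """Resolve a cookie value to the signed-in user, or None if expired/unknown."""
        record = self._sessions.get(self._digest(session_id))
        if record is None or now > record[1]:
            return None
        return record[0]
```

Because redemption pops the pending record, a link forwarded or intercepted after its first use fails even inside the one-hour window.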
CoffeePals does not directly store credit card numbers in our database. We use Stripe for payment processing. Stripe has been audited by a PCI-certified auditor and is certified to PCI Service Provider Level 1 which is the most stringent level of certification available in the payments industry. More about Stripe's security can be found here.
These are some of our key operational security practices.
Each team member is granted access only to the credentials they need to complete their tasks. We deny by default and add privileges only for those who request and require access.
Our staff uses multi-factor authentication on all the services we use.
We put security issues at the top of our priority list. In compliance with GDPR and related regulations, we inform all customers affected by an incident as soon as possible, and no later than 72 hours after detection.
Our software is promoted through multiple environments before reaching production. It must pass automated tests at each stage to catch as many issues as possible before release. Every feature that is added requires a pull request and a code review approved by senior staff.
We log application usage and exceptions and track runtime errors and alerts. We investigate and fix issues as they arise so that vulnerabilities do not persist in the application.