Compliance Programs

ISO27001:2013

Our move to software as a service has driven the need to demonstrate publicly to our customers that we adhere to industry-accepted standards for information security. Our goal is to give all our stakeholders confidence that we have world-class IT security policies and procedures across the business.

ISO 27001 is a globally recognised certification, which means that wherever our customers are located they can be assured that CaféX adheres to a consistent set of standards approved worldwide.

Our ISO27001:2013 certificate of compliance is available here.

PCI-DSS

To ensure credit card data security, we have undergone PCI-DSS compliance.

Our PCI certificate is available here.

EU-US Privacy Shield

We operate across the globe and serve customers in the United States and the European Union; CaféX is certified under the Department of Commerce EU-US Privacy Shield for the EU.

GDPR

CaféX Communications are committed to ensuring the security and protection of the personal information that we process, and to providing a compliant and consistent approach to data protection. We have always had a robust and effective data protection programme in place which complies with existing law and abides by the data protection principles. However, we recognise our obligation to update and expand this programme to meet the demands of the GDPR.

CaféX are dedicated to safeguarding the personal information under our remit and to developing a data protection regime that is effective, fit for purpose and demonstrates an understanding of, and appreciation for, the new Regulation. Our preparation and objectives for GDPR compliance are summarised in this statement and include the development and implementation of new data protection roles, policies, procedures, controls and measures to ensure maximum and ongoing compliance.

For more information, please click here.

Requests for information on our GDPR compliance status should be directed to the Information Security & Compliance Officer at compliance@cafex.com.

HIPAA through the Business Associate Agreement (BAA)

To comply with the requirements of HIPAA in the US, CaféX Communications executes a Business Associate Agreement (BAA) with HIPAA-covered entities in the health and medical services industry. The BAA certifies that CaféX Communications protects personal health information (PHI) in accordance with HIPAA guidelines. In support of the BAA, CaféX protects customer data in the following ways:

  • Data in transit (e.g., the chat between a patient and the medical facility) is encrypted using TLS 1.2 with 128-bit AES encryption.

  • Data at rest (e.g., a stored chat transcript) is encrypted using 192-bit AES.

Note that customers cannot control the security keys used to encrypt and decrypt data. This is done to ensure that security keys are not inadvertently exposed or revealed. Also, the keys used to encrypt the data at rest are broken up into multiple parts, and each part is stored in a different location within the Cloud solution.

This method of key storage means that an attacker who compromises or gains access to a single storage location cannot retrieve the complete key needed to decrypt an account's data.
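The split-key storage described above, as an added illustration that is not CaféX's code and makes no claim about how their Cloud solution actually implements it: an n-of-n XOR split of a 192-bit AES key into several parts, each held in a different location. Every part on its own is uniformly random and says nothing about the key; the key is recovered only when all parts are brought together. The function names, the three-location layout and the location names are assumptions made for the example.

```python
import secrets
from typing import Dict, List

# The page states data at rest is protected with 192-bit AES, so that is the key size used here.
KEY_BYTES = 192 // 8


def _xor(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("parts must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def split_key(key: bytes, parts: int) -> List[bytes]:
    """n-of-n XOR split (an assumed scheme, not the page's).

    parts-1 shares are fresh random bytes; the last share is the key XORed with
    all the others. Any proper subset of the shares is statistically independent
    of the key, so one leaked location reveals nothing.
    """
    if parts < 2:
        raise ValueError("a split into fewer than two parts adds no protection")
    shares = [secrets.token_bytes(len(key)) for _ in range(parts - 1)]
    last = key
    for share in shares:
        last = _xor(last, share)
    shares.append(last)
    return shares


def combine_key(shares: List[bytes]) -> bytes:
    """XOR every share together. Yields the key only when every share is present;
    with a share missing the result is just another random value."""
    if not shares:
        raise ValueError("no shares supplied")
    out = bytes(len(shares[0]))
    for share in shares:
        out = _xor(out, share)
    return out


def store_across_locations(shares: List[bytes], locations: List[str]) -> Dict[str, bytes]:
    """Hypothetical placement: exactly one share per distinct storage location,
    so compromising a single location exposes a single share only."""
    if len(locations) != len(shares) or len(set(locations)) != len(locations):
        raise ValueError("need exactly one distinct location per share")
    return dict(zip(locations, shares))


if __name__ == "__main__":
    # Constructed sample key; a real deployment would generate it with secrets.token_bytes(KEY_BYTES).
    sample_key = bytes(range(KEY_BYTES))
    parts = split_key(sample_key, 3)
    placed = store_across_locations(parts, ["location-a", "location-b", "location-c"])
    for name, share in placed.items():
        print(f"{name}: {share.hex()}")  # each line alone is indistinguishable from random
    print("recovered:", combine_key(list(placed.values())) == sample_key)
```

The XOR split is deliberately all-or-nothing: losing any one location means the key, and therefore the data, is unrecoverable, so a real deployment pairs this kind of split with backups of each share or uses a threshold scheme. The example is meant only to show why a single compromised location is not enough to decrypt an account's data.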

SSAE 16 SOC2 Type 1

The successful completion of our SOC 2® Type I examination audit provides our clients with the assurance that the controls and safeguards we employ to protect and secure their data are in line with industry standards and best practices.

Our certificate is available here.

Our Type 1 report is available subject to NDA; please contact your account manager or email compliance@cafex.com.

We are working towards our Type 2 certification, which will be available in May 2019.