Articles on: Plans and Privacy


CoffeePals Security

Teams Messages Access

CoffeePals has limited access to the messages within Microsoft Teams. This is a function of the security features that Microsoft implements within their bot SDK.

Private Messages

CoffeePals only has access to direct message data with the CoffeePals bot. This means that our platform does not have access to any of your employees personal messages with one another.

Private Group Messages

CoffeePals bot does not have the permission to be added to personal group conversation. For this reason, CoffeePals cannot be added to a private group and therefore, similar to private messages, does not have access to group conversation data.

Channels and teams

CoffeePals only has access to the channels and teams it has been added to. When it is added to a team or channel, it collects the user data of each user to perform the matching function. It also collects user data when a new user joins that team. Information on the data we collect can be found in our Privacy Policy.

CoffeePals only receives messages in which is is mentioned with an @CoffeePals message or replies to such messages. All other messages in the channel will not be sent to our servers. This is a restriction set in place by Microsoft to help protect your company's team messages.

Physical and Network Security

CoffeePals is hosted on Heroku (owned by Salesforce) which employs strict security measures.

Physical Security

Our database is hosted on AWS through MongoDB Atlas. AWS certifies physical security at all of their data centres. They have comprehensive compliance and control over physical access. AWS is accredited against multiple security industry certifications including ISO27001. More about AWS's physical security can be read here. More about MongoDB Atlas's security can be found here.


Every connection made between Microsoft Teams and CoffeePals is end-to-end encrypted over HTTPS and SSL. We also force HTTPS for the CoffeePals web application. Our customer data is encrypted in transit with HTTPS and at rest with AES256. The data is stored in multiple physical locations in the United States through AWS.

Application Security

CoffeePals is built with security in mind. These are some of our key practices in security.


Users are authentication in the CoffeePals web app without using a password. Users are emailed a secure login link containing a token to authenticate them into the application. Once authenticated, we store their authentication token as a cookie in their browser for 14 days. The login link also expires one hour after being sent to the user. This eliminated the ability for their password to be compromised and makes the security of our authentication process as secure as company email.

Payment Information

CoffeePals does not directly store credit card numbers in our database. We use Stripe for payment processing. Stripe has been audited by a PCI-certified auditor and is certified to PCI Service Provider Level 1 which is the most stringent level of certification available in the payments industry. More about Stripe's security can be found here.

Operational Security

These are some of our key operational security practices.

Access Control

Each team member is granted access only to the credentials that they are needed to complete their tasks. We deny by default and only add privileges to those that request and require access.

Our staff uses multi-factor authentication with all the services we use.

Incident Management

We put security issues at the top of our priority list. In compliance with GDPR and regulations, we inform all customers affected by an incident as soon as possible and no longer than 72 hours of detection.

Software Development

Our software gets pushed through multiple environments before making it to production. The software must pass automated tests throughout the process to catch as many issues as possible before reaching production. Every feature that is added requires a pull request and code review that are approved by senior staff.


We log application usage and exceptions as well as track runtime errors and alerts. We investigate and fix any issues as they arise to ensure there are no vulnerabilities in the application.

To see which data we collect, read our Privacy Policy and Terms of Service. If you have specific enquires, please email

Updated on: 10/02/2022

Was this article helpful?

Share your feedback


Thank you!