Salesforce - Paubox (Secure Emails)

Cloud Maven’s “Secure Data Transports” integrates seamlessly with Paubox. Paubox offers a comprehensive set of features and services that make key management and encryption of PHI easy to manage and easier to audit, including the Key Management Service (KMS). Master keys in KMS can encrypt and decrypt the data encryption keys used to encrypt customer PHI. Data encryption keys are protected by customer master keys stored in KMS, which creates a highly auditable key hierarchy because API calls to KMS are logged.
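The key hierarchy described above, as an added example (not Paubox or Cloud Maven code): a master key wraps per-record data keys, the data keys encrypt the PHI, and every call that touches the master key is logged. `LocalKms`, `seal`, `unseal`, the record layout and the caller names are assumptions made for illustration; a real KMS keeps the master key in a separate service.

```ruby
require 'openssl'

# AES-256-GCM; output layout is nonce (12 bytes) || tag (16 bytes) || ciphertext.
def seal(key, plaintext)
  c = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  c.key = key
  nonce = c.random_iv
  ciphertext = c.update(plaintext) + c.final
  nonce + c.auth_tag + ciphertext
end

# Raises OpenSSL::Cipher::CipherError on a wrong key or modified data.
def unseal(key, blob)
  raise ArgumentError, 'blob too short' if blob.bytesize <= 28
  c = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  c.key = key
  c.iv = blob.byteslice(0, 12)
  c.auth_tag = blob.byteslice(12, 16)
  c.update(blob.byteslice(28, blob.bytesize - 28)) + c.final
end

# Hypothetical local stand-in for a KMS: holds the master key, logs every call.
class LocalKms
  attr_reader :audit
  def initialize
    @master = OpenSSL::Random.random_bytes(32)
    @audit = []
  end

  # Returns a fresh data key in plaintext (use, then discard) and wrapped form.
  def generate_data_key(caller_id)
    @audit << "GenerateDataKey caller=#{caller_id}"
    plain = OpenSSL::Random.random_bytes(32)
    [plain, seal(@master, plain)]
  end

  def decrypt(caller_id, wrapped_key)
    @audit << "Decrypt caller=#{caller_id}"
    unseal(@master, wrapped_key)
  end
end

def encrypt_record(kms, caller_id, phi)
  data_key, wrapped = kms.generate_data_key(caller_id)
  { wrapped_key: wrapped, ciphertext: seal(data_key, phi) } # all that is stored
end

def decrypt_record(kms, caller_id, record)
  unseal(kms.decrypt(caller_id, record[:wrapped_key]), record[:ciphertext])
end
```

Because the stored data key is only usable after a logged `decrypt` call, the audit log records every read of a record, including attempts that fail authentication.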

Workflow Diagram

  1. A Salesforce user composes an email using a custom screen inside Salesforce. The user clicks the “Send” button, which triggers the email and creates an email record inside Salesforce attached to the entity.

  2. The system sends an HTTPS REST API request to Paubox to send the email. Data in transit is encrypted using the TLS 1.3 or TLS 1.3+ protocol, and data at rest is encrypted using AES 256 encryption.

  3. The patient/customer receives the encrypted email. If the patient/customer is using a browser (email client) that supports TLS 1.3 or TLS 1.3+, the customer will see the email; otherwise, they will see a hyperlink inside the email, which takes the user to a Paubox-hosted secure page.

  4. The patient/customer email server sends the delivery status back to Paubox.

  5. Salesforce pulls the delivery data (~12 seconds) and the email messageId into Salesforce using the API over an HTTPS connection. (This Id will be used for threading the patient/customer response.)

Cloud Maven, Inc. doesn’t store or transmit data using our servers. We don’t have access to the client’s data in transit or at rest.

Data at rest outside Salesforce is encrypted using AES 256 encryption. Data in Salesforce can be encrypted using the Salesforce Shield product.

How Paubox Works

Paubox offers 4 secure message authentication options:

  1. Seamless: When sending to recipients who support TLS 1.2+, emails are delivered as seamlessly as regular emails, requiring zero steps to read the encrypted email. This will reflect 97% - 99% of your email volume, depending on.

  2. Secure Link: When sending to recipients who DO NOT support TLS 1.2+, emails will require just 1 click to read, redirecting to the Secure Message Center.

  3. Secure Login: When sending to recipients who DO NOT support TLS 1.2+, emails will require 1 click to read, redirecting to the Secure Message Center. This "View Message" link is only suitable for one-time use. After it is clicked a second time, another email with a new "View Message" link is sent to the original recipient.

  4. MFA: When sending to recipients who DO NOT support TLS 1.2+, a phone number must be entered the first time they receive a message from this sender. They will then be sent a 6-digit code via SMS to access the message within the Secure Message Center.

*Authentication options #2, #3 and #4 can all be forced for any email of your choice using the Email API, regardless of whether the recipient supports a high enough level of encryption.

Documents Provided by Paubox

Schema Diagram

All data will be stored inside Salesforce. “Secure EmailMessage” can be linked to any object.