Data processing agreement (DPA)

This DPA is incorporated into the Cadence terms of service when your organization processes personal data through the platform. Enterprise customers can request a counter-signed PDF at legal@cadence.work.

1. Roles

You (the customer) are the data controller. Cadence is the data processor. We process data only on your documented instructions, which are: provide the platform service, run matching, bill, message, and support.

2. Sub-processors

Current sub-processors:

• Vercel (hosting), Neon (Postgres), Resend (email), Stripe / Razorpay (payments), Daily.co (video), Pusher (real-time), Anthropic (interview grading), PostHog (analytics), Sentry (errors), Vercel Blob (file storage).

We notify enterprise customers 30 days before adding a new sub-processor.

3. Security measures

• Encryption at rest (AES-256) and in transit (TLS 1.3).
• Access on principle of least privilege; quarterly access review.
• Annual penetration test by independent firm.
• Bug bounty program: security@cadence.work.
• SOC 2 Type II audit in progress (target Q3 2026).

4. Breach notification

We notify affected customers within 72 hours of confirmed material breach.

5. Data subject rights

We support access, rectification, erasure, portability, restriction, and objection requests. Forward such requests to privacy@cadence.work.

6. International transfers

Standard Contractual Clauses (EU 2021) apply for transfers from EU/UK to the US. Indian PIPL and Singapore PDPA are followed where applicable.

7. Term & deletion

This DPA stays in effect for the duration of the service. Within 60 days of termination, all customer personal data is deleted from production systems and within 12 months from backups.