How we protect your data

Security at Cadence

Cadence handles two sensitive things: founder business context and engineer income data. We design assuming both will be valuable to attackers.

Compliance posture

  • SOC 2 Type II: audit in progress, target Q3 2026.
  • GDPR / UK GDPR: Data Processing Agreement available; SCCs for EU data transfers.
  • CCPA: California residents can request access, deletion, and opt out of sale (we don't sell data).
  • India DPDP Act: compliance review complete; engineers in India are covered.

Infrastructure

  • Hosted on Vercel + Neon (Postgres). Single-region primary, global edge cache for read paths.
  • Encryption at rest: AES-256. In transit: TLS 1.3. Database connections go through PgBouncer with TLS.
  • Secrets in Vercel encrypted env vars; rotated quarterly. No secrets in source.

Access controls

  • Production database write access: 2 engineers + founder. All access logged.
  • Quarterly access review; access auto-expires for inactive employees.
  • Production deploys require approval + automated test suite green.

App-level

  • Auth.js session cookies are httpOnly and secure, with a 30-day expiry. Magic-link tokens are single-use.
  • Passwords are never stored; sign-in is magic-link only.
  • Stripe / Razorpay handle PCI scope; we never see card data.
  • Rate limiting on sign-in, signup, and webhook endpoints.
  • CSRF protection via Auth.js.

Reporting

Found a vulnerability? Email security@cadence.work. We acknowledge within 24 hours, fix critical issues within 5 business days, and recognize researchers in our changelog.

Sub-processors

See our DPA for the current list. We give 30 days' notice before adding sub-processors.