Trust Centre

Security, privacy, and operational assurance.

This page summarises how Cadence approaches data handling, access control, regional privacy obligations, and customer assurance for regulated work.

Data handling

Operational data practices

The Trust Centre is intended as a concise assurance view. More detailed diligence material can be provided during a live review process where appropriate.

01

Processing model

Cadence acts as a processor for client operational data inside customer modules and separately manages its own security and audit metadata.

02

Access control

User access is role-based. Admin-only functions are separated from standard user access, and repeated failed sign-in attempts trigger account lockout controls.

03

Audit logging

Security-sensitive actions generate append-only audit records designed to avoid personal data, raw document content, and secret values.

04

Retention and deletion

Expired tokens, stale login-attempt records, and aged audit material are cleaned up on a defined schedule. Customer-specific retention is handled through documented procedures.

05

AI use boundary

New AI vendors require review before approval, and personal data must not be sent to public AI tools outside the approved policy boundary.

06

Regional positioning

EU customer data is intended to use an EU-region database project by default, while the same minimisation and review controls are applied for Australian work.

Security & compliance

Built for regulated work.

Cadence is designed for environments where uploaded files, operational credentials, and client records need clear controls from the first day of delivery.

01

In-memory processing

Uploaded documents and generated outputs are processed in memory and are not retained after the task is complete.

02

Encrypted credentials

Operational secrets are encrypted at rest and decrypted in memory only when a module needs them.

03

MFA enforced

Every user account is protected with multi-factor authentication and access is limited by role.

04

Metadata-only audit logs

Audit trails record who did what and when without storing document content, raw transaction data, or secrets.

05

Privacy review before change

New modules and material processing changes are reviewed against privacy obligations before release.

06

EU and Australian privacy support

Cadence is positioned to support EU and Australian work with documented controller-processor boundaries and data minimisation.

Hosting and vendors

Platform infrastructure at a glance

Vendor use is kept deliberately small and reviewed before production customer data is sent to a new service.

Hosting

Fly.io

Website and application hosting are managed on Fly.io, with staging kept separate from production.

Database

Supabase PostgreSQL

Persistent application data is stored in Supabase PostgreSQL, with managed backups and restore testing requirements.

Email

Transactional mail provider

Transactional email is used for account setup, password reset, and MFA flows. Production vendors are reviewed before use.

Source control

GitHub

Source control and deployment workflows are managed through GitHub with separate staging and production branches.

Public material

Available assurance information

Some material is public by default. Additional assurance documents can be shared during customer diligence where appropriate.

Public policy

Privacy Policy

Overview of the information Cadence collects, why it is used, and how privacy requests can be made.

Assurance summary

Trust Centre

Security overview, data handling principles, regional privacy positioning, and infrastructure summary.

On request

Additional diligence material

Where appropriate, further information can be discussed during a customer review process subject to scope and confidentiality.

Questions

Need a closer assurance review?

Send the context for your diligence process and the questions you need answered. We can take the conversation from there.