Security at Cadence
How we protect your planning data. We describe only the controls we actually run today — and we’re explicit about what we don’t yet have.
SOC 2 status: Cadence is not yet SOC 2 certified. A SOC 2 audit is on our roadmap. Until then we operate the controls below and are happy to share a security overview or complete a security questionnaire on request.
Tenant isolation
- Row-level isolation. Each organization’s data is separated by row-level security policies in the database, keyed to your organization membership.
- Defense in depth. Every request is independently scoped to your organization in the application layer, so a single missed check can’t leak data across tenants.
Encryption
- In transit. All traffic is HTTPS, enforced with HSTS (two-year max-age, preload).
- At rest. Data is encrypted at rest by our database provider. Sensitive integration credentials (for example, ERP authentication headers) are additionally encrypted in the application with AES-256-GCM before they are stored.
Access control
- Least-privilege roles. Owner, admin, member, and read-only viewer roles. Write access is gated at the route layer and backstopped by database policies.
- Managed secrets. Application secrets live in our hosting platform’s managed secret storage — never in the application database — and are rotated on a regular schedule.
API keys & webhooks
- Hashed keys. API keys are hashed before storage (we never keep the plaintext) and can be scoped, given an expiry, and revoked. Each key records its last-used time and IP.
- Signed webhooks. Outbound webhooks are signed with HMAC-SHA256 and timestamped for replay protection; inbound billing webhooks (Stripe) are signature-verified.
Application hardening
- SSRF protection. Admin-supplied integration URLs are validated against private and cloud-metadata address ranges, at both save time and fetch time.
- Security headers. HSTS, X-Frame-Options: DENY, X-Content-Type-Options: nosniff, and a strict Referrer-Policy on every response.
- Validated input. Request bodies are schema-validated before they reach business logic.
AI spend controls
- Hard monthly cap. AI usage is metered and capped server-side before any model call fires, so spend can’t run away. The cap is set by your plan plus any top-ups you choose.
Operations
- Audit log. Privileged actions — vendor-portal impersonation and organization lifecycle changes — are written to an append-only security audit log.
- Backups. The database is backed up automatically every day and can be restored on demand.
- Data region. Customer data is stored in the United States.
- Incident response. We maintain documented playbooks for security and availability incidents.
Reporting a vulnerability
Found a security issue? Email security@plancadence.com and we’ll respond promptly. Please give us a reasonable window to remediate before any public disclosure.
Last reviewed June 2026. This page describes our current controls and is updated as they change.