Security at Cadence

How we protect your planning data. We describe only the controls we actually run today — and we’re explicit about what we don’t yet have.

SOC 2 status: Cadence is not yet SOC 2 certified. A SOC 2 audit is on our roadmap. Until then we operate the controls below and are happy to share a security overview or complete a security questionnaire on request.

Tenant isolation

  • Row-level isolation. Each organization’s data is separated by row-level security policies in the database, keyed to your organization membership.
  • Defense in depth. Every request is independently scoped to your organization in the application layer, so a single missed check can’t leak data across tenants.

Encryption

  • In transit. All traffic is HTTPS, enforced with HSTS (two-year max-age, preload).
  • At rest. Data is encrypted at rest by our database provider. Sensitive integration credentials (for example, ERP authentication headers) are additionally encrypted in the application with AES-256-GCM before they are stored.

Access control

  • Least-privilege roles. Owner, admin, member, and read-only viewer roles. Write access is gated at the route layer and backstopped by database policies.
  • Managed secrets. Application secrets live in our hosting platform’s managed secret storage — never in the application database — and are rotated on a regular schedule.

API keys & webhooks

  • Hashed keys. API keys are hashed before storage (we never keep the plaintext) and can be scoped, given an expiry, and revoked. Each key records its last-used time and IP.
  • Signed webhooks. Outbound webhooks are signed with HMAC-SHA256 and timestamped for replay protection; inbound billing webhooks (Stripe) are signature-verified.

Application hardening

  • SSRF protection. Admin-supplied integration URLs are validated against private and cloud-metadata address ranges, at both save time and fetch time.
  • Security headers. HSTS, X-Frame-Options: DENY, X-Content-Type-Options: nosniff, and a strict Referrer-Policy on every response.
  • Validated input. Request bodies are schema-validated before they reach business logic.

AI spend controls

  • Hard monthly cap. AI usage is metered and capped server-side before any model call fires, so spend can’t run away. The cap is set by your plan plus any top-ups you choose.

Operations

  • Audit log. Privileged actions — vendor-portal impersonation and organization lifecycle changes — are written to an append-only security audit log.
  • Backups. The database is backed up automatically every day and can be restored on demand.
  • Data region. Customer data is stored in the United States.
  • Incident response. We maintain documented playbooks for security and availability incidents.

Reporting a vulnerability

Found a security issue? Email security@plancadence.com and we’ll respond promptly. Please give us a reasonable window to remediate before any public disclosure.

Last reviewed June 2026. This page describes our current controls and is updated as they change.

© 2026 Cadence Labs, Inc.cadence