Security & Trust

Built with privacy at the center, not bolted on later.

Cadence operates on sensitive workforce data — 1:1 conversations, performance records, HR cases, compensation context. We hold this data with the care it demands. Here's exactly how we think about security, consent, and compliance.

Security Architecture

The fundamentals — without the marketing spin.

This page is for security-conscious buyers, legal teams, and IT professionals who need specifics, not vague reassurances.

🔐

Encryption

All data encrypted at rest (AES-256) and in transit (TLS 1.3). Customer-specific key management is on our Q3 2026 roadmap. AI processing runs over encrypted channels and returns results to isolated tenant environments.

🏗️

Infrastructure

Hosted on Google Cloud Platform (GCP) in us-central1. Production workloads run on Cloud Run (containerized, auto-scaling). Database: Cloud SQL (PostgreSQL) with point-in-time recovery. Redis for caching only — no PII.

🔒

Access Control

Persona-based access control is live in production: self-serve workspaces provision role-scoped views for admins, HR/CHRO, managers, and employees, so each role sees only what it should. Fully custom role definitions remain roadmap.

📋

Audit Logging

Administrative actions and access to sensitive ER records generate audit logs. Export packaging and full AI-output audit coverage are handled case-by-case during beta unless separately verified for a tenant.

🧪

AI Data Handling

Cadence does not train AI models on customer data. AI summaries and coaching process meeting content only for that tenant's outputs and are not used in model training.

🛡️

Vulnerability Management

Dependency scanning on every CI build. Container image scanning before deploy. Security patches applied within 48 hours for critical CVEs. Penetration test cadence: annual. Bug bounty program: coming Q3 2026.

Compliance Posture

Where we stand on each regulation.

Honest, current, with GA gate requirements stated clearly. Last updated: July 2026.

RegulationCadence PostureStatus / Gate
GDPR
EU / EEA employee data
Cadence acts as a data processor for customer workforce data. Consent UX provides transparency and control; it is not the sole lawful basis. EU employee recording requires lawful-basis mapping, DPIA, and non-recording fallback.In Progress
DPIA, lawful basis mapping, DSR workflow, and transfer register required before EU production launch.
CCPA / CPRA
California employee data
Cadence is a service provider / contractor by default. No sale or sharing of workforce data. Employee rights workflow covers access, deletion, and correction requests.Ready
Notice at collection, access/delete/correct workflows, and sensitive personal information review complete.
BIPA
Illinois biometric data
Voiceprint and speaker identification are biometric data under BIPA. Cadence's position: plain audio transcript is allowed under recording consent controls; speaker ID, voice profiling, and voice matching are disabled without specific BIPA approval. No biometric features without written release.Protected
No identity-capable voice features without explicit BIPA-compliant written release and retention policy.
Recording Law
Multi-jurisdiction
Product policy is all-party consent everywhere — stricter than most applicable laws. Jurisdiction resolution happens at session time. Unknown jurisdictions default to recording off.Implemented
Consent receipt chain, visible recording state, stop-on-revoke, and non-recording fallback all in production.
SOC 2 readiness
Security audit readiness
SOC 2 readiness is in progress. Current controls are being prepared against the Trust Services Criteria. Controls documentation is available to enterprise customers under NDA.Readiness in progress
Controls documentation in progress. Auditor engagement pending — no signed engagement letter yet.
Data Retention

Default retention — no surprises.

We believe in stating retention periods clearly. These are defaults; Enterprise customers can configure custom periods within policy bounds.

Data ClassDefault RetentionNotes
Raw audio (if recorded)15 daysAuto-deleted unless legal hold or approved customer extension. Never used for AI training.
Meeting transcript (draft)180 daysDelete or promote to approved summary. Employee can request deletion at any time.
AI coaching outputs365 daysRetention and lane visibility are configured during preview tenant setup. Not used for AI model training.
Consent & policy receipts7 yearsImmutable evidence records. Tamper-evident and access-controlled. Not deletable by tenant admins.
ER case records7 years after case closureLegal hold overrides deletion. Live role-based access separates workspace admin, manager, and employee views; deeper HR, executive, and auditor policy surfaces remain entitlement-scoped.
1:1 notes and agendasDuration of employment + 1 yearEmployee can export their own data at any time via DSAR process.
Survey responses3 yearsRaw responses anonymized at source. Aggregated insights retained longer.

Data subject access requests (DSARs) can be submitted via your HR admin or directly at [email protected]. We respond within 30 days.

Security Roadmap

Where we're going, and when.

Our security maturity roadmap — honest about current state and committed target dates.

Done

Encryption at rest and in transit

AES-256 at rest, TLS 1.3 in transit. In production.

Q3 2026

Customer-specific key management

Additional customer-specific key controls. Targeted Q3 2026.

Done

All-party consent architecture

Fail-closed consent system with immutable receipt chain, revocation hooks, and non-recording fallback. In production.

Roadmap

Access control roadmap

Live role-based access separates workspace admin, manager, and employee views. Deeper HR, executive, and auditor policy surfaces remain entitlement-scoped.

Done

CCPA employee rights workflow

Access, deletion, correction, and export workflows in production. DSAR response SLA: 30 days.

Q3 2026

SOC 2 readiness

Controls documentation in progress. Auditor engagement pending — no signed engagement letter yet.

Q3 2026

GDPR DPIA and EU launch prerequisites

Data Protection Impact Assessment, lawful basis mapping, and EU data residency option in progress.

Q4 2026

Penetration test (annual)

External penetration test by certified third party. Summary report available to Enterprise customers on request.

Q4 2026

Bug bounty program

Responsible disclosure program with CVSSv3-based rewards. Details to be published at cadencehr.ai/security/bounty.

Data Processing Agreement

DPA process for enterprise customers.

Enterprise customers — and any customer with EU employees or GDPR obligations — can request a Data Processing Agreement (DPA). Our standard DPA covers:

  • Processing scope and data categories
  • Sub-processor list with geographic locations
  • Security measures and audit rights
  • Data subject rights obligations
  • Data breach notification procedures (72-hour GDPR timeline)
  • Data transfer mechanisms (SCCs for EU/EEA)
  • Deletion and return of data on contract end
Request a DPA →
Sub-Processors

Current sub-processor list

Sub-ProcessorPurposeLocation
Google Cloud PlatformInfrastructure, storage, databaseUS (us-central1)
AnthropicAI coaching generationUS
CloudflareCDN, DDoS protection, email routingGlobal edge
StripePayment processingUS / EU

Full sub-processor list with notification policy available to customers on request.

Security questions? Talk to us directly.

If you have specific security or compliance requirements, we'd rather have a real conversation than send you a generic PDF. Reach out and we'll schedule time with our engineering and legal team.