Trust posture

Security at Cadence.

A summary of the controls we have in place today, the work that is in flight, and how to reach our team about a security question or vulnerability report. We update this page within 30 days of any material change to our posture.

Last updated: April 25, 2026

Security control

Encryption

Shipped
  • In transit: all traffic to and from the platform is encrypted with TLS 1.3. HTTP traffic is automatically redirected to HTTPS. HSTS is enforced with a one-year max-age.
  • At rest: all customer data stored in our managed Postgres database is encrypted at rest using AES-256. Backups inherit the same encryption standard.

Authentication

Shipped; SSO/SAML in development
  • Multi-factor authentication is required for all customer accounts. We support TOTP (Google Authenticator, Authy, 1Password) with SMS fallback. Backup codes are available.
  • OAuth 2.0 sign-in via Google and Microsoft.
  • Account lockout after repeated failed attempts. Suspicious-pattern detection escalates to additional verification.
  • SAML SSO and SCIM provisioning for enterprise identity providers (Okta, Azure AD, Google Workspace) are in active development. Available on Enterprise plans when shipped.

Access controls

Shipped
  • Postgres Row-Level Security enforces tenant isolation at the database layer. Even with elevated database access, users cannot read other tenants' data.
  • Production access is limited to the Cadence founder and follows our Access Control Policy. All access changes are logged.
  • Quarterly access reviews verify every active production account is still required.
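The tenant-isolation pattern described above, as an added illustration rather than Cadence's own schema or code. It assumes the application queries as a dedicated role (app_user here) and sets a custom setting, app.tenant_id, on each transaction after authenticating the request. One caveat worth knowing when evaluating such a control: Row-Level Security never applies to superusers or to roles with the BYPASSRLS attribute, and it only applies to the table owner when FORCE ROW LEVEL SECURITY is set, so the guarantee depends on the application never connecting as one of those.

```sql
-- Added illustration, not Cadence's schema or code: tenant isolation with
-- Postgres Row-Level Security. Assumed convention: after authenticating a
-- request, the application runs queries as the role app_user and sets the
-- custom setting app.tenant_id for the current transaction.

CREATE TABLE contacts (
    id         bigserial PRIMARY KEY,
    tenant_id  uuid NOT NULL,
    full_name  text NOT NULL
);

-- The application role: not the table owner, not a superuser, no BYPASSRLS,
-- otherwise the policy below would not apply to it.
CREATE ROLE app_user NOLOGIN NOSUPERUSER NOBYPASSRLS;
GRANT SELECT, INSERT, UPDATE, DELETE ON contacts TO app_user;
GRANT USAGE, SELECT ON SEQUENCE contacts_id_seq TO app_user;

ALTER TABLE contacts ENABLE ROW LEVEL SECURITY;
-- FORCE applies the policy to the table owner as well; superusers and roles
-- with BYPASSRLS still bypass it, so the application must never use those.
ALTER TABLE contacts FORCE ROW LEVEL SECURITY;

-- USING filters reads (and the target rows of UPDATE/DELETE); WITH CHECK
-- rejects written rows that belong to another tenant. current_setting(..., true)
-- yields NULL (or '' after a reset) when the setting is absent, so a session
-- without tenant context matches no rows at all instead of every row.
CREATE POLICY tenant_isolation ON contacts
    FOR ALL
    TO app_user
    USING      (tenant_id = nullif(current_setting('app.tenant_id', true), '')::uuid)
    WITH CHECK (tenant_id = nullif(current_setting('app.tenant_id', true), '')::uuid);

-- Constructed sample data for two tenants.
INSERT INTO contacts (tenant_id, full_name) VALUES
    ('11111111-1111-1111-1111-111111111111', 'Alice (tenant A)'),
    ('22222222-2222-2222-2222-222222222222', 'Bob (tenant B)');

-- One request on behalf of tenant A. SET LOCAL scopes both settings to this
-- transaction, so the tenant context cannot leak to the next request that
-- reuses a pooled connection.
BEGIN;
SET LOCAL ROLE app_user;
SET LOCAL app.tenant_id = '11111111-1111-1111-1111-111111111111';
-- The USING clause limits the visible rows to tenant A.
SELECT id, full_name FROM contacts;
-- An INSERT or UPDATE that sets tenant_id to tenant B's id inside this
-- transaction fails the WITH CHECK clause and is rejected.
COMMIT;
```

Using SET LOCAL rather than SET matters with connection pooling: a session-level setting survives the transaction and would carry one tenant's context into whichever request next picks up the same connection.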

Audit logging

Shipped
  • Every mutation in the platform (create, update, delete) is logged with user ID, action, entity, timestamp, IP address, and user agent.
  • Audit logs are tamper-resistant and available to Elite and Enterprise customers on the Audit Log page in the application.
  • Security-sensitive events (2FA enable/disable, password change, OAuth grant) are logged separately and surfaced for review.
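An added illustration of how a mutation log with the fields listed above can be produced and kept append-only inside Postgres; this is not Cadence's implementation. It assumes the application attaches request context (app.user_id, app.client_ip, app.user_agent) to the transaction as custom settings before running the mutation, and uses a constructed notes table as the audited entity.

```sql
-- Added illustration, not Cadence's implementation: an append-only audit
-- table populated by a row-level trigger. Assumed convention: the application
-- passes request context (app.user_id, app.client_ip, app.user_agent) as
-- custom settings on the transaction before running the mutation.

CREATE TABLE audit_log (
    id          bigserial PRIMARY KEY,
    occurred_at timestamptz NOT NULL DEFAULT now(),
    user_id     text,
    action      text NOT NULL,   -- INSERT, UPDATE or DELETE
    entity      text NOT NULL,   -- table that was changed
    entity_id   text,
    client_ip   inet,
    user_agent  text,
    old_row     jsonb,           -- NULL for INSERT
    new_row     jsonb            -- NULL for DELETE
);

-- Records one row per mutation. nullif(..., '') turns an unset setting into
-- NULL rather than failing the inet cast or storing an empty string.
CREATE OR REPLACE FUNCTION audit_mutation() RETURNS trigger
LANGUAGE plpgsql AS $$
BEGIN
    INSERT INTO audit_log
        (user_id, action, entity, entity_id, client_ip, user_agent, old_row, new_row)
    VALUES (
        nullif(current_setting('app.user_id', true), ''),
        TG_OP,
        TG_TABLE_NAME,
        CASE WHEN TG_OP = 'DELETE' THEN OLD.id::text ELSE NEW.id::text END,
        nullif(current_setting('app.client_ip', true), '')::inet,
        nullif(current_setting('app.user_agent', true), ''),
        CASE WHEN TG_OP = 'INSERT' THEN NULL ELSE to_jsonb(OLD) END,
        CASE WHEN TG_OP = 'DELETE' THEN NULL ELSE to_jsonb(NEW) END
    );
    RETURN NULL;   -- AFTER trigger: the return value is ignored
END $$;

-- Tamper resistance inside the database: any UPDATE or DELETE on the audit
-- table is refused by this trigger. Privileges on audit_log should also be
-- limited to INSERT and SELECT for application roles.
CREATE OR REPLACE FUNCTION audit_log_reject_rewrite() RETURNS trigger
LANGUAGE plpgsql AS $$
BEGIN
    RAISE EXCEPTION 'audit_log is append-only: % refused', TG_OP;
END $$;

CREATE TRIGGER audit_log_append_only
    BEFORE UPDATE OR DELETE ON audit_log
    FOR EACH ROW EXECUTE FUNCTION audit_log_reject_rewrite();

-- A constructed entity table wired to the audit trigger.
CREATE TABLE notes (
    id   bigserial PRIMARY KEY,
    body text NOT NULL
);

CREATE TRIGGER notes_audit
    AFTER INSERT OR UPDATE OR DELETE ON notes
    FOR EACH ROW EXECUTE FUNCTION audit_mutation();

-- One request's worth of mutations with its context attached to the transaction.
BEGIN;
SET LOCAL app.user_id    = 'user_42';
SET LOCAL app.client_ip  = '203.0.113.10';
SET LOCAL app.user_agent = 'Mozilla/5.0 (constructed sample)';
INSERT INTO notes (body) VALUES ('first draft');
UPDATE notes SET body = 'second draft' WHERE body = 'first draft';
DELETE FROM notes WHERE body = 'second draft';
COMMIT;

-- Inspect the trail the trigger wrote for the transaction above.
SELECT occurred_at, user_id, action, entity, entity_id, client_ip, user_agent
FROM audit_log ORDER BY id;
```

A rejecting trigger stops ordinary application roles from rewriting history, but a role that can drop the trigger or that owns the table can still do so; for a log that must survive a compromised database account, the rows also need to be shipped to a store the database role cannot write to.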

Infrastructure

  • Hosting: Vercel (United States). SOC 2 Type II attested. Managed certificates and edge network.
  • Database: Supabase Managed Postgres (United States). Daily encrypted backups. Point-in-time recovery for the last 7 days.
  • Payments: Stripe (PCI DSS Level 1). We do not store payment card numbers; Stripe tokenizes all card data.
  • SMS: Twilio (10DLC registered, SOC 2 Type II attested).
  • Email: Resend (SOC 2 Type II in progress).
  • AI: Anthropic Claude API. Customer data sent for AI processing is not used to train Anthropic models under our enterprise agreement.

Vulnerability management

  • Dependency scanning via GitHub Dependabot. Critical findings remediated within 7 days; high within 30 days.
  • Static analysis (TypeScript strict mode, ESLint security rules) enforced in CI.
  • Annual third-party penetration testing planned for Phase 2.
  • Security advisories monitored daily for the libraries we use.

Compliance roadmap

A four-phase roadmap. Phase 1 is in flight today; subsequent phases are sequenced over the next 18 to 24 months.

  • Phase 1 (active): legal documents drafted with SaaS-experienced counsel, cyber and E&O insurance bound, internal security policies ratified, subprocessor list public, this trust page live.
  • Phase 2 (Q3 2026): SOC 2 Type I attestation. Compliance automation platform engagement. CPA firm field work and report. Type II observation period begins immediately after.
  • Phase 3 (Q1 2027): SOC 2 Type II audit, HIPAA Business Associate Agreement template, NY DFS 23 NYCRR 500 compliance, NAIC Data Security Model Law, CCPA / CPRA data subject access endpoint, TCPA compliance engine for SMS automation.
  • Phase 4 (2027+): Hearsay Social partnership, ISO 27001 certification, annual third-party penetration testing, carrier-specific vendor security questionnaires.

HIPAA BAA available on request for customers handling Protected Health Information. CCPA / CPRA: we honor data subject requests within 45 days. Email privacy@renovaagentinc.com. GDPR: Data Processing Agreement available on request.


Incident response

We maintain a documented incident response plan. In the event of a confirmed security incident affecting your data, we will notify affected customers within 72 hours and provide regular updates until resolution. Annual tabletop exercises verify the plan is current and effective.


Subprocessors

Our current list of subprocessors is published at renovaagentinc.com/subprocessors. We provide 30-day advance notice of any material changes to this list. To receive change notices, email subscribe@renovaagentinc.com.


Reporting a security issue

If you discover a security vulnerability or have concerns about our security posture, please email us. We respond to confirmed vulnerability reports within 48 hours and work with researchers in good faith. We do not currently offer a bug bounty program but may launch one in the future.

security@renovaagentinc.com

Documents available under NDA

Enterprise prospects can request the following under a mutual NDA by emailing security@renovaagentinc.com:

  • SOC 2 attestation report (when available)
  • Penetration test summary (when available)
  • Cyber liability and E&O certificates of insurance
  • Incident response runbook
  • Architecture diagrams
  • Internal security policies (Information Security, Access Control, Change Management, Incident Response, Data Classification, Vendor Risk, Backup and DR, Business Continuity, SDLC, Encryption, Password and Authentication, Acceptable Use)

Need our compliance documents?

Email security@renovaagentinc.com to request attestation reports, insurance certificates, or internal policies under a mutual NDA.
