Trust & Security

Cadences.work stores employee performance feedback and time-tracking data — content people care about deeply. This page sets out the controls we use to protect it, the third parties involved, and how we respond when something goes wrong. We update it whenever the underlying controls change.

At a glance

Data residency: EU (Ireland)
Application and database hosted in EU regions on Vercel and Supabase.

Encryption: TLS 1.2+ in transit; AES-256 at rest
Inherited from the Supabase / Postgres storage layer.

End-user sign-in: Passwordless by default
Magic-link / email OTP via Supabase Auth. SAML / OIDC SSO configurable per tenant.

Admin MFA: Enforced on every admin account
TOTP via Google Authenticator and Google 2-Step Verification on the founder's Google identity, including for services using Google SSO.

Backups: Point-in-time recovery; target RPO 2 min / RTO ~30 min
Backups encrypted and retained 30 days.

AI features: Experimental — disabled by default
All AI features are experimental and require an explicit per-organisation opt-in. Cadences does not train any model on customer data.

ISO 27001: Working toward audit readiness
Operating to ISO 27001 Annex A controls; certificate targeted during 2027 once a customer requires it.

Where customer data lives

Cadences.work runs on Vercel (application and edge network) and Supabase (managed PostgreSQL, authentication, and object storage). Both providers hold SOC 2 Type II and ISO 27001 attestations, and we host customer data exclusively in Ireland (Supabase eu-west-1; Vercel functions in dub1). We do not operate our own datacentres.

For the full list of vendors that touch customer data, see our Sub-processors page. Customers can subscribe to changes — we give 30 days' notice before adding a new sub-processor.

Encryption

All data is encrypted in transit with TLS 1.2 or higher, and at rest with AES-256. API secrets are stored in Vercel and Supabase environment-variable systems and are never committed to source control.

Authentication

End-user sign-in is passwordless by default. Users identify themselves with their work email; Cadences either redirects them to their employer's identity provider where SAML or OIDC SSO is configured for the tenant, or sends a single-use magic-link / email OTP via Supabase Auth. Magic-link tokens are short-lived and bound to one redemption. Session tokens and refresh tokens are rotated automatically by Supabase. Cadences does not store user passwords.

Access control

Multi-factor authentication is enforced on every administrative account on the Cadences side (GitLab, Vercel, Supabase, Postmark, OpenAI, domain registrar, password manager, email). API keys are rotated at least annually and immediately on any suspicion of compromise; access permissions are reviewed quarterly. The first scheduled rotation and review cycle runs in 2026.

AI features

All AI features are experimental and disabled by default. Cadences does not enable AI for any organisation without an explicit opt-in by an administrator of that organisation. When AI is enabled, only the relevant feedback text needed for the requested operation is sent to OpenAI's API; no profile data, identifiers, or full user records are added to the prompt by Cadences. Cadences does not train any model on customer data. Customers can re-disable AI at the organisation level at any time. The retention and use of API submissions by the model provider is governed by the provider's own terms — refer to OpenAI's API data-usage policy for the current position.

Data subject rights

Customers can request export or deletion of personal data by contacting privacy@cadences.work; we respond within 30 days. Self-service equivalents in the application are on the 2026 roadmap. End users whose employer is the Cadences customer should raise rights requests through their employer in the first instance.

Incident response

We follow a documented incident response process and notify affected customers without undue delay, and in any case within 72 hours of confirmation where reasonably possible. For breaches that meet the GDPR or Singapore PDPA notification thresholds, we notify the relevant supervisory authorities within the statutory 72-hour window.

Compliance roadmap

We are working toward ISO 27001 audit readiness through 2026, with certification targeted during 2027 once customer demand justifies the audit spend. Until then we operate to the ISO 27001:2022 Annex A control set; our published policies at /trust/policies describe each control.

Customers under NDA can request: our internal Risk Register, Asset Inventory, MFA audit results, and sub-processor SOC 2 / ISO 27001 reports. Our Transfer Risk Assessments for Singapore and the United States are published openly at /trust/policies.

Contracts

The two agreements every Cadences customer signs. Both are open templates; per-deal commercial terms (plan, seats, fees, term) are captured on a separate Order Form (Annex C of the MSA).

Contact

Cadences.work is operated by Nozemans Software Pte Ltd, a private company limited by shares incorporated in Singapore.