Policies & Compliance Documents
We publish our information security policies, plans, and compliance documents openly. They reflect the controls we operate today and the commitments we make to customers under our Data Processing Agreement.
A small number of operational documents — the live Risk Register, Asset Inventory, and post-incident records — remain available under NDA on request, since they contain implementation-specific detail and carry reconnaissance value. For those, contact security@cadences.work.
Policies
Information Security Policy
Parent policy. Establishes the framework, objectives, roles, and the family of sub-policies for the Cadences ISMS.
Access Control Policy
Authentication, authorisation, MFA, account lifecycle, and periodic access review.
Acceptable Use Policy
Personnel rules for Company systems, devices, AI tools, source code, and data handling.
Data Classification & Handling Policy
Four classification levels, handling rules per level, and special treatment of Customer Personal Data.
Incident Management Policy
Incident definition, severity, roles, notification commitments, and post-incident review.
Risk Management Policy
Risk identification, assessment methodology (5×5), treatment options, and review cadence.
Vendor / Supplier Management Policy
Sub-processor selection, due diligence, contracting, ongoing monitoring, and termination.
Change Management Policy
Categories of change, lifecycle (proposal → CI → review → deploy → verify), emergency changes, and audit trail.
Cryptography Policy
Cryptographic standards (TLS, AES, hashing, asymmetric, RNG), key management, and rotation.
Endpoint Security Policy
Workstation and mobile-device baseline, BYOD considerations, loss/theft response, and disposal.
HR Security Policy
Personnel-security obligations adapted to a one-person organisation, with future-personnel procedures.
Plans
Assessments & Templates
Transfer Risk Assessment — Singapore
Documented assessment of EEA→Singapore data transfers under the 2021 EU SCCs and EDPB Recommendations 01/2020.
Transfer Risk Assessment — United States
Documented assessment of onward transfers to US-based sub-processors under the EU-US Data Privacy Framework and 2021 SCCs.
Master Service Agreement — Template
The commercial contract that governs every Cadences customer engagement: Service definition, fees and invoicing, term, SLA, IP, liability, governing law. Pairs with the DPA below; per-deal commercial details go on a separate Order Form (Annex C of the template).
Data Processing Agreement — Template
Template DPA incorporating the 2021 EU SCCs Module 2 (Controller → Processor), used for new customer engagements. Sits on top of the Master Service Agreement above.
Operational Documents
How to use these documents
- For routine procurement / vendor-review use: cite the relevant policy by document ID and link to its public URL.
- For audit evidence: the same policies can be exported with our watermarked branding under a mutual NDA — email security@cadences.work.
- For contractual incorporation: the Data Processing Agreement template references this set; on signing the DPA, the Annex II Technical and Organisational Measures point at the live versions on this page.
Versioning
Each document carries a Document ID and version in its header. We update the version on material changes and announce material updates via our Sub-processor change-notification list (subscribe by emailing privacy@cadences.work).