
Security Questionnaire — Pre-filled Responses

Format: CSA CAIQ-Lite v4 question themes (~50 questions across 16 domains), restated in plain language. Audience: customer security/procurement teams during vendor review. Owner: Lauren ten Hoor. Update on every significant control change. Last reviewed: 2026-05-25.

This document pre-answers the questions most commonly asked during vendor security reviews. Where a question is asked verbatim in a customer questionnaire (CAIQ, SIG Lite, custom Google Form), copy the relevant answer with attribution to this document and the date.


A. Audit Assurance & Compliance

A.1 — Do you hold a SOC 2 Type II report or ISO 27001 certificate? Not yet. Cadences.work is working toward ISO 27001 audit readiness through 2026, with certification targeted during 2027. We operate to the ISO/IEC 27001:2022 Annex A control set in advance of audit. Sub-processors used in production (Vercel, Supabase, Postmark, Google, Stripe) are SOC 2 Type II / ISO 27001 certified.

A.2 — Are you willing to share certifications and audit reports under NDA? Yes. Sub-processor reports are available through their respective trust centres. Our internal evidence (TOMs, policies) is shared on request under NDA.

A.3 — Do you undergo independent penetration testing? Not yet. The first annual external penetration test is scheduled before our ISO 27001 Stage 2 audit. Continuous dependency scanning is in place via Renovate (see P.1).

A.4 — Do you maintain a risk register? Yes — internal document, not published. Reviewed quarterly.


B. Application & Interface Security

B.1 — Is the application developed under a Secure SDLC? Yes. All changes go through Git (GitLab) with code review before merge. CI runs lint, type-check, and dependency-vulnerability checks. Static analysis (Semgrep CE) is on the 2026 roadmap. Production deploys are made only from the main branch.

B.2 — Is data input validated and output encoded? Yes. Inputs are validated via Zod schemas at API boundaries. Outputs are rendered through React, which encodes by default. SQL is generated by Prisma using parameterised queries — no string-concatenated SQL is permitted.

B.3 — Are HTTP security headers in place? Strict-Transport-Security, X-Content-Type-Options, X-Frame-Options, Referrer-Policy, and a Content Security Policy are configured at the edge.

B.4 — Is sensitive data masked in logs? Application logs do not record full user records. Authentication tokens and password hashes are never logged.


C. Business Continuity Management & Operational Resilience

C.1 — Is there a documented BCP / DR plan? Yes. Database point-in-time recovery is enabled with RPO of 2 minutes and RTO of approximately 30 minutes. Backups are encrypted and retained for 30 days. Annual restore drill is documented.

C.2 — What is your historical uptime? Cadences.work runs on Vercel (99.99% SLA edge) and Supabase (99.9% SLA Pro tier). We publish status updates and incident histories.

C.3 — How is critical-system redundancy achieved? Inherited from sub-processors: Vercel multi-region edge; Supabase managed Postgres with automated backups. High-availability replicas are a Pro-tier feature (a planned upgrade; our current tier is disclosed on request).


D. Change Control & Configuration Management

D.1 — Is infrastructure managed as code? Configuration of the application and Supabase is captured in the Git-managed source tree. Vercel project settings are documented and reviewed.

D.2 — How are production changes approved? Every change is committed to GitLab with an audit trail. Cadences is a single-person company, so the founder reviews each change against documented criteria; once a second reviewer is engaged (employee, contractor, or external advisor), four-eyes review will be required.

D.3 — Are databases versioned? Schema changes are managed through Prisma migrations.


E. Data Security & Information Lifecycle Management

E.1 — Is customer data encrypted at rest? Yes. AES-256 at the storage layer (Supabase / Postgres).

E.2 — Is customer data encrypted in transit? Yes. TLS 1.2 or higher end-to-end.

E.3 — How is customer data isolated? Logical isolation. All customer data sits in a multi-tenant Postgres database with row-level access enforced by application authorisation logic and Supabase Row-Level Security policies.

E.4 — Where is customer data stored? EU region (Ireland — Supabase eu-west-1). Vercel functions handling customer data are pinned to Dublin (dub1).

E.5 — Is data classified? Yes. Customer Personal Data is classified Confidential and handled under the most restrictive controls. Marketing-website data is classified Public.

E.6 — How is data deleted? Customers can self-serve deletion. On contract termination, all Customer Personal Data is deleted from active systems within 30 days and from backups within 30 further days.

E.7 — Is media sanitised before disposal? Not applicable — no physical media owned by Cadences. Sub-processors handle media sanitisation per their own certifications.


F. Datacenter Security

F.1 — Where are your datacentres? Cadences does not operate datacentres. Sub-processors (Vercel, Supabase) operate in audited Tier-III+ datacentres with SOC 2 / ISO 27001 attestation.

F.2 — How is physical access controlled? Inherited from sub-processors. Reports available on request under NDA.


G. Encryption & Key Management

G.1 — Are encryption keys managed by you or by the cloud provider? By the cloud provider (Supabase / Vercel). No customer-managed keys are offered at this time.

G.2 — Are keys rotated? Yes. Storage-layer keys are rotated on the sub-processor's own schedule. API keys held by Cadences are rotated at least annually and immediately on suspicion of compromise. The Supabase Auth JWT signing key (ECDSA P-256 / ES256) is rotated on the same cadence via the Supabase dashboard; existing sessions remain valid until token expiry (~1 hour), and the JWKS endpoint publishes the new public key automatically. See Cryptography Policy §5.2.


H. Governance & Risk Management

H.1 — Do you have an Information Security Policy? Yes — see https://cadences.work/trust/policies. ISP-001 is the parent policy; 11 sub-policies cover Access Control, Acceptable Use, Data Classification, Incident Management, Risk Management, Vendor Management, Business Continuity & DR, Change Management, Cryptography, Endpoint Security, and HR Security.

H.2 — Who is accountable for security? Lauren ten Hoor, Founder and Director of Nozemans Software Pte Ltd, who is also the company's Singapore-registered Data Protection Officer.

H.3 — Is security training conducted? Annual self-paced training using a recognised provider (e.g. KnowBe4, Curricula). Phishing-resistant MFA mandated as a control.

H.4 — Is a risk assessment performed? Yes — annually with quarterly reviews. Risk register maintained internally.


I. Human Resources

I.1 — Are background checks performed? N/A — single-person company. The founder's identity and credentials are verified by ACRA (Singapore corporate registry).

I.2 — Are confidentiality / NDA agreements in place? Any future contractor or employee will sign a confidentiality agreement before access is granted.

I.3 — Is there a documented onboarding / offboarding process? The founder's role and access were documented at company inception. A formal onboarding/offboarding checklist is in place for any future contractor or employee.


J. Identity & Access Management

J.1 — Is multi-factor authentication enforced for administrators? Yes — MFA enforced on every administrative account (GitLab, Vercel, Supabase, Postmark, OpenAI, domain registrar, email, password manager). Hardware keys are registered on the highest-risk accounts.

J.2 — Is least-privilege enforced? Yes. Single-person org — no peer accounts to over-provision. Future hires will be provisioned by role.

J.3 — Are access permissions reviewed periodically? Yes — quarterly review per the MFA & Admin-Account Audit Checklist.

J.4 — Are end-user passwords used? End-user sign-in is passwordless by default: Supabase Auth issues a single-use magic link / email OTP. Where any password material is retained by Supabase Auth, it is hashed with bcrypt. Cadences does not currently expose an end-user password sign-in form.

J.5 — Is SSO supported for customers? Yes. SAML and OIDC SSO are fully implemented and per-tenant configurable. When a tenant has SSO enabled, users entering their work email on /login are redirected to that tenant's identity provider; authentication, MFA, and conditional-access policies are enforced at the IdP. Tenants without SSO fall back to magic-link / email OTP.

J.6 — How are session tokens issued and validated? Session access tokens are JSON Web Tokens (JWTs) issued by Supabase Auth and signed with an asymmetric ECDSA P-256 (ES256) key. The application verifies the signature of every authenticated request locally against the public JWKS published at ${SUPABASE_URL}/auth/v1/.well-known/jwks.json; verification does not involve a callback to the auth server. Refresh tokens are rotated on each use. Tokens are transported as HttpOnly, Secure, SameSite=Lax cookies. See Access Control Policy §4.4 and Cryptography Policy §4.4.


K. Infrastructure & Virtualization Security

K.1 — How is segregation between tenants achieved? Logical segregation in a single multi-tenant database, enforced by application authorisation and Postgres Row-Level Security.

K.2 — Are systems hardened to a benchmark (CIS, etc.)? Inherited from sub-processors (Vercel, Supabase) which align with CIS / ISO 27001 controls.


L. Interoperability & Portability

L.1 — Can customers export their data? Yes — JSON export of all account-tied data via the application; SQL dump available on request.

L.2 — Are open standards used for export? Yes — JSON and CSV for tabular data.


M. Mobile Security

M.1 — Is there a native mobile app? No. The product is a responsive web application; no native mobile binary is distributed.


N. Security Incident Management

N.1 — Is there a documented IR process? Yes — see Incident Response Runbook.

N.2 — What is the breach notification commitment? Customers are notified without undue delay and in any case within 72 hours of confirmation where reasonably possible. Supervisory authorities are notified within the GDPR / PDPA 72-hour statutory windows where applicable.

N.3 — Have you had a notifiable breach? None to date.


O. Supply Chain Management, Transparency & Accountability

O.1 — Do you publish a sub-processor list? Yes — https://cadences.work/trust/sub-processors. Customers receive 30-day prior notice of any new sub-processor.

O.2 — Are sub-processors flowed-down with equivalent obligations? Yes. Each sub-processor is bound by a DPA with equivalent or stronger obligations, and Cadences remains liable for sub-processor performance.

O.3 — Are sub-processors monitored? Yes — sub-processor certifications reviewed annually; service-status feeds monitored continuously.


P. Threat & Vulnerability Management

P.1 — Is dependency vulnerability scanning in place? Yes — Renovate config in the source repository raises pull requests for outdated and vulnerable dependencies; the CI dependency-vulnerability gate is active.

P.2 — Is there a coordinated disclosure policy? Yes — see SECURITY.md. Acknowledgement within 2 business days, status update within 7.

P.3 — How are critical patches handled? Critical CVEs in production dependencies are patched within 7 days of disclosure (target: 24 hours for actively exploited CVEs).


AI-specific addendum (asked in every modern questionnaire)

AI.1 — What LLM providers do you use, and for what? OpenAI API for feedback summarisation and structured insight generation. These features are opt-in per customer organisation and disabled by default (see AI.4). See Sub-processors for current providers.

AI.2 — Do you train models on customer data? No — Cadences does not train any model on customer data. Provider-side training behaviour is governed by the provider's own terms (refer to OpenAI's API data-usage policy for the current position); Cadences does not represent or warrant the provider's behaviour beyond what those terms state.

AI.3 — Is customer data sent in prompts? Only the relevant feedback text needed for the requested operation. No identifiers (names, email addresses) are added to the prompt by Cadences. If the user pastes identifying text into a feedback field, that field's content will be transmitted as part of the relevant prompt.

AI.4 — Can customers disable AI features? All AI features are experimental and disabled by default. They are only engaged when a customer-organisation administrator explicitly opts in, and can be re-disabled at the organisation level at any time.

AI.5 — Where is AI processing performed? United States (OpenAI). Cadences is on the OpenAI API "tier 1" plan; EU residency for inference is available on Enterprise plans and is on our roadmap as customer demand justifies the upgrade.

AI.6 — How long is AI provider data retained? Governed by the provider's own data-retention terms (refer to OpenAI's API data-usage policy for the current position). Zero-retention and explicit no-training commitments are available on OpenAI Enterprise plans and are not enabled on our current tier 1 plan.


Notes for the responder

  • When a question is not asked here but appears in a customer questionnaire, draft an answer using this document's tone and update this file with the new question + answer for next time.
  • When a question's answer changes (e.g. ISO 27001 obtained, new sub-processor added), update this file as the source of truth. The trust page and DPA reference it.
  • When a customer requires proof rather than a written answer, provide an artifact from docs/compliance/ (the public ISMS) or an extract from the internal Compliance Readiness Plan under NDA.