Security & Compliance
Cadensa is committed to data security and compliance with international security standards. This page details our technical security measures, compliance certifications, and incident response procedures.
Trust & Compliance
EU Hosted
Data stored within the EU
GDPR Compliant
EU 2016/679 · fully certified
Germany, EU
ISO 27001 · EU datacenter
Security Overview
Cadensa provides enterprise-grade security across all service tiers. Protecting your data is our highest priority.
AES-256 at rest, TLS 1.3 in transit
Hetzner (Germany EU), daily backups
GDPR, SOC 2 (roadmap Q2 2026)
1. Data Encryption
Encryption at Rest
All data is stored with AES-256 encryption in our databases and backup systems.
- AES-256-GCM: Industry-standard encryption algorithm
- Encrypted database: MongoDB with encrypted volumes
- Encrypted backups: Daily automated backups with encrypted storage
- Key management: Secure key storage (secrets management)
Encryption in Transit
All network communication is protected with TLS 1.3 encryption.
- TLS 1.3: Latest TLS protocol version
- HTTPS: All web traffic over HTTPS only
- WebSocket: Encrypted real-time connections (WSS)
- Third-party APIs: Stripe (all TLS 1.2+)
Password Protection
Passwords are stored using the bcrypt hashing algorithm (12 rounds).
- Bcrypt (12 rounds): Secure hashing with salt
- Password requirements: Min. 8 chars, upper/lower, number, special char
- Strength validation: Real-time password strength indicator
2. Access Control
Role-Based Access Control (RBAC)
Granular permission management based on roles and permissions.
- Roles: OWNER, ADMIN, MANAGER, MEMBER, VIEWER
- Permissions: Granular permissions per resource (projects, tasks, time entries, reports, billing)
- Workspace-level permissions: Each workspace with separate permissions
Two-Factor Authentication (2FA)
Optional 2FA available on all tiers (TOTP-based).
- TOTP (RFC 6238): Google Authenticator, Authy, 1Password compatible
- Backup codes: 10 one-time recovery codes
- Enforced 2FA: ENTERPRISE tier option
Session Management
Secure session management with JWT tokens and device tracking.
- JWT tokens: 7-day validity
- Device tracking: List and terminate active sessions
- Automatic logout: After inactivity period
- Login history: Track successful and failed login attempts
SSO & SAML (ENTERPRISE)
Single Sign-On integration for ENTERPRISE tier customers.
- SAML 2.0: Compatible with Okta, Azure AD, Google Workspace
- LDAP: Active Directory integration
- Centralized access: Single login for multiple applications
IP Allowlisting (ENTERPRISE)
Restrict access to specific IP addresses.
- Access only from allowlisted IP addresses
- CIDR notation support
- Workspace-level IP restrictions
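The allowlisting feature above restricts a workspace to specific addresses or CIDR ranges. As an added example (not Cadensa's code), the block below implements the IPv4 matching as pure functions: strict address and prefix parsing, prefix-mask comparison, validation of the configured entries, and a fail-closed policy evaluation (an enabled policy with no valid entries admits nobody, and an unparsable client address is denied). The policy shape, function names and the documentation-range addresses used in the test are assumptions; IPv6 and deciding which client address to trust behind a proxy are out of scope here.

```javascript
// Added example, not Cadensa's code: IPv4 allowlist evaluation with CIDR support,
// written as pure functions so it can be unit-tested without a web server.

// "203.0.113.1" -> 3405803777, or null if not a well-formed dotted quad.
function parseIPv4(text) {
  if (typeof text !== 'string') return null;
  const parts = text.split('.');
  if (parts.length !== 4) return null;
  let value = 0;
  for (const part of parts) {
    if (!/^\d{1,3}$/.test(part)) return null;
    const octet = Number(part);
    if (octet > 255) return null;
    value = value * 256 + octet; // arithmetic, not bitwise, to stay unsigned
  }
  return value;
}

// "203.0.113.0/24" or a bare address (treated as /32). Returns null on anything malformed.
function parseCidr(text) {
  if (typeof text !== 'string') return null;
  const [addr, prefix, ...rest] = text.split('/');
  if (rest.length) return null;
  const base = parseIPv4(addr);
  if (base === null) return null;
  const prefixText = prefix === undefined ? '32' : prefix;
  if (!/^\d{1,2}$/.test(prefixText)) return null;
  const len = Number(prefixText);
  if (len > 32) return null;
  const mask = len === 0 ? 0 : (0xffffffff << (32 - len)) >>> 0; // JS shifts mod 32, so /0 is special-cased
  return { network: (base & mask) >>> 0, mask, prefixLength: len };
}

function ipInCidr(ip, cidr) {
  const addr = parseIPv4(ip);
  const net = parseCidr(cidr);
  if (addr === null || net === null) return false;
  return ((addr & net.mask) >>> 0) === net.network;
}

// Entries an admin typed that would never match; surface these at save time.
function invalidAllowlistEntries(entries) {
  return entries.filter((e) => parseCidr(e) === null);
}

// Workspace policy: { enabled, allow: [...] }. Fails closed: an enabled policy
// with no valid entries admits nobody, and an unparsable client IP is denied.
function isClientAllowed(policy, clientIp) {
  if (!policy || !policy.enabled) return true;
  const valid = (policy.allow || []).filter((e) => parseCidr(e) !== null);
  if (valid.length === 0) return false;
  return valid.some((cidr) => ipInCidr(clientIp, cidr));
}
```

The client address fed into `isClientAllowed` should be the one the reverse proxy or WAF verified, never a raw `X-Forwarded-For` value copied from the request, since that header is client-controlled unless the proxy overwrites it.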
3. Infrastructure Security
Hosting & Data Center
Hosted on Hetzner Online GmbH dedicated servers (Germany, EU).
- Location: Germany (EU), GDPR compliant
- ISO 27001: Hetzner datacenter certified
- Physical security: 24/7 monitoring, biometric access
- Power supply: Redundant UPS and generators
Backups
Daily automated backups with encrypted, geo-redundant S3 storage and 90-day retention.
- Frequency: Daily full backup (2:00 AM CET)
- Retention: 90 days (ENTERPRISE: 1 year)
- Encryption: AES-256-GCM symmetric encryption before upload
- Storage: Wasabi S3 (eu-central-2, Frankfurt), GDPR-compliant EU data center
- Integrity: SHA-256 checksum for every backup file
- Recovery time: RTO < 4 hours, RPO < 24 hours
Server Hardening
Regular security updates and server hardening.
- OS updates: Weekly automated security patches
- Firewall: Only necessary ports open (443, 80)
- Fail2ban: Brute-force protection
- Minimal surface: Only necessary services running
Network Security
Multi-layer network protection with firewalls and DDoS mitigation.
- DDoS protection: Hetzner automatic DDoS mitigation
- Rate limiting: API rate limits on all endpoints
- WAF: Web Application Firewall (Cloudflare Pro)
4. Application Security
Security Headers
HTTP security headers in all responses (Helmet middleware).
- Strict-Transport-Security (HSTS): Force HTTPS for 1 year
- X-Content-Type-Options: Prevent MIME sniffing
- X-Frame-Options: Clickjacking protection
- Content-Security-Policy (CSP): XSS protection, resource loading rules
- X-XSS-Protection: Enable browser XSS filter
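A list of headers is only a policy until something checks that responses actually carry them with strong values. The block below is an added example, not Cadensa's code, of an audit function that takes a response's headers (as captured in CI or from a monitoring probe) and reports the gaps against the five headers listed above: HSTS max-age of at least one year, `nosniff`, a `DENY`/`SAMEORIGIN` frame policy, a CSP with a `default-src` fallback and no `'unsafe-inline'` for scripts, and the presence of X-XSS-Protection. Function names and the two sample header sets are constructed. One caveat for the last check: current browsers no longer implement the legacy XSS filter, and recent Helmet versions send `X-XSS-Protection: 0` by default, so the audit only verifies the header is present rather than demanding a particular value.

```javascript
// Added example, not Cadensa's code: audit a response's security headers against
// the policy described on this page. Pure function over a header object.
const ONE_YEAR_SECONDS = 31536000;

function parseHsts(value) {
  const directives = value.split(';').map((d) => d.trim().toLowerCase()).filter(Boolean);
  const maxAge = directives.find((d) => d.startsWith('max-age='));
  return {
    maxAge: maxAge ? Number(maxAge.slice('max-age='.length)) : NaN,
    includeSubDomains: directives.includes('includesubdomains'),
  };
}

// Returns a list of findings; an empty list means the response meets the policy.
function auditSecurityHeaders(headers) {
  const h = {};
  for (const [name, value] of Object.entries(headers)) h[name.toLowerCase()] = String(value);
  const findings = [];

  const hsts = h['strict-transport-security'];
  if (!hsts) findings.push('missing Strict-Transport-Security');
  else if (!(parseHsts(hsts).maxAge >= ONE_YEAR_SECONDS)) findings.push('HSTS max-age shorter than one year');

  if ((h['x-content-type-options'] || '').toLowerCase() !== 'nosniff') findings.push('X-Content-Type-Options is not nosniff');

  const xfo = (h['x-frame-options'] || '').toUpperCase();
  if (xfo !== 'DENY' && xfo !== 'SAMEORIGIN') findings.push('X-Frame-Options missing or not DENY/SAMEORIGIN');

  const csp = h['content-security-policy'];
  if (!csp) {
    findings.push('missing Content-Security-Policy');
  } else {
    const directives = csp.split(';').map((d) => d.trim()).filter(Boolean);
    if (!directives.some((d) => d.startsWith('default-src'))) findings.push('CSP has no default-src fallback');
    // script-src governs scripts; if absent, default-src applies to them.
    const scriptPolicy = directives.find((d) => d.startsWith('script-src'))
      || directives.find((d) => d.startsWith('default-src')) || '';
    if (/'unsafe-inline'/.test(scriptPolicy)) findings.push("CSP allows 'unsafe-inline' scripts, which weakens XSS protection");
  }

  if (!('x-xss-protection' in h)) findings.push('missing X-XSS-Protection');
  return findings;
}

// Constructed sample responses (not captured from cadensa.io).
const COMPLIANT_HEADERS = {
  'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
  'X-Content-Type-Options': 'nosniff',
  'X-Frame-Options': 'DENY',
  'Content-Security-Policy': "default-src 'self'; script-src 'self'; frame-ancestors 'none'",
  'X-XSS-Protection': '1; mode=block',
};
const WEAK_HEADERS = {
  'Strict-Transport-Security': 'max-age=300',
  'X-Frame-Options': 'ALLOWALL',
  'Content-Security-Policy': "script-src 'self' 'unsafe-inline'",
};
```

Running this against the production origin after each deploy catches the common regression where a middleware change or a new reverse-proxy rule silently drops a header that the policy document still promises.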
Input Validation
Strict input validation on all API endpoints.
- Joi validation: Schema-based validation
- Sanitization: HTML/SQL injection protection
- Type checking: TypeScript type safety
Audit Logging
Detailed audit logs for all critical operations.
- Login/logout events (successful and failed)
- Data modifications (create, update, delete)
- Role changes
- Security events (2FA, password change)
- Retention: 2 years (ENTERPRISE), 90 days (FREE/PRO)
Dependency Scanning
Regular npm audit and dependency updates.
- npm audit: Weekly automated security audit
- Dependabot: Automated PRs for security updates
- Critical CVEs fixed immediately (< 24 hours)
5. Compliance Certifications
GDPR (EU 2016/679)
Full compliance with EU GDPR regulation.
- Transparent data processing information
- Data subject rights support (Articles 15-22)
- DPA template for ENTERPRISE customers (Article 28)
- Data breach notification (< 72 hours)
- Data stored within EU
SOC 2 Type II
Roadmap: Q2 2026 (audit in progress)
- Current status: SOC 2 audit preparation
- Planned certification: 2026 Q2 (6-9 month audit)
- Available for ENTERPRISE tier customers
ISO 27001
Roadmap: 2026 Q3-Q4
- Current status: Gap analysis completed
- Planned certification: 2026 Q4
PCI DSS Level 1
Stripe payment processor (PCI DSS Level 1 certified).
- Card data never touches Cadensa servers
- Stripe tokenization
- 3D Secure (SCA) support
6. Incident Response
Data Breach Notification Obligation
Under GDPR Article 33, we report all data breaches within 72 hours to the supervisory authority (NAIH) and affected data controllers.
Incident Response Team
- Availability: 24/7 on-call team
- Response time: < 1 hour (critical incidents)
- Escalation: Automatic escalation matrix
Incident Reporting Process
- Detection: Automated monitoring + user report
- Categorization: Severity assessment (S0-S4)
- Containment: Incident containment and mitigation
- Notification: Notify affected parties (< 24 hours)
- Investigation: Root cause analysis
- Recovery: Service restoration
- Post-mortem: Documentation and lessons learned
Communication Channels
- Security incidents:
- Data breaches:
- Status page: status.cadensa.io
7. Vulnerability Disclosure Program
Responsible Disclosure Policy
We welcome security researchers who responsibly disclose vulnerabilities. Please send your report to .
Reporting Process
- Send a detailed report to
- Wait for acknowledgment (< 24 hours)
- Collaborate during the fix
- Coordinate public disclosure
Out of Scope
- Social engineering attacks
- Physical attacks
- DDoS
- Spam or phishing
Fix SLAs
- Critical: 24 hours
- High: 7 days
- Medium: 30 days
- Low: 90 days
Bug Bounty Program
Roadmap: 2026 Q3 (on HackerOne or Bugcrowd platform)
8. Contact & Questions
Security questions:
Privacy questions:
Compliance questions:
Response time: 24 hours (business days)
Axeri Labs Bt. (CADENSA)
2120 Dunakeszi, Brassói utca 7., Hungary
Company registration: 13-06-060656
Tax number: 22531300-2-13