Encryption everywhere
TLS for every connection. Documents are stored in Cloudflare R2 with encryption at rest and accessed only through short-lived presigned URLs.
Security
Cadence holds contracts, certificates, and signatures — the practices below are how we keep them safe.
TLS for every connection. Documents are stored in Cloudflare R2 with encryption at rest and accessed only through short-lived presigned URLs.
Every query is scoped to your organization. Access rules are enforced server-side and covered by dedicated tenant-isolation tests.
Auth tokens live in httpOnly cookies with CSRF protection — never in browser storage. Refresh tokens rotate on every use, and repeated failures trigger account lockout.
Role-based permissions per organization. Item-level access limits regular users to what they own, approve, or created.
Logins, admin actions, impersonation sessions, approvals, and signatures are all logged with actor, timestamp, and IP.
Completed signing rounds are hashed and sealed with an X.509 certificate. Evidence packages capture consent, access proof, and signer metadata.
Per-client rate limits on authentication and tokenized approval links. Opaque tokens are stored only as SHA-256 hashes.
Automated database backups, versioned object storage, and a tested disaster-recovery runbook.
Found a vulnerability? Email security@latchworksystems.comand we’ll respond within two business days. Please don’t test against production tenants you don’t own.
Track every renewal, approval, and signature in one place. Free 14-day trial, no credit card required.
Start free trial