Skip to main content

Data & Security FAQs

Is my data secure?

Yes! Enterprise-grade security:

Encryption:

Data at rest: AES-256 encryption Data in transit: TLS 1.3 (minimum TLS 1.2) Database: Encrypted MongoDB Backups: Encrypted S3 storage File uploads: Encrypted (ENTERPRISE)

Infrastructure:

Hetzner hosting (Germany, EU region) Self-hosted MongoDB (Docker container) CDN: Vercel (global, EU edge nodes) Firewall protection Regular security audits Penetration testing (annual)

Access control:

Strong password requirements Two-factor authentication (2FA) — backup codes stored as bcrypt hashes Team invitation tokens: SHA-256 hashed before storage Audit log user agents: captured only for security/auth events (GDPR data minimisation) Admin access logs: operator email stored as SHA-256 hash only Billing PII (contact name, email, phone, VAT/tax numbers) excluded from general queries (database-level select: false — only returned when explicitly requested by billing endpoints) SSO/SAML (ENTERPRISE) (Coming Soon) IP allowlisting (ENTERPRISE) Session management Automatic logout (configurable)

More details: Security Settings →

Where is my data stored?

Data centers:

Primary region: Europe (Germany)

Why Europe? GDPR compliance EU data residency (Hetzner) Low latency for European users Privacy-friendly jurisdiction

Infrastructure:

• Hosting: Hetzner Online GmbH (Germany) • Database: Self-hosted MongoDB (EU) • CDN: Vercel (global with EU edge) • Email: Tarhely.eu (Hungary, EU)

All infrastructure: Located in EU (data residency) GDPR-compliant DPAs signed Regular security audits

Backups:

Daily automated backups 30-day retention (PRO) 90-day retention (ENTERPRISE) Geo-redundant storage (3 regions) Encrypted at rest Regular restore testing

Is CADENSA GDPR compliant?

Yes! Fully GDPR compliant:

Your rights:

Right to Access → Export your data anytime → Settings → Profile → Export Data

Right to Rectification → Edit your data in app → Update profile, time entries

Right to Erasure ("Right to be forgotten") → Delete account permanently → Settings → Profile → Delete Account

Right to Data Portability → Export in JSON/CSV formats → Take your data anywhere

Right to Object → Opt-out of marketing emails → Control notification preferences

Our commitments:

Data Processing Agreement (DPA) available Privacy by design and default Data minimization (collect only needed data) Consent-based processing Breach notification (within 72 hours) EU data storage (Frankfurt) Regular compliance audits

GDPR features:

Settings → Privacy:
• View data we collect
• Export all your data
• Delete your account
• Manage cookie preferences
• Review data processors
• Download DPA

Cookie management:

  • Granular cookie consent (Essential, Functional, Marketing)
  • Site analytics are cookie-free (Plausible — no consent required)
  • Easy opt-out anytime via Cookie Settings
  • Transparent cookie policy with full disclosure
  • Automatic deletion when categories disabled
  • Cookie Preferences Documentation →

Request DPA: support@cadensa.io

What data do you collect?

Data we collect:

Account data:

Email address (required for login) Name (first, last) Password (encrypted, never stored in plain text) Profile picture (optional) Job title, department (optional) Phone number (optional, for 2FA)

Usage data:

Time entries (date, project, duration, description) Projects and tasks (names, budgets, settings) Workspace settings Reports generated Login history (IP, device, location) Billing information (payment method, invoices)

Technical data:

Browser type and version Device type (desktop/mobile) Operating system IP address (for security) Cookies (session, preferences)

Data we DON'T collect:

Browsing history outside CADENSA Keystrokes or screenshots Personal files on your device Data from other apps Unnecessary personal information

View your data:

Settings → Privacy → View Collected Data
• See exactly what we have
• Export anytime (JSON/CSV)
• Delete permanently

Can I delete my account and data?

Yes! Permanent deletion available:

Account deletion process:

1. Settings → Profile → Delete Account
2. Export your data first (recommended)
3. Enter password to confirm
4. Type "DELETE" to confirm
5. Click "Permanently Delete Account"
6. 7-day grace period begins

Grace period (7 days):

Days 1-6:
• Account deactivated (can't login)
• Data preserved
• Can cancel deletion
• Email sent with reactivation link

Day 7:
• Permanent deletion
• All data removed from production
• Backups purged within 30 days
• Irreversible

What gets deleted:

Your account and profile All time entries Personal projects Workspace memberships Settings and preferences Login history Uploaded files

What's retained (legal requirement):

Kept for 90 days (legal compliance):
• Invoice history (accounting law)
• Payment records (tax law)
• Audit logs (security requirement)

After 90 days: Fully deleted

Workspace ownership:

If you own a workspace:
1. Must transfer ownership first
 → Settings → Workspace → Transfer
2. Or delete workspace entirely
3. Then can delete personal account

Who can access my data?

Access control:

Your team (within workspace):

Role-based access:

Admin: Full access to all data Can see all time entries Can edit workspace settings Can manage users

Manager: See team time entries Manage assigned projects Generate team reports Can't see billing

Member: See own time entries See assigned projects Can't see others' entries

Viewer: Read-only access See assigned projects Can't track time

CADENSA employees:

Support team (with your permission): View data to troubleshoot issues Only when you contact support Access logged in audit trail Under strict confidentiality

Developers: No access to production data Can access anonymized analytics Can't identify individual users

Third parties:

We never sell your data No advertising partners No data mining

Limited sharing (required for service): • Stripe: Payment processing only • AWS: Hosting infrastructure • SMTP (own mail server): Email delivery • All under strict DPAs

Data sharing (ENTERPRISE):

Client portal feature (Coming Soon):
• Share specific project reports
• Clients see only their project
• Controlled by you
• Can revoke anytime

What certifications do you have?

Security certifications:

SOC 2 Type II:

Certified since 2025 Annual audits Trust Service Criteria: • Security • Availability • Confidentiality • Processing integrity • Privacy

Request report: support@cadensa.io

GDPR Compliance:

EU data residency Data Processing Agreement (DPA) Privacy by design Right to erasure Data portability Breach notification process

ISO 27001 (in progress):

Expected: Q2 2026
• Information security management
• Regular audits
• Continuous improvement

HIPAA Compliance (ENTERPRISE add-on):

Available for healthcare:
• Business Associate Agreement (BAA)
• PHI encryption
• Audit logs
• Access controls
• Breach notification

Contact: <a data-action="support" href="#">support@cadensa.io</a>

PCI DSS compliance (via Mollie):

Mollie B.V. payment processing (PCI DSS Level 1 certified) No card data stored by CADENSA Secure redirect-based checkout (card details never enter CADENSA servers) EU-based processor (Netherlands) — no US data transfer for payments

What happens if there's a data breach?

Breach response plan:

Detection:

24/7 monitoring:
• Intrusion detection systems
• Log analysis (automated)
• Security alerts
• Anomaly detection

Response (within 1 hour):

1. Isolate affected systems
2. Assess scope of breach
3. Contain and remediate
4. Preserve evidence for investigation

Notification:

Within 72 hours (GDPR requirement):

Email to affected users:
• What data was accessed
• When breach occurred
• What we're doing about it
• Steps you should take

Email includes:
• Breach details
• Affected accounts
• Recommended actions
• Support contact
• Complimentary credit monitoring (if applicable)

Remediation:

1. Fix vulnerability
2. Enhanced monitoring
3. Password reset (if needed)
4. 2FA enforcement
5. Security audit
6. Public disclosure (if required)

To date:

Zero data breaches No unauthorized access incidents No data loss events Strong security track record

How long do you keep my data?

Data retention:

Active accounts:

FREE plan:
• Last 30 days: Full access
• Older data: Read-only
• Forever: Not deleted unless you request

PRO plan:
• Last 1 year: Full access
• Older data: Read-only
• Forever: Not deleted unless you request

ENTERPRISE:
• All data: Forever (unless deleted)
• Custom retention policies available

IP addresses (GDPR Art. 5(1)(e) — storage limitation):

Last login IP address:
• Retained for up to 90 days after last login
• Cleared automatically by weekly cleanup job

Terms acceptance IP & user agent:
• Retained for up to 12 months after acceptance
• Cleared automatically by weekly cleanup job

Account deletion request IP:
• Retained for up to 2 years (audit trail)
• Cleared automatically by weekly cleanup job

Deleted accounts:

Day 0: Account deleted
• 7-day grace period
• Data preserved
• Can reactivate

Day 7: Permanent deletion
• Production data deleted
• Appears in backups for 30 days

Day 37: Full purge
• All backups purged
• Completely unrecoverable

Billing data:

Kept for legal compliance:
• Invoices: 7 years (accounting law)
• Payment records: 7 years (tax law)
• VAT records: 10 years (EU law)

Even after account deletion

VIES validation snapshots (GDPR Art. 5(1)(e)):

EU VAT validation results (company name, address from VIES):
• Cleared after 180 days from validation date
• Cleared automatically by weekly cleanup job
• validatedAt date and valid flag are retained (no PII)

Audit logs (ENTERPRISE):

Retention options:
• 90 days (default)
• 1 year (extended)
• 7 years (compliance)
• Forever (custom)

Backups:

• Daily backups: 30 days (PRO)
• Weekly backups: 90 days (ENTERPRISE)
• Monthly backups: 1 year (ENTERPRISE custom)

Can I request a security audit report?

Yes! Available for ENTERPRISE customers:

Available reports:

SOC 2 Type II Report • Annual audit • Trust Service Criteria • Independent third-party • NDA required

Penetration Test Summary • Annual testing • Executive summary (no vulnerabilities disclosed) • Remediation status

Security Questionnaire Responses • Standard vendor assessment • Customizable to your needs

Data Processing Agreement (DPA) • GDPR compliant • Available to all customers

ISO 27001 Certificate (Q2 2026) • Once certified • Public document

How to request:

1. Email: <a data-action="security" href="#">security@cadensa.io</a>
2. Include:
 • Company name
 • Your role
 • Document needed
 • Purpose (vendor assessment, audit, etc.)
3. NDA required for SOC 2
4. Receive within 2-3 business days

Do you use third-party services?

Yes, trusted partners only:

Infrastructure:

Hetzner Online GmbH • Purpose: Server hosting, MongoDB database • Region: EU (Germany) • DPA: Yes • Certification: ISO 27001, TÜV-audited DPA

Vercel • Purpose: CDN, landing page hosting • Global: EU edge nodes • DPA: Yes • Certification: SOC 2, ISO 27001

Storage (invoice archival):

Wasabi Technologies, LLC • Purpose: Subscription invoice PDF archival • Region: EU (eu-central-2 / Frankfurt, Germany) • Mode: WORM Object Lock COMPLIANCE — 8-year immutable retention • Compliance: Hungarian Accounting Act §169 (8 years mandatory) • DPA: Yes (wasabi.com/legal/data-processing-addendum) • Data: Invoice PDFs only (no operational user data)

Invoicing & tax reporting:

Billingo Technologies Zrt. • Purpose: Electronic invoice issuance + NAV Online Számla 3.0 reporting • Region: EU (Hungary) • DPA: Yes (billingo.hu/adatvedelem) • Data transferred: customer name, billing address, tax/EU VAT number, email, invoice line items and amounts • Retention: 8 years (mandatory under Hungarian Accounting Act §169) • Sub-processors: NAV (Hungarian Tax Authority — mandatory legal reporting)

Payments:

Mollie B.V. • Purpose: Payment processing, subscription management • Region: Netherlands (EU) — Amsterdam • Security: PCI DSS Level 1 certified • DPA: Automatic upon registration (GDPR Art. 28 — EU processor) • Data: Payment mandate reference only (card details never touch CADENSA servers) • No US data transfer for payments

Communications:

Tarhely.eu (EZIT Kft.) • Purpose: SMTP email delivery • Region: EU (Hungary) • DPA: Yes (GDPR compliant) • Data: Email addresses only

Integrations (optional, user-initiated):

Google LLC (Google Calendar) • Purpose: Optional calendar import — user-initiated only • Region: United States (US data processing) • Legal basis: GDPR Art. 6(1)(a) — explicit user consent • Data: OAuth token (AES-256 encrypted), calendar event data during sync only • Consent: Shown before activation; revocable anytime in Settings → Integrations • DPA: Yes (Google Cloud Data Processing Amendment)

Analytics & Feedback:

Plausible Analytics (plausible.io) • Purpose: Privacy-first website analytics (page views, traffic sources) • Region: EU (Estonia — Plausible OÜ) • Legal basis: No consent required — cookie-free, no personal data collected • Data: Aggregated page views only; no user tracking, no cross-site data • DPA: Not required (no personal data processed)

Formbricks (self-hosted: surveys.cadensa.io) • Purpose: NPS and in-app feedback surveys • Region: EU — Hetzner Germany (self-hosted, no US data transfer) • Legal basis: Consent (optional cookie category) • Loaded only after user consent is granted • DPA: Not required (self-hosted, no third-party data processor)

Monitoring:

Sentry (staging environment only) • Purpose: Error tracking in staging/QA • Data: Anonymized error logs • Not used in production • DPA: Yes

All partners:

GDPR compliant Data Processing Agreements (DPA) EU data residency (where possible) Regular security reviews Can be disabled (some features affected)

Next Steps

Privacy Questions?

Response time: 48 hours for privacy requests