Security Settings
Overview
CADENSA provides enterprise-grade security features to protect your data. Configure two-factor authentication, manage sessions, set up SSO (ENTERPRISE) (Coming Soon), and review audit logs.
Security features:
- Two-Factor Authentication (2FA)
- Single Sign-On (SSO) - ENTERPRISE (Coming Soon)
- Audit Logs - ENTERPRISE
- IP Allowlisting - ENTERPRISE
- Session Management
- Security Alerts
Two-Factor Authentication (2FA)
Enable 2FA
Add extra security to your account.
(Covered in detail in Profile Settings)
Quick setup:
- Settings → Security → 2FA
- Choose method (Authenticator app recommended)
- Scan QR code with app
- Verify 6-digit code
- Save backup codes
- 2FA enabled
2FA methods:
Authenticator App (Recommended) - Google Authenticator, Authy, 1Password
SMS - Text message to phone number
Email - Code sent to email (least secure)
Enforce 2FA (ENTERPRISE)
Require 2FA for all workspace members.
How to enforce:
- Navigate to Workspace Settings → Security
- Click "Enforce 2FA"
- Set grace period
- Notify team members
- Enable enforcement
2FA enforcement settings:
Two-Factor Authentication Policy (ENTERPRISE Workspace Setting)
- Require 2FA for all members
- Enforcement Level:
  - Mandatory (block access)
  - Recommended (warning only)
- Grace Period: [7 days ▼]
- Users without 2FA: 3
  - John Doe (Owner)
  - Sarah Johnson (Manager)
  - Mike Chen (Member) [Remind]
  - Lisa Park (Member) [Remind]
  - Tom Wilson (Viewer) [Remind]
- Notification:
  - Email users without 2FA
  - Show banner on login
- Allowed Methods:
  - Authenticator app
  - SMS
  - Email (not recommended)
- [Send Reminder] [Enable Enforcement]
Grace period enforcement:
Day 1: Enable enforcement
- Email sent to users without 2FA
- Banner shown on login
- "You have 7 days to enable 2FA"
Days 2-6: Reminders
- Daily reminder banner
- Email reminder at Day 4
Day 7: Enforcement begins
- Users without 2FA blocked
- Must enable 2FA to access account
- Can still receive password reset emails
Single Sign-On (SSO)
SSO (SAML 2.0) and LDAP / Active Directory integration are planned for a future release. This section describes the planned functionality. SSO is not yet available in CADENSA. See the Roadmap for the expected timeline.
SAML 2.0 Integration (ENTERPRISE)
Enterprise SSO for centralized authentication.
Supported providers:
- Microsoft Azure AD / Entra ID
- Okta
- Google Workspace
- OneLogin
- Auth0
- Ping Identity
- ADFS
- Custom SAML 2.0 providers
Setup process:
Step 1: Request SSO
1. Contact CADENSA support: support@cadensa.io
2. Provide:
- Identity Provider (IdP) name
- SAML metadata URL or XML file
- Technical contact info
3. Support creates SSO configuration
4. You receive CADENSA SAML details
Step 2: Configure IdP
Add CADENSA to your Identity Provider:
Service Provider Details:
- Entity ID: https://app.cadensa.io/saml/metadata
- ACS URL: https://app.cadensa.io/saml/acs
- SLS URL: https://app.cadensa.io/saml/sls
Attribute Mapping:
- Email: email, emailAddress, mail
- First Name: firstName, givenName
- Last Name: lastName, surname, sn
- Display Name: displayName (optional)
Step 3: Test & Enable
- CADENSA support configures connection
- Test login provided
- Verify user attributes
- Enable for workspace
- Users login via SSO
SSO configuration:
Single Sign-On Configuration (ENTERPRISE)
- SSO Status: Enabled
- Identity Provider: Microsoft Azure AD
- Connection Details:
  - Entity ID: https://sts.windows.net/../
  - SSO URL: https://login.microsoftonline.com/.../saml2
  - Certificate: Valid until Dec 2027
- Attribute Mapping:
  - Email: emailaddress
  - First Name: givenname
  - Last Name: surname
  - Display Name: displayname
- User Provisioning:
  - Just-In-Time (JIT) (Create user on first login)
  - Manual only
- Default Role for New Users: [Member ▼]
- Fallback Authentication:
  - Allow password login for admins (Emergency access)
- [Test SSO] [Disable SSO] [Edit]
LDAP / Active Directory (ENTERPRISE)
Direct integration with corporate directory.
Setup:
LDAP / Active Directory Integration (ENTERPRISE)
- Server Settings:
  - Host: [ldap.company.com]
  - Port: [389], Use SSL (636)
- Bind Credentials:
  - Bind DN: [cn=admin,dc=company,dc=com]
  - Password: [•••••••••]
- User Search:
  - Base DN: [ou=users,dc=company,dc=com]
  - Filter: [(objectClass=person)]
- Attribute Mapping:
  - Email: [mail]
  - First Name: [givenName]
  - Last Name: [sn]
  - Username: [sAMAccountName]
- Group Sync (optional):
  - Sync LDAP groups to CADENSA
  - Admin Group: [CN=CADENSA_Admins]
  - Manager Group: [CN=CADENSA_Managers]
- [Test Connection] [Save Configuration]
Audit Logs
Security & Activity Logs (ENTERPRISE)
Track all account activity for compliance.
What's logged:
Authentication Events:
User login (success/failure)
User logout
Password changes
2FA enabled/disabled
SSO logins
Failed login attempts
Account Changes:
User created/deleted
Email changed
Role changed
Permission changes
Workspace access granted/revoked
Data Access:
Project created/edited/deleted
Time entries created/edited/deleted
Report generated
Data exported
Settings changed
Billing:
Subscription upgraded/downgraded
Payment method added/removed
Invoice generated
Audit log viewer:
Audit Logs: [Export CSV] [Filter ▼] [Search]
| Timestamp | User | Action | Details |
|---|---|---|---|
| 2026-01-25 10:45 | John Doe | LOGIN | IP: 185.123.45.67; Device: Chrome on macOS; Location: Budapest, HU; [View Details] |
| 2026-01-25 10:30 | Sarah J. | EDITED | Project: Website Redesign; Changed: Budget 80h → 100h; [View Details] |
| 2026-01-25 10:15 | Mike C. | EXPORTED | Report: Monthly Time Report; Format: CSV; Rows: 1,234 entries; [View Details] |
| 2026-01-25 09:58 | System | FAILED | Login attempt failed; User: john.doe@example.com; Reason: Invalid password; IP: 192.168.1.100; [View Details] |
| 2026-01-25 09:45 | Lisa P. | CREATED | Time Entry: 2h 30m; Project: Mobile App; Task: Bug fixes; [View Details] |

[Load More] [Jump to Date...]
Filter audit logs:
Filter Audit Logs
- Date Range: From [2026-01-01] To [2026-01-31]
- Event Type:
  - All Events
  - Authentication (login/logout)
  - User management
  - Project changes
  - Time entries
  - Data exports
  - Settings changes
  - Billing events
  - Security alerts
- User: [All Users ▼] or [Search user...]
- IP Address: [ ] (optional)
- Result:
  - All
  - Success only
  - Failed only
- [Clear Filters] [Apply Filters]
Export audit logs:
- Export Format:
  - CSV (Excel-compatible)
  - JSON (machine-readable)
  - PDF (human-readable)
- Date Range: Last 90 days
- Events: 12,345 matching events
- Columns to include:
  - Timestamp
  - User
  - Event Type
  - IP Address
  - Device/Browser
  - Location
  - Details
  - Result (Success/Failed)
- [Cancel] [Export Audit Log]
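An exported log is most useful when it is checked automatically. The following added example (not CADENSA code) scans a CSV export for bursts of failed logins and notes whether a success followed; the column layout, timestamp format, thresholds and the function name `failed_login_bursts` are assumptions based on the export dialog above.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample. Column names follow the export dialog; the layout and
# every value are assumptions, not a documented CADENSA export format.
SAMPLE_CSV = """Timestamp,User,Event Type,IP Address,Result
2026-01-25 09:50,john.doe@example.com,LOGIN,203.0.113.9,Failed
2026-01-25 09:52,john.doe@example.com,LOGIN,203.0.113.9,Failed
2026-01-25 09:55,john.doe@example.com,LOGIN,203.0.113.9,Failed
2026-01-25 09:58,john.doe@example.com,LOGIN,203.0.113.9,Success
2026-01-25 10:15,mike.chen@example.com,EXPORTED,185.123.45.67,Success
2026-01-25 10:45,sarah.j@example.com,LOGIN,185.123.45.67,Failed
"""

def failed_login_bursts(csv_text, threshold=3, window=timedelta(minutes=10)):
    """Flag users with `threshold` or more failed logins inside `window`.

    `then_success` marks a burst that was followed by a successful login
    while the failures were still inside the window.
    """
    rows = sorted(csv.DictReader(io.StringIO(csv_text)),
                  key=lambda r: r["Timestamp"])
    recent = defaultdict(list)  # user -> timestamps of recent failures
    alerts = {}
    for row in rows:
        if row["Event Type"] != "LOGIN":
            continue
        user = row["User"]
        ts = datetime.strptime(row["Timestamp"], "%Y-%m-%d %H:%M")
        # Drop failures that have aged out of the window.
        recent[user] = [t for t in recent[user] if ts - t <= window]
        if row["Result"] == "Failed":
            recent[user].append(ts)
            if len(recent[user]) >= threshold:
                alerts[user] = {"user": user, "ip": row["IP Address"],
                                "failures": len(recent[user]),
                                "then_success": False}
        elif user in alerts and recent[user]:
            alerts[user]["then_success"] = True
    return list(alerts.values())
```

A burst with `then_success` set is the one to triage first: review that user's active sessions and confirm the login with them.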
IP Allowlisting (ENTERPRISE)
Restrict Access by IP
Only allow access from specific IP addresses.
Use cases:
- Office-only access
- VPN-required access
- Geographic restrictions
- Compliance requirements
IP allowlist configuration:
IP Allowlisting (ENTERPRISE)
- Enable IP allowlisting
- Warning: This will block access from IPs not on the list.
- Allowed IP Addresses:
  - 185.123.45.0/24 (Description: Budapest Office) [Edit] [Remove]
  - 78.234.56.100 (Description: Remote VPN) [Edit] [Remove]
  - 192.168.1.0/24 (Description: Local Network) [Edit] [Remove]
  - [+ Add IP Address/Range]
- Bypass Options:
  - Allow API access (for integrations)
  - Allow mobile apps
  - Allow admins (emergency access)
- Current IP: 185.123.45.67
- Status: Allowed
- [Save Settings]
Add IP address:
Add IP Address or Range
- Type:
  - Single IP (192.168.1.100)
  - IP Range (CIDR notation)
- IP Address: [185.123.45.67]
- Or IP Range (CIDR): [185.123.45.0/24]
- Description: [Office Network]
- [Cancel] [Add to Allowlist]
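The allowlist above mixes single addresses and CIDR ranges. This added example (not CADENSA code; the function names are hypothetical) evaluates a client address against those entries with Python's `ipaddress` module and reports entries in private address space such as 192.168.1.0/24, which a service reached over the public internet does not see as a client's source address.

```python
import ipaddress

# Entries copied from the allowlist mock-up on this page.
ALLOWLIST = {
    "185.123.45.0/24": "Budapest Office",
    "78.234.56.100": "Remote VPN",
    "192.168.1.0/24": "Local Network",
}

def parse_entries(entries):
    """Return (network, description) pairs; raise ValueError on a bad entry."""
    parsed = []
    for text, description in entries.items():
        # strict=True rejects a range with host bits set (185.123.45.67/24),
        # which usually means the wrong prefix was typed.
        parsed.append((ipaddress.ip_network(text, strict=True), description))
    return parsed

def match(client_ip, networks):
    """Return the description of the first matching entry, or None (deny)."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return None  # unparseable address: fail closed
    for network, description in networks:
        if addr.version == network.version and addr in network:
            return description
    return None

def private_entries(networks):
    """Entries in private address space; review these before saving."""
    return [str(network) for network, _ in networks if network.is_private]
```

Running the check before enabling the allowlist confirms that the administrator's own current IP matches an entry, which avoids a self-lockout.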
Session Management
Active Sessions
(Covered in Profile Settings)
Quick actions:
- View all active sessions
- See device, location, IP
- Logout individual sessions
- Logout all other sessions
Remember Me & New Tab Behavior
Understanding how login sessions work across browser tabs.
When you log in to CADENSA, you choose how your session is stored:
| Login option | Session storage | New tab behavior |
|---|---|---|
| Remember me checked | localStorage (persists across tabs) | Opens directly to dashboard |
| Remember me unchecked | sessionStorage (tab-only) | Redirects to login page |
This is intentional security behavior. When you log in without "Remember me", your session is tied to that specific browser tab. Opening a new tab starts a fresh, unauthenticated session; your credentials are never shared between tabs.
This protects you on shared computers: closing the tab ends your session completely.
Enable the "Remember me" checkbox on the login page. Your session will persist across all tabs and browser restarts until you explicitly log out or the token expires (24 hours).
What to do if you're always redirected to login on new tabs:
- Log out completely
- Log back in with "Remember me" checked
- New tabs will now open directly to your dashboard
Session Security Settings
Configure session behavior.
Session Security
- Session Timeout: [7 days ▼]
- Idle Timeout: [30 minutes ▼] (Logout after 30 min of inactivity)
- Concurrent Sessions:
  - Unlimited
  - Single device only
  - Maximum: [3] devices
- Remember Device:
  - Remember this device for 30 days (Skip 2FA on trusted devices)
- Security Notifications:
  - Email on new device login
  - Email on suspicious activity
  - Email on password change
- [Save Settings]
Security Alerts
Suspicious Activity Detection
Automatic security monitoring.
What's monitored:
Multiple failed login attempts
Login from unusual location
Login from new device
Large data exports
Unusual API activity
Permission changes
Security alert example:
From: CADENSA Security support@cadensa.io
To: john.doe@example.com
Subject: Security Alert: New Device Login
Dear John,
We detected a login to your CADENSA account from
a new device:
Device: Chrome on Windows
Location: London, United Kingdom
IP Address: 78.234.56.78
Time: Jan 25, 2026 at 10:45 GMT
Was this you?
[Yes, this was me] [No, secure my account]
If this wasn't you:
1. Change your password immediately
2. Enable 2FA if not already enabled
3. Review active sessions
4. Contact support if needed
Best regards,
CADENSA Security Team
Security dashboard:
Security Overview
- Account Security Score: 85/100
- Recommendations Completed:
  - Strong password (12+ chars)
  - 2FA enabled
  - Recent security review
- Recommendations:
  - Review active sessions (5 devices)
  - Update password (last changed 90d)
- Recent Security Events:
  - Login from new device (2 hours ago)
  - Password changed (15 days ago)
  - 2FA enabled (30 days ago)
- [View All Security Events]
Compliance & Certifications
SOC 2 Type II (ENTERPRISE)
CADENSA compliance certifications.
Available certifications:
SOC 2 Type II
- Annual audit
- Security, availability, confidentiality
- Report available on request
GDPR Compliant
- Data processing agreements
- Right to deletion
- Data portability
- Privacy by design
ISO 27001 (in progress)
- Information security management
- Expected: Q2 2026
HIPAA Compliant (ENTERPRISE add-on)
- Healthcare data protection
- Business Associate Agreement
- Contact sales for details
Request compliance documents:
1. Email: support@cadensa.io
2. Specify:
- Company name
- Certification needed
- Purpose (vendor assessment, audit, etc.)
3. Receive:
- SOC 2 report
- DPA (Data Processing Agreement)
- Security questionnaire responses
- Penetration test summaries
Data Encryption
Encryption Details
How CADENSA protects your data.
Encryption at rest:
AES-256 encryption
Database encrypted
Backups encrypted
File storage encrypted (S3)
Encryption in transit:
TLS 1.3 (minimum TLS 1.2)
Perfect Forward Secrecy
HSTS enabled
Certificate pinning (mobile apps)
Key management:
AWS KMS (Key Management Service)
Automatic key rotation
Separate keys per customer (ENTERPRISE)
Best Practices
Do's
- Enable 2FA - Extra security layer
- Use strong passwords - 12+ characters, unique
- Review active sessions - Logout unknown devices
- Monitor audit logs - Check for suspicious activity (ENTERPRISE)
- Restrict IP access - If possible (ENTERPRISE)
- Use SSO (Coming Soon) - Centralized authentication (ENTERPRISE)
- Regular security reviews - Quarterly minimum
- Educate team - Security awareness training
Don'ts
- Don't share passwords - Each user has own account
- Don't ignore security alerts - Investigate all warnings
- Don't disable 2FA - Unless absolutely necessary
- Don't use public WiFi - Without VPN
- Don't share API keys - Revoke and regenerate if leaked
- Don't skip compliance - Legal requirements
Troubleshooting
Can't log in with SSO (Coming Soon)
Problem: SSO login not working.
Solutions:
- Check with IT admin (IdP configuration)
- Verify user exists in IdP
- Check email attribute mapping
- Use emergency password login (if enabled)
- Contact CADENSA support
2FA code not working
Problem: 6-digit code rejected.
Solutions:
- Ensure time sync on device (settings → date/time)
- Wait for new code (refresh every 30 seconds)
- Use backup code instead
- Contact support to disable 2FA temporarily
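Why device time matters: authenticator-app codes are derived from the current time in 30-second steps, so a device clock that has crossed into a different step produces a different code. The sketch below is an added example, not CADENSA code; it assumes RFC 6238 TOTP with HMAC-SHA1 (the scheme common authenticator apps implement), uses the RFC's published test key, and the `drift_steps` tolerance is an assumption about server behaviour.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30    # seconds per code, as stated on this page
DIGITS = 6   # code length, as stated on this page

# Test key from RFC 6238 ("12345678901234567890" in base32), not a real secret.
RFC_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

def totp(secret_b32, unix_time):
    """Compute the RFC 6238 code for the 30-second step containing unix_time."""
    key = base64.b32decode(secret_b32)
    counter = struct.pack(">Q", int(unix_time) // STEP)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def verify(secret_b32, code, server_time, drift_steps=1):
    """Accept the current step and drift_steps steps on either side of it."""
    for delta in range(-drift_steps, drift_steps + 1):
        expected = totp(secret_b32, server_time + delta * STEP)
        if hmac.compare_digest(expected, code):  # constant-time comparison
            return True
    return False

# The device clock is 2 seconds ahead of the server but already in the next step.
SERVER_TIME = 1111111109
DEVICE_TIME = 1111111111
```

With no tolerance the device's code is rejected even at 2 seconds of skew; one step of tolerance accepts it, and a clock that is minutes off falls outside any reasonable window, which is why re-syncing the device time resolves the problem.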
IP blocked
Problem: Cannot access from current IP.
Solutions:
- Check current IP: whatismyipaddress.com
- Contact workspace admin to add IP
- Use VPN if configured
- Use mobile data as temporary workaround
- Admin emergency access
Next Steps
- Profile Settings - Personal account
- Notification Preferences - Alerts
- Localization - Language & timezone
- Cookie Preferences - Privacy & GDPR
- Workspace Settings - Team security
Need Help?
- Security questions: support@cadensa.io
- Privacy questions: support@cadensa.io
- Compliance: support@cadensa.io
- Enterprise support: support@cadensa.io
- General support: support@cadensa.io
- Phone (ENTERPRISE): Available in Settings → Support