Security.

Last updated: May 21, 2026.

Our approach

cadohq is built for revenue teams operating at scale. Security is treated as a product requirement, not an afterthought. The same standards apply to the founder's own workspace, which runs an active sales pipeline every day.

Infrastructure

cadohq runs on Vercel for application hosting and Supabase (Postgres) for data. All traffic is encrypted in transit with TLS 1.2 or higher. Data at rest is encrypted using AES-256 by our cloud providers.

Production access is limited and gated by multi-factor authentication.

Tenant isolation

Every workspace is isolated by Postgres row-level security policies. Queries can only return data belonging to the requesting user's workspace. Scoring runs, research notes, and integration tokens are workspace-scoped end to end.

Authentication

User accounts are authenticated through email and password or magic link, with Google OAuth available as an alternative. SSO with SAML is on the Enterprise roadmap.

Sessions are refreshed via secure HTTP-only cookies. Magic link tokens are single-use and short-lived.

Your research data

Research notes you provide run in your workspace and are not used to train any shared model. Aggregated, de-identified product telemetry may be used to improve the service.

Integrations

OAuth tokens for connected platforms are stored encrypted at rest and used only to perform the operations you explicitly authorize. SalesLoft is live today. Outreach, Gmail, Outlook, HubSpot, Salesforce, and Slack are on the roadmap. Disconnecting an integration from Settings removes its tokens from our database. To revoke the grant on the provider side, revoke the app authorization in your provider's account settings as well.

Backups and recovery

Database backups are managed by Supabase, with daily snapshots and point-in-time recovery within the provider's retention window.

Vulnerability management

We monitor third-party dependencies for known vulnerabilities and apply patches on a regular cadence. Critical security updates are applied as soon as practical after disclosure.

Independent penetration testing is on the roadmap for Enterprise readiness.

Incident response

If a security incident affects your data, we will notify you without undue delay and in any case within 72 hours of confirmation. Notifications include the nature of the incident, the data involved, and the steps we are taking.

Compliance

SOC 2 is on the roadmap and will be pursued ahead of the first Enterprise customers. GDPR and CCPA data subject requests can be submitted to privacy@cadohq.com.

Reporting a vulnerability

If you believe you have found a security issue, please email security@cadohq.com. We will acknowledge your report within one business day and keep you informed as we investigate.