Security Policy

At cadop.io, the security of your data is our highest priority. This Security Policy describes the technical and organizational measures we implement to ensure the confidentiality, integrity, and availability of our systems and your information.

1. Our security principles

Confidentiality — We protect your data from unauthorized access at all times.

Integrity — We safeguard data accuracy and prevent unauthorized modification or deletion.

Availability — We ensure our services and your data are available when you need them.

Transparency — We communicate openly about our security practices and incidents.

2. Data encryption

All data in transit is encrypted using TLS 1.2/1.3. HTTP requests are automatically redirected to HTTPS.

All data at rest is encrypted using AES-256 via our cloud provider's managed encryption services. Sensitive database fields are additionally protected at the application layer: values that must be read back are encrypted with AES, and values that only need to be compared (such as secrets) are stored as salted cryptographic hashes rather than in recoverable form.

Secrets and credentials are never stored in source code and are rotated regularly.

Our authentication endpoint publishes a standard JSON Web Key Set (JWKS) at https://auth.cadop.io/.well-known/jwks.json, allowing clients and integrators to verify token signatures programmatically using our public signing keys.

For enterprise customers with elevated security requirements, we can offer additional layered encryption for data transfer on top of standard HTTPS — for example mutual TLS (mTLS) or payload-level encryption. Please contact us at security@cadop.io to discuss options.

3. Access controls

Access to systems and data is strictly role-based (RBAC) and limited to authorized personnel on a need-to-know basis. We use AWS Identity and Access Management (IAM) to enforce granular permissions across our cloud infrastructure.

We apply the principle of least privilege across all internal services. Access rights are reviewed and updated upon changes in employment status.

Strong authentication is enforced for all internal access: short-lived tokens and multi-factor authentication (MFA) where applicable.

Authentication tokens are rotated regularly.

4. User authentication

User authentication for cadop.io is powered by Clerk, a dedicated identity and authentication platform built to the highest security standards.

We support passkeys as a primary authentication method. Passkeys are phishing-resistant by design: they use public-key cryptography, the private key never leaves your authenticator, and each credential is bound to the origin it was registered on (the cadop.io relying party), so a look-alike site cannot obtain a valid assertion from it or replay one captured elsewhere.

Single Sign-On (SSO) is supported via trusted OAuth 2.0 / OpenID Connect providers including Google, Discord, and others. This means you can authenticate using your existing identity without cadop.io ever handling your provider credentials directly.

Session tokens are short-lived and cryptographically signed. Token integrity can be verified by any client using the public signing keys published at https://auth.cadop.io/.well-known/jwks.json.

5. Secure development practices

Our software is developed following OWASP secure-coding guidelines with mandatory code reviews for all changes.

Dependencies are regularly audited for known vulnerabilities using automated tooling. Critical findings are remediated before release.

Penetration testing and security reviews are conducted periodically by internal and external parties.

6. Network security & monitoring

Our infrastructure is protected by firewalls and continuously monitored for suspicious activity and anomalies.

Regular vulnerability assessments and penetration tests are conducted. Identified risks are prioritised and remediated promptly.

DDoS mitigation is active at the edge level via our cloud provider.

7. Data backup & recovery

Data is backed up regularly and backups are stored securely with encryption at rest.

Disaster recovery plans are in place and tested periodically to ensure continuity of service.

8. Incident response

Security incidents are tracked and managed according to an established internal incident response plan.

In the event of a significant incident affecting your data, affected users will be notified promptly and in accordance with applicable law (including GDPR Art. 33/34 where relevant).

Post-incident reviews are conducted to identify root causes and prevent recurrence.

9. Vendor & third-party security

We only work with trusted vendors who demonstrate adequate security controls.

Data processing agreements (DPAs) are in place with all third-party service providers who process personal data on our behalf.

Third-party access to our systems is restricted to the minimum necessary and subject to the same access control principles applied internally.

10. Employee training & awareness

All team members receive regular security awareness training covering phishing, social engineering, and secure data handling.

Access rights are reviewed and promptly revoked when a team member's role changes or they leave the organisation.

11. User responsibilities

Keep your login credentials confidential and never share them with others.

Report any suspicious activity or potential security issue to security@cadop.io immediately.

Enable multi-factor authentication (MFA) on your cadop.io account when available — we strongly recommend doing so.

12. Reporting a vulnerability

If you believe you have discovered a security vulnerability in cadop.io, please contact us immediately at security@cadop.io.

Please include: a description of the vulnerability, steps to reproduce, the potential impact, and any proof-of-concept — without causing damage to our systems or accessing data that does not belong to you.

We will acknowledge your report within 3 business days and aim to provide an initial assessment within 7 business days.

We ask that you follow responsible disclosure: give us a reasonable time to investigate and remediate before publishing details publicly.

We do not currently operate a paid bug-bounty programme, but we are happy to credit researchers in our public security acknowledgements with your permission.

13. Responsible disclosure guidelines

Do not access, modify, or exfiltrate data that does not belong to you.

Do not disrupt the availability of our services.

Do not perform automated scans against our production systems without prior written authorisation.

We commit to not pursuing legal action against researchers who follow these guidelines in good faith.

14. GDPR & compliance

cadop.io is operated by Wilhelm Solutions UG (haftungsbeschränkt), based in Germany. We are subject to the EU General Data Protection Regulation (GDPR) and implement the required technical and organizational measures (TOMs) accordingly.

For information about how we process personal data, please refer to our Privacy Policy.

15. Policy updates

We may update this Security Policy to reflect changes in our practices, technology, or legal requirements. The latest version will always be available on this page. The effective date is shown below.

16. Effective date

Effective date: 2026-04-24