Security & Trust

What we do to keep your data safe — and what we're still working on. PROD-09 (status, compliance, security) supersedes this page when it ships; until then, here's the honest current state.

Effective date: 2026-05-04

Draft — operator/legal review pending. PROD-09 is the authoritative trust-center surface; this page is a placeholder. Sub-processor list, attestation status, and VDP scope must be reviewed by operator + legal counsel before public launch.

Compliance status

  • HIPAA: Standard BAA in place. The healthcare suite is gated on BAA acceptance at signup.
  • SOC 2 Type II: In progress. Auditor engagement pending operator confirmation; current target window posted at PROD-09 launch.
  • ISO 27001: Not pursued in v1.

How data flows

  • Customer-facing surfaces on Railway (cavaridge.app subdomain).
  • Single Supabase production project (us-west-2 / Oregon) with row-level security per tenant_id.
  • Stripe handles payment data (Cavaridge never sees full card data).
  • Internal LLM-routing layer calls OpenRouter, which routes to underlying model providers.

Sub-processors

The current sub-processor list and per-vendor BAA status will be enumerated by PROD-09 at /security. In v1, the headline list is:

  • Railway — hosting
  • Supabase — database, RLS, auth helper
  • Stripe — payments + Connect
  • OpenRouter — LLM routing fabric
  • Underlying model providers via OpenRouter (Anthropic, OpenAI, Google, Perplexity, etc.)
  • Sentry — error monitoring
  • Langfuse — LLM observability
  • Cloudflare — DNS + edge + DDoS
  • Doppler — secrets management

Vulnerability disclosure (VDP)

  • Scope: cavaridge.app, *.cavaridge.app, *.cavaridge.ai, public API endpoints.
  • Out of scope: third-party SaaS Cavaridge consumes, marketing pages of partners.
  • Safe harbor: Good-faith research conducted within scope is welcomed; we will not pursue legal action against researchers acting in good faith.
  • Contact: security@cavaridge.com. Include reproduction steps and any artifacts. Encrypt with our PGP key (link active in v1.1).

Incident response

Live status at status.cavaridge.app. We write a post-mortem for every Sev-1 / Sev-2 incident and publish it within 14 days of resolution.

Questions? Email legal@cavaridge.com.