How does Cadence handle client payment data?

Cadence does not see, store, or process client payment card data at any point. All payment flows route through Stripe Connect — clients enter their card directly into a Stripe-hosted form (PCI DSS Level 1 compliant), and funds settle directly into the coach's own Stripe account. Cadence's role is limited to creating the Stripe checkout session; we never touch the money or the card data.

Where is client data stored, and is it encrypted?

Client data (names, programs, check-ins, photos, messages) is stored in a managed Postgres database with encryption-at-rest enabled by default. The database is region-locked to the United States and access is restricted to a small set of allowlisted application IPs. Backups are encrypted and retained 30 days.

Does Cadence store coach client lists in a way that could be accessed by other coaches?

No. Every coach's data is row-level scoped to their account; the application enforces tenant isolation on every query. There is no admin tool that lets one coach see another coach's clients, programs, or messages.

What happens to my data if I cancel?

You can export every client's full data in a standard JSON format at any time, including after cancellation. Account data is retained 90 days post-cancellation in case of reactivation; after 90 days it is purged on a rolling weekly schedule. Backups are purged on the standard 30-day cycle.

Does Cadence use aggregator credentials like Plaid or Yodlee?

No. Cadence does not connect to client bank accounts, brokerages, or any aggregator-credential service. Coach revenue flows direct from clients to coach via Stripe Connect — no aggregator involvement.

What is Cadence's breach disclosure policy?

In the event of a security incident affecting customer data, Cadence will notify all affected coaches via email within 72 hours of confirmed exposure, with details on what was accessed and what action is required. We commit to publishing a public post-mortem within 14 days of any confirmed incident.

Is Cadence HIPAA compliant?

Cadence is built for fitness, nutrition, and general coaching practices — it is not a clinical EHR and is not HIPAA-certified. If your coaching practice handles Protected Health Information requiring HIPAA compliance, Practice Better is a HIPAA-compliant clinical EHR for that segment.

Does Cadence sell or share customer data?

No. Customer data is never sold, rented, or shared with third parties for marketing, advertising, or any commercial purpose. Data is shared only with the subprocessors required to deliver the service (Stripe for payments, the database host, the email transactional sender) — full subprocessor list is at /privacy.

Security & Data Practices

What we encrypt, what we never share, what we'd tell you in a breach.

Most security pages are written by lawyers and read like furniture. Ours is written by the people who built the system. If a coach in your audience asks "what happens to my client data," this is the answer to forward.

Payments

PCI compliance handled by Stripe

Card numbers never touch our servers. They go directly from your client's browser to Stripe (PCI-DSS Level 1 certified). We store only the Stripe Customer ID. If our database leaked tomorrow, no card data goes with it.

Storage

Database encrypted at rest

Neon Postgres with AES-256 encryption at rest. Point-in-time restore for disaster recovery. Daily automated backups retained 7 days. Your data lives in us-east-2 on AWS infrastructure.

Transit

HTTPS everywhere, no exceptions

TLS 1.3 on every endpoint. SSL certificates auto-renewed by Netlify. HSTS headers enforce HTTPS-only. No HTTP fallback, no mixed content. Verified via securityheaders.com A-grade.

Access

2FA on coach login (Q3 2026)

Currently password-only. Two-factor auth via TOTP (Google Authenticator / 1Password / Authy) ships in v0.2 (Q3 2026). We document this honestly on /capabilities rather than implying it already exists.

Isolation

Per-coach data scope

v0.1 uses a single-tenant pattern with per-coach user_id scoping. Multi-tenant Row Level Security (RLS) ships with v0.2 multi-trainer team accounts. Until then, every coach is a separately-deployed instance.

Claude API — no training on your data

AI plan generation runs on Anthropic's Claude API. Per Anthropic's policy, your inputs are not used to train models. We send the minimum context needed — never client names or PII unless the coach explicitly includes them. AI logs are deleted within 30 days on Anthropic's side.

Ownership

You own your data — period

Coach owns 100% of their roster, programs, training history, and brand assets. Full export anytime as CSV + JSON via the dashboard or by emailing us. No "data hostage" clauses. Cancel and walk with everything.

Sharing

We never sell or share data

Coach data and client data are never sold, shared with advertisers, used for cross-product marketing, or licensed to third parties. Subprocessors (Stripe, Neon, Anthropic, Netlify, Brevo) are listed below. No data goes anywhere else.

Disclosure

Breach notification within 72 hours

If we ever detect unauthorized access affecting your data, we notify you within 72 hours with: what happened, what data was exposed, what we're doing about it, what you should do. Honest disclosure, not legal-team-laundered notice.

Subprocessors — every place your data touches

The complete list. If we ever add or remove one, this page updates and we send a notice email to all coaches.

Stripe (Payments)

PCI-DSS Level 1SOC 1, SOC 2 Type IIUSA

Handles all card data, recurring billing, payouts. We never see card numbers. Stripe privacy policy →

Neon (Postgres database)

SOC 2 Type IIAES-256 at restAWS us-east-2

All coach + client data lives here, encrypted at rest. Point-in-time restore available for last 7 days. Neon privacy policy →

Anthropic (Claude API for AI plan generation)

SOC 2 Type IINo training on your dataUSA

Powers AI plan generation, AI meal scan, AI rest-day messaging. We send minimum context. Anthropic privacy policy →

Netlify (Hosting + Edge functions)

SOC 2 Type IIDDoS protectionGlobal CDN

Hosts the static site + Netlify Functions for our API endpoints. Netlify privacy policy →

Brevo (Transactional + lifecycle email)

GDPR-compliantEU + USA

Sends welcome emails, billing notifications, lifecycle messages. Recipient email addresses only — no client training data ever sent. Brevo privacy policy →

What we do NOT collect

Client cards or bank details — those go directly to Stripe, never to us.
Browsing behavior or fingerprinting — no third-party analytics, no fingerprinting, no advertising trackers anywhere on this site. Aggregate traffic counts come from Netlify's server-side analytics (parsed from server logs, no client cookies, never leaves Netlify).
Cross-site tracking — no Meta Pixel, no Google Analytics, no LinkedIn Insight, no retargeting cookies. Zero third-party tracker requests fire on page load. Verifiable in your browser's Network tab.
Biometric or facial data — progress photos are stored as files, not analyzed for identity.
Health information beyond what coaches log — we don't pull from Apple Health, Whoop, etc. unless the coach explicitly turns on those integrations (v0.3 roadmap).

The honest gaps

Things we don't have yet, by category, with timeline:

2FA on coach login — currently password-only with bcrypt hashing. TOTP-based 2FA ships v0.2 (Q3 2026).
SOC 2 audit — not pursuing for v0.1. Cost is $30-100K and only relevant for enterprise sales. Will pursue in v0.4 if/when we go upmarket.
HIPAA compliance — not pursuing yet. Most coaches don't need it. Required only for clinical PT/RD use cases — those land in v0.3 with a separate compliance audit.
Single-tenant isolation — v0.1 isolates per coach by application logic, not Postgres RLS. Multi-trainer Studio tier introduces RLS in v0.2.
Independent penetration test — internal security review only on v0.1. External pentest scheduled for v0.2 launch.

Reporting a vulnerability

If you find a security issue, email security@vantagedigital.dev directly. We respond within 24 hours, ship fixes for critical issues within 48 hours, and credit the reporter publicly (or anonymously, your call) on a vulnerability disclosure page once the fix ships.

We don't run a paid bounty program at v0.1, but we send a thank-you box of nice merch for verified valid reports. The bounty program lands in v0.3.

This page is the contract

Anything stated here is binding. If we change a practice, this page updates within 7 days and active coaches get an email. The version history of this page is visible in our public Git repo at github.com//vantage-digital — you can see every revision.

The honest threat model

You can't hide JavaScript from someone who installs your PWA. Cadence is a web app — the source is visible to anyone who opens DevTools, and the marketing site source is on GitHub publicly. Trying to obfuscate code is security theater. The right defense is "even with full source-code visibility, an attacker can't do anything harmful." That's how we build.

Specifically:

No secrets in client code. No API keys, service tokens, or credentials are present in the JS that ships to your browser. AI-generation prompts, business logic, and integration credentials all live server-side in Netlify Functions.
Server-side authorization on every API call. A coach cannot read another coach's data even if they discover the API endpoint URL. Tenant ID is read from the authenticated session, never from request parameters.
Database row-level security. Neon Postgres enforces WHERE tenant_id = current_authenticated_user on every table query, so even a misbehaving Function cannot leak across tenants.
Security headers on every response: HSTS (HTTPS-only for 1 year), Content-Security-Policy (blocks unsanctioned scripts), X-Frame-Options DENY (no clickjacking), Permissions-Policy (disables unneeded browser features), Referrer-Policy (no leakage to third parties).

The full internal threat model is documented in marketing/security-threat-model.md. Eleven distinct threats catalogued (T1–T11), each with shipped mitigations and open todos. Studio reviews this quarterly.

Vulnerability disclosure (RFC 9116)

If you've found a vulnerability, please report it to security@vantagedigital.app. The full disclosure policy lives at /.well-known/security.txt (RFC 9116-compliant).

We commit to:

Acknowledge your report within 72 business hours.
Provide a status update within 7 business days.
Coordinate disclosure timing with you — typically a 90-day window before public discussion.
Credit you publicly on this page (in the acknowledgments section below) if you wish, or maintain your anonymity.
Not pursue legal action against good-faith researchers operating within our published guidelines.

Out of scope: social engineering, physical attacks, denial-of-service testing, third-party sub-processor vulnerabilities (report directly to them), self-XSS, missing best-practice headers without demonstrable impact.

Acknowledgments

Researchers who have responsibly disclosed vulnerabilities to us appear here, with their consent. The list is currently empty because Cadence is in v0.1 and no vulnerabilities have been responsibly disclosed yet. If that changes, this section updates within 30 days of remediation.

Third-party verification

Independent security scanners audit our HTTP response headers and SSL configuration. Click any badge to see the live scan against today's deployed site — no screenshots, no caching.

Security Headers

securityheaders.com

CSP locked · HSTS preload · X-Frame DENY · COOP same-origin · Permissions-Policy · Referrer-Policy strict. Capped at A by `unsafe-inline` in CSP (required for inline JSON-LD + style blocks).

Mozilla Observatory

B+

observatory.mozilla.org · 80/100

9 of 10 tests pass. Same `unsafe-inline` deduction (-20). Cookies, CORS, redirection, referrer-policy, HSTS, X-Content-Type, X-Frame, CORP all clean.

Qualys SSL Labs

A+

ssllabs.com

TLS 1.3 only · perfect-forward-secrecy ciphers · HSTS preloaded · cert chain trusted by all major roots. Both Netlify edge IPs A+.

Grades verified May 4, 2026. Scanners are run on demand against the live deployment. The CSP `unsafe-inline` deduction is the result of a deliberate trade-off — inline JSON-LD schema blocks (for SEO) and inline styles (for self-contained pages, no external CSS) require the directive. Removing it would force every style/script into separate files, adding HTTP requests + complicating the no-third-party promise.

third-party network requests

on every public page · enforced by browser CSP

Most coaching platforms load 15–25 third-party trackers per page — Google Analytics, Meta Pixel, LinkedIn Insight, Hotjar session-replay, retargeting cookies. Vantage Digital and Cadence load zero. No analytics, no advertising, no fingerprinting. Even fonts are self-hosted.

Verify it yourself: open /network-audit — that page runs a live count using your browser's Performance API and shows the receipt. Or open DevTools → Network tab → reload. The only requests you'll see are vantagedigital.dev plus Stripe (only on checkout pages, only when you click Subscribe). That's the entire list.

Built for coaches who ask the security question.

If your coaching practice involves clients with sensitive metrics, money, or training data — these are the people you want building the platform.

Start Cadence — $299 setup See full capability audit