Security & compliance

Defensible by design.

Cadre Watch was built knowing the record might be read by an internal investigator, an arbitrator, or a court — and the contract by a city attorney. Every layer, from RLS to insurance, is designed to make that review easy.

For procurement

The answers your city attorney is going to ask for.

We're a young company being transparent about exactly where we are on each control. Nothing here is marketing — it's what we'll put in writing.

Aligned

CJIS Security Policy alignment

Cadre Watch is built to the controls in the FBI CJIS Security Policy v5.9+: advanced authentication, session lock, audit logging, encryption in transit (TLS 1.2+) and at rest (AES-256), least-privilege access, and personnel screening for any staff with production access. We do not store CHRI, NCIC, or III data — DORs reference incidents narratively, not by criminal-history record.

In progress

SOC 2 Type II

We are actively pursuing SOC 2 Type II with an observation window beginning Q2 2026. Until the report is issued, we provide a security questionnaire response (CAIQ-lite + custom controls matrix) on request, signed by the founder.

Enforced

US-only data residency

All tenant data — database rows, file uploads, backups, and logs — is stored in US-region infrastructure. No data is replicated to non-US regions. Vendor staff with production access are US persons.

Contractual

Data ownership & exit

Your data is yours. On 30 days notice you receive a full export: every DOR, rollup, remediation plan, signature, and audit-log entry as both PDFs and structured CSV/JSON. All tenant data is deleted within 60 days of contract end, with a written certificate of destruction on request.

Carried

Insurance

Cyber liability and technology errors & omissions coverage in place through a US carrier. Certificates of insurance are available to procurement on request and can name the agency as additional insured where required.

On request

MSA, DPA, and BAA

Sample Master Services Agreement and Data Processing Addendum are available for legal review before contract. We can execute agency-paper contracts. A Business Associate Agreement is available for agencies whose FTO program touches PHI (e.g. fitness-for-duty notes).

Need a vendor security packet? We send a single PDF containing the SOC 2 progress letter, CJIS control mapping, sample MSA + DPA, certificate of insurance summary, and our incident-response policy. Request it from your contact form and we reply within one business day.

Inside the app

Access controls that hold up in an IA review.

Row-Level Security

Every database table enforces access at the row level. An FTO sees only their own DORs; a supervisor sees their platoon; a recruit sees only their submitted reports. RLS is the backstop — server-side middleware is the gate.

Role Separation

Distinct roles for Chief, Deputy Chief, FTO Coordinator, Admin, Supervisor, FTO, and Recruit — each with explicit policy scopes. Roles live in a separate table, never on the profile, to prevent privilege escalation.

Signed Acknowledgements

Every signature is a typed name + timestamp captured server-side. Trainee acknowledgements, FTO sign-offs, and supervisor review signatures are stored on the report and reproduced on the PDF.

Immutable Audit Trail

Every status transition, override, role change, and certification update writes to an append-only audit log. Command staff can query and export the trail at any time.

Domain-Restricted Sign-Up

New accounts are restricted to authorized department email domains. All new accounts require explicit Chief or Deputy Chief approval before they can access the app.

No Public Data Exposure

There are no public endpoints that return officer or recruit data. The marketing site you're reading right now has zero access to tenant data — the app lives behind authentication.

Where your data lives

One private database. No officer-device storage. No third-party trainers.

Every DOR, signature, rating, audit entry, and uploaded certificate lives in your agency's private Postgres database, hosted in the US. PDFs are generated on demand from the source records — nothing is cached on officer devices or shipped to outside services. Once written, audit entries cannot be edited or deleted by anyone, including the chief.

Daily Observation Reports
daily_observation_reports, dor_ratings, dor_calls, dor_acknowledgements, supervisor_overrides
DOR PDFs
Generated on demand from the database — never stored as files.
Weekly evaluations
weekly_evaluations
Remediation / PIPs
remediation_plans, remediation_activities, remediation_evaluations
Immutable audit log
audit_logs — insert-only; no UPDATE or DELETE policy exists.
People, roles, permissions
profiles, user_roles, user_permissions, trainees
Certifications
user_certifications (metadata) + private cert-documents storage bucket (uploaded files)
Notifications
notifications
AI suggestions
ai_suggestions — used to improve in-app prompts; never sent to third-party model trainers.

Row-Level Security on every table

FTOs see their DORs, recruits see their signed records, supervisors see their squad, command sees everything.

Audit log is append-only

No UPDATE or DELETE policy exists on audit_logs. Nobody — including the chief — can edit history from the app.

Uploads stay private

Certificate files live in a private bucket. No public URLs, no shareable links by default.

Export everything, anytime

Chief or deputy can pull a full agency ZIP (every table as CSV + README) or a filtered audit-log CSV from the admin console.

Hosting

Modern, encrypted, US-hosted infrastructure.

Encrypted in transit

TLS 1.2+ on every connection. The marketing site and the app are served over HTTPS with HSTS.

Encrypted at rest

Database and file storage are encrypted with AES-256 and managed keys. Document uploads (certifications) live in a private bucket scoped per officer.

Per-tenant isolation

Each agency gets its own tenant with its own users, categories, and SEG anchors. No cross-tenant access by design — enforced in RLS, not just application code.

Incident response

If something goes wrong, you hear from us first.

Security incidents affecting tenant data are reported to the agency's designated contact within 24 hours of confirmation, with a written post-incident report within 5 business days. We don't wait for you to notice.

Uptime & support

99.9% target, with credits for misses.

Standard SLA targets 99.9% monthly uptime excluding scheduled maintenance, with service credits for misses. Watch and Command tiers get a named support contact and a 4-hour response SLA for critical issues.

Have a specific compliance requirement?

Tell us your state, your accreditation status, and what your city attorney needs to see. We'll send the matching documentation.

Request the security packet