Security

Security is not an afterthought at Mission Cadre — it is an engineering constraint embedded in everything we build and every system we operate. We hold ourselves to the same rigorous standards we set for our clients, maintaining a security posture that meets or exceeds enterprise requirements across data handling, access control, and operational practices.

Mission Cadre maintains SOC 2 Type II certification, demonstrating that our security controls have been independently audited and verified over an extended period. This covers the five Trust Service Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy. Our SOC 2 report is available to prospective clients under NDA upon request.

Our information security management practices are aligned with the ISO 27001 standard. We apply a risk-based approach to managing sensitive information, including client data, intellectual property, and internal systems. This includes formal risk assessments, documented controls, and regular internal reviews to ensure ongoing alignment.

All data transmitted to and from Mission Cadre systems is encrypted in transit using TLS 1.2 or higher. Sensitive data at rest is encrypted using AES-256. Encryption keys are managed through dedicated key management services with strict access controls and rotation policies. Client data is never stored in unencrypted form.

Access to client data and internal systems is granted on a least-privilege basis. All staff access is governed by role-based access controls, multi-factor authentication, and regular access reviews. Privileged access is logged and monitored. Contractor and third-party access is subject to the same controls and is time-limited by default.

Our engineering team follows secure development lifecycle (SDLC) practices on all client engagements. This includes threat modeling, static code analysis, dependency vulnerability scanning, and peer code review. Security requirements are defined at the start of each engagement and validated prior to production deployment.

Mission Cadre maintains a documented incident response plan that is tested regularly. In the event of a security incident affecting client data, we commit to notifying affected clients within 72 hours of discovery, consistent with GDPR and applicable breach notification requirements. Our response team is on call 24/7 for critical incidents.

All third-party vendors and sub-processors used by Mission Cadre are evaluated against our security requirements prior to engagement. We maintain a register of sub-processors and conduct periodic reviews to ensure ongoing compliance. Clients are notified of any material changes to our sub-processor list.

Mission Cadre complies with the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). We act as a data processor for client data and adhere to documented data processing agreements. Individuals have the right to access, correct, delete, and port their personal data. Requests can be submitted to support@missioncadre.com.

We monitor and actively prepare for obligations under the EU Artificial Intelligence Act. All AI systems we design and deploy for clients are evaluated for risk classification, transparency requirements, and human oversight obligations. We maintain documentation to support conformity assessments where required.

We welcome reports of potential security vulnerabilities from security researchers and the public. If you believe you have discovered a security issue affecting Mission Cadre systems or our website, please report it responsibly to support@missioncadre.com. We commit to acknowledging all reports within 48 hours and working with reporters in good faith to resolve confirmed issues promptly.