Trust center

Safety is on the render path, not in a policy PDF.

Every claim on this page maps to implemented, tested behavior in the product. Where something is not built yet, we say so.

Content provenance

Every asset that leaves the generation path carries a C2PA style provenance manifest, a durable content-derived watermark, and a disclosure flag aligned with EU AI Act Article 50. No asset is returned without them.

Provenance is attached inside the pipeline, after rendering and before anything is handed back, including intermediate assets such as the locked hero frame in staged generation.

Consent and prohibited content

Real person likeness is deny by default and requires recorded consent before generation proceeds. Political and election content is blocked in every geography, with an obfuscation-resistant matcher that catches leet speak, spacing tricks, and paraphrase attempts.

The input policy and the named-person registry are reviewable configuration, updated without a code release. A blocked prompt never reaches a model and never spends a credit.

Explicit publish confirmation

Publishing is a two step flow: Cadenza prepares per-platform previews, and nothing posts until you confirm each destination individually. There is no autonomous posting path in the codebase.

An asset without a provenance manifest cannot be published at all. The safety gate refuses the whole request.

Audit logging

Every generation, block, quarantine, failover, and publish is written to a hash chained audit log. The chain is verifiable, and tests exercise it under concurrent writers.

Authentication and credentials

Sign in uses Google, GitHub, or an emailed magic link through Supabase. Web sessions are signed, HTTP-only cookies. API keys are scoped, shown once, and only a hash is stored. Agent connections use a browser approval flow, so no credential is ever pasted into a config file.

Third-party platform tokens are hashed at rest and are never written to configuration files.

Your data

Brand Memory, references, and generation records are scoped to your account. Public share pages are opt in, and every brand fact is scrubbed at the boundary before anything becomes public, which is covered by tests.

You can request account deletion from your profile or by contacting us; profile rows are protected by row level security.

Third-party model providers

Shots are routed to external video model providers according to a reviewable routing policy. Prompts sent to a provider contain the encoded shot direction, never your account credentials. Model names, routing, and availability are published configuration.

Honest limitations

Cadenza is in beta. We hold no compliance certifications yet, and we will not claim any until an audit says so.

Post-render detection scanning is a conservative, low false-positive backstop. Our primary controls are policy blocking before generation and provenance on every output, because detection alone loses the arms race.

Live provider rendering, live payment checkout, and live platform posting are open seams documented on the build page.

Reporting a security issue

If you believe you have found a vulnerability, contact us through the beta channel you joined with, and we will respond as fast as we can. Please do not test against other users' data.

Trust center | Cadenza