Privacy Policy

Effective date: March 10, 2026. This policy applies to all users of Cadenora Bridge and the cadenora.com website.

Cadenora ("we", "us", or "our") is a Canadian company that builds secure document collaboration software for professional services firms. This Privacy Policy explains how we collect, use, disclose, and protect personal information in connection with Cadenora Bridge and our marketing website at cadenora.com.

We are committed to complying with the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy legislation. By using our services, you acknowledge that you have read and understood this policy.

Cadenora acts as both a data controller (for information collected about visitors and account holders on our website) and a data processor (for personal information uploaded into Cadenora Bridge by our firm customers). When acting as a processor, the firm is responsible for the lawful basis of its data processing activities; this policy addresses Cadenora's own collection and use.

1. Information We Collect

1.1 Information You Provide Directly

When you register for Cadenora Bridge, contact us, or request a demo, we may collect:

  • Full name and professional title
  • Business email address and phone number
  • Firm name and industry
  • Account credentials (email address; passwords are stored using industry-standard one-way hashing and are never stored in plaintext)
  • Multi-factor authentication configuration (stored in hashed form)
  • Support and inquiry communications

1.2 Information Collected Automatically

When you use Cadenora Bridge or visit cadenora.com, we automatically collect:

  • IP address and approximate geographic location (country/region level)
  • Browser type, version, and operating system
  • Pages visited, features used, and time spent within the application
  • Referring URLs and navigation paths
  • Session identifiers stored in encrypted, server-side session stores
  • Application event logs and error reports used for system health and debugging

1.3 Customer-Uploaded Content

Cadenora Bridge allows firms to upload documents, messages, and related data on behalf of their clients. This content may contain personal information about third parties (e.g., investors, residents, or legal clients). Cadenora processes this data as a service provider acting on behalf of the firm. The firm is responsible for obtaining any required consents from those individuals. We do not access, analyze, or use this content for any purpose other than providing the contracted service.

2. How We Use Your Information

We use the personal information we collect for the following purposes, each of which we consider necessary for the performance of our contract with you or for our legitimate business interests:

2.1 Service Delivery

  • Creating and managing your account and tenant workspace
  • Authenticating your identity and maintaining secure sessions
  • Processing document uploads, notifications, and messaging within Bridge
  • Providing customer support and responding to inquiries
  • Sending transactional emails (invitations, document notifications, account alerts)

2.2 Service Improvement and Security

  • Monitoring system performance, diagnosing errors, and maintaining platform reliability
  • Detecting and preventing fraudulent activity, abuse, and unauthorized access
  • Maintaining tamper-evident audit logs of all user actions within the platform
  • Conducting internal analytics to improve features and user experience

2.3 Legal and Compliance

  • Complying with applicable Canadian privacy legislation and other legal obligations
  • Enforcing our Terms of Service
  • Responding to lawful requests from government or regulatory authorities

2.4 Communications (with Consent)

  • Sending product updates, security advisories, and service announcements
  • Marketing communications where you have provided express consent — you may withdraw consent at any time via the unsubscribe link in any email or by contacting us at privacy@cadenora.com

3. Data Storage and Residency

Regional Data Residency Guarantee

Cadenora's infrastructure is deployed in designated regional data centres. Customer data — including documents, messages, audit logs, and personal information — is stored within the region selected at tenant onboarding and does not leave that region except where explicitly described below. This is a hard architectural constraint, not a policy statement.

3.1 Infrastructure

Cadenora operates its own infrastructure using dedicated servers and cloud resources. Our primary production environment is located in Canada. All primary databases, object storage, and search indexes are hosted within this region.

3.2 Backups

Database and object storage backups are created on a regular schedule and retained within the same geographic region as the primary data. Backups are encrypted at rest.

3.3 Cross-Border Data Transfers

In limited circumstances, data may be accessed by Cadenora personnel or systems outside the primary data region (e.g., for emergency support operations). When this occurs, we employ appropriate safeguards including encrypted channels and access controls. We do not sell, transfer, or disclose customer data to parties in foreign jurisdictions except as required by law or as described in Section 5 (Third-Party Services).

4. Data Security

We implement a multi-layer security architecture designed to protect personal information against unauthorized access, disclosure, alteration, and destruction. Our key security controls include:

Encryption

All data is encrypted in transit using TLS 1.2 or higher. All data at rest — including documents, database records, and backups — is encrypted using industry-standard algorithms. Sensitive tokens and passwords are stored using one-way hashing.

Authentication

Cadenora Bridge supports multi-factor authentication. Accounts are subject to brute-force protections including login attempt rate limiting and temporary account lockouts. Session tokens are rotated and expire on inactivity.

Access Controls

Role-based access controls (RBAC) restrict data access to authorized users within a tenant. Tenant data is isolated at the database level using enforced access boundaries. Platform operations staff access is logged, audited, and restricted to read-only in production environments by default.

Audit Trails

Every material action within Cadenora Bridge — document uploads, downloads, access, sharing, and administrative changes — is recorded in a tamper-evident audit log. Audit records are timestamped, attributed to a specific user and session, and retained for the duration defined by your firm's configuration.

Infrastructure Security

Infrastructure is monitored continuously with automated health checks and alerting. Deployments follow a controlled release strategy with automated rollback capabilities. Network access is restricted by secure tunnel and firewall policies; no services are exposed directly to the public internet.

Incident Response

We maintain an incident response process for security events. In the event of a breach involving personal information, we will notify affected customers and, where required by PIPEDA, report to the Office of the Privacy Commissioner of Canada within the legislated timeframes.

While we employ industry-standard safeguards, no system is perfectly secure. We encourage users to use strong, unique passwords and to enable multi-factor authentication on their accounts.

5. Third-Party Services

Cadenora uses a limited number of third-party service providers to operate our platform. We share personal information with these providers only to the extent necessary to deliver our services, and we require them to protect that information in accordance with applicable law.

5.1 Infrastructure and Hosting

Our production infrastructure is hosted on Canadian cloud infrastructure. Our hosting providers process data in accordance with their Data Processing Agreements and applicable privacy standards.

5.2 Email Delivery

We use transactional email delivery providers to send account notifications, invitations, and other service emails. These providers receive recipient email addresses and email content for the purpose of delivery only. They are contractually prohibited from using this data for any other purpose.

5.3 Network Security

We use a network security provider for DNS resolution and traffic protection services. This provider may process connection metadata (IP addresses, request headers) in the course of providing network services.

5.4 No Data Selling

Cadenora does not sell, rent, or trade personal information to any third party. We do not share personal information with advertisers or data brokers. We do not use customer data to train machine learning or AI models without explicit written consent.

For a current list of sub-processors and service providers, please contact privacy@cadenora.com.

6. Cookies and Tracking

6.1 Cookies We Use

We use a minimal set of cookies that are necessary for the operation of our service:

| Cookie | Type | Purpose |
|---|---|---|
| Session cookie | Strictly necessary | Authenticated session identifier. HttpOnly, Secure, SameSite=Strict. Expires on session end or after inactivity timeout. |
| CSRF cookie | Strictly necessary | Cross-site request forgery protection. Required for all state-changing requests. |

6.2 What We Do Not Use

Cadenora does not use advertising cookies, third-party tracking pixels, behavioural profiling technologies, or analytics platforms that collect personally identifiable data. We do not use Google Analytics or similar third-party analytics services.

6.3 Strictly Necessary Cookies

The session cookie listed above is strictly necessary for the application to function. You cannot opt out of this cookie while using the authenticated application. You may block cookies in your browser, but doing so will prevent you from logging in to Cadenora Bridge.

7. Data Retention

We retain personal information only as long as necessary to fulfill the purposes for which it was collected, or as required by applicable law.

7.1 Account Data

Account information (name, email, role, session history) is retained for the duration of your active account. If an account is closed or a tenant subscription is terminated, we begin a 30-day grace period during which data may be recovered. After that period, account data is permanently deleted from primary systems within 90 days. Backups containing account data are purged on a rolling 30-day schedule.

7.2 Customer-Uploaded Documents

Tenant firms may configure document retention policies within their workspace. Documents subject to an active retention policy are preserved for the defined period regardless of manual deletion requests. When no retention policy applies, documents are deleted when removed by authorized firm users. Following tenant termination, all associated document storage is purged within the same 90-day timeline described above.

7.3 Audit Logs

Audit logs are retained for a minimum of 12 months to support compliance, security investigations, and dispute resolution. Firm administrators may configure longer retention periods as required by their regulatory obligations.

7.4 Marketing and Inquiry Data

Personal information submitted via demo request forms or email inquiries is retained for up to 24 months, or until you request deletion, whichever is sooner.

8. Your Privacy Rights (PIPEDA)

Under PIPEDA, individuals have the following rights with respect to their personal information. We will respond to verified requests within 30 days, or notify you if an extension is required.

Right of Access

You may request a copy of the personal information we hold about you, along with information about how it has been used and disclosed.

Right to Correction

If you believe personal information we hold about you is inaccurate or incomplete, you may request that we correct it. You may update most account information directly within your profile settings.

Right to Withdrawal of Consent

Where we rely on your consent as the basis for processing (e.g., marketing communications), you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing that occurred prior to withdrawal.

Right to File a Complaint

If you believe your privacy rights have been violated, you may contact us at privacy@cadenora.com. If you are unsatisfied with our response, you have the right to file a complaint with the Office of the Privacy Commissioner of Canada at www.priv.gc.ca.

Account Deletion

You may request deletion of your personal information by contacting us. Please note that some information may be retained as required by law, to fulfill outstanding contractual obligations, or as part of audit records that cannot be individually modified. We will explain any such limitations when we respond to your request.

Note for client-portal users: If you are an end-user of a firm's client portal (e.g., an investor, resident, or legal client), your personal information is managed by the firm that invited you. To exercise your rights with respect to that personal information, please contact the firm directly. We will cooperate with firms in fulfilling their obligations to their clients.

9. Children's Privacy

Cadenora Bridge is designed for use by professional services firms and their adult business clients. Our services are not directed to, and we do not knowingly collect personal information from, individuals under the age of 18. If you are a parent or guardian and believe that your child has provided personal information to us, please contact us at privacy@cadenora.com and we will take steps to delete that information promptly.

10. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:

  • Update the effective date at the top of this page
  • Notify active account holders by email at the address associated with their account at least 14 days before the changes take effect
  • Where required by law, seek fresh consent for any materially new uses of personal information

We encourage you to review this policy periodically. Your continued use of our services after the effective date of any updated policy constitutes your acceptance of the changes, to the extent permitted by applicable law.

11. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our handling of your personal information, please contact our Privacy Office:

Privacy Inquiries

Company: Cadenora
Location: Based in Canada
Privacy email: privacy@cadenora.com
General email: hello@cadenora.com

We will acknowledge receipt of your inquiry within 5 business days and provide a substantive response within 30 days. If the matter is complex or requires additional time, we will notify you of the delay and provide an estimated timeline.

If you are not satisfied with our response, you may escalate your complaint to the Office of the Privacy Commissioner of Canada:

Office of the Privacy Commissioner of Canada

30 Victoria Street, Gatineau, Quebec K1A 1H3

Toll-free: 1-800-282-1376

Website: www.priv.gc.ca