Cavatim security policy for planner data, accounts, backups, and agents

Account access

• Authenticated planner, goals, settings, admin, and API surfaces are kept outside the public marketing sitemap.
• Session cookies, MFA cookies, sensitive-action flows, and protected app route checks are used for account access.
• Password reset, MFA, support, and billing flows must avoid returning raw tokens, reset codes, or MFA secrets in production responses.

Browser and API protections

• Production script CSP blocks broad unsafe inline scripts, and Trusted Types is tracked through a reviewed rollout plan.
• Browser-facing helpers must not expose privileged API tokens, and compromised public token families are treated as invalid.
• Sensitive local caches are classified and purged on logout or account switch; browser storage remains a working cache rather than the canonical account record.

Data integrity and recovery

• The API-backed account copy is the system of record for synced planner, goal, settings, workflow, and automation data.
• SQLite WAL, scheduled backups, rollback drills, planner-health checks, and planner-stability smoke tests support recovery and regression detection.
• Normal users can export goals, planner schedules, and full account data without admin intervention.

Security reporting

Report suspected vulnerabilities to support@cavatim.com with a clear description, affected URL or feature, reproduction steps, and whether any data may have been exposed.

Do not access, alter, delete, retain, or share another person's data while testing. Cavatim may restrict accounts or traffic that creates risk to users or service availability.