Data Handling & Security

Designed for public company compliance from the first line of code.

Data Flow with Security Controls

1. SAP Export: 🔒 TLS 1.3, Read-only
2. Cafecito Ingestion: 🔒 TLS 1.3, PII Scrubbed
3. AI Processing (Claude): 🔒 TLS 1.3, Zero Retention
4. KV Storage: 🔒 TLS 1.3, AES-256
5. Dashboard Output: 🔒 TLS 1.3

Provider Security Certifications

โ˜๏ธ Cloudflare
SOC 2 Type II ISO 27001 FedRAMP (select services)

All data stored and processed at the edge โ€” never centralized in a single data center. GDPR and CCPA compliant.

View Cloudflare Trust Hub โ†’
โœฆ Anthropic
SOC 2 Type II Zero-Data-Retention API

API with zero-data-retention enabled: your data is NOT stored, logged, or used for model training. Contractually guaranteed.

View Anthropic Security →

What We Don't Do

  • โŒ
    Access Cintas production systems
    All data comes from CSV exports. No SAP credentials, no production access, no VPN required.
  • โŒ
    Store data beyond pilot scope
    All data expires after 90 days. One KV namespace deletion removes everything instantly.
  • โŒ
    Share data with third parties
    No data brokers, analytics platforms, or marketing systems. Two providers: Cloudflare (storage/compute) and Anthropic (AI processing).
  • โŒ
    Train AI models on customer data
    Zero-data-retention API is contractually enforced. Your customer data never touches Anthropic's training pipeline.
  • โŒ
    Make automated decisions
    All insights are advisory. Cafecito surfaces information โ€” your team takes action.

Pilot Containment

Scope: One branch · Greater Cincinnati
Data Source: Read-only CSV from SAP
Retention: 90-day auto-expire on all stored data
Kill Switch: Delete KV namespace = all data gone instantly
Access: Password-gated, session tokens, 4-hour TTL
Data Region: US-only Cloudflare edge locations (configurable)
Account Data: Synthetic for demo, real for pilot start

Compliance Readiness

✅ Data Processing Agreement available for review and signature prior to any data transfer
✅ Security questionnaire welcome at any point in the evaluation process
✅ Pilot can begin with synthetic data while infosec review is in progress
✅ No customer PII required in Phase 1 — account-level data only
✅ Production auth: SSO/SAML integration available for pilot phase (Okta, Azure AD compatible)

Compliance Roadmap

Now: Platform Security Foundations
Cloudflare infrastructure (SOC 2 Type II, ISO 27001 certified). Anthropic API (SOC 2 Type II, zero-data-retention contractually enforced). All data encrypted in transit (TLS 1.3) and at rest (AES-256).

Q2 2026: SOC 2 Type II Audit Initiated
Cafecito organizational SOC 2 Type II audit engagement begins. Scope: data handling, access controls, incident response, change management.

Q3 2026: SOC 2 Type II Report Available
Independent auditor report covering 6-month observation period. Available to enterprise customers under NDA.

Q4 2026: HIPAA BAA + ISO 27001 (Planned)
For customers with healthcare facility accounts. ISO 27001 certification pursuit begins.

Current state: All customer data flows through SOC 2 Type II certified infrastructure (Cloudflare + Anthropic). Cafecito's organizational SOC 2 Type II audit is on track for Q3 2026 completion.

Ready to Review Our Security Posture?

We welcome security questionnaires, DPA review, and technical deep-dives at any point.

Request Security Documentation →