Data Handling & Security
Designed for public company compliance from the first line of code.
Data Flow with Security Controls
1
SAP Export
๐ TLS 1.3
Read-only
2
Cafecito Ingestion
๐ TLS 1.3
PII Scrubbed
3
AI Processing (Claude)
๐ TLS 1.3
Zero Retention
4
KV Storage
๐ TLS 1.3
AES-256
5
Dashboard Output
๐ TLS 1.3
Provider Security Certifications
โ๏ธ Cloudflare
SOC 2 Type II
ISO 27001
FedRAMP (select services)
All data stored and processed at the edge โ never centralized in a single data center. GDPR and CCPA compliant.
View Cloudflare Trust Hub โโฆ Anthropic
SOC 2 Type II
Zero-Data-Retention API
API with zero-data-retention enabled: your data is NOT stored, logged, or used for model training. Contractually guaranteed.
View Anthropic Security โWhat We Don't Do
-
โ
Access Cintas production systemsAll data comes from CSV exports. No SAP credentials, no production access, no VPN required.
-
โ
Store data beyond pilot scopeAll data expires after 90 days. One KV namespace deletion removes everything instantly.
-
โ
Share data with third partiesNo data brokers, analytics platforms, or marketing systems. Two providers: Cloudflare (storage/compute) and Anthropic (AI processing).
-
โ
Train AI models on customer dataZero-data-retention API is contractually enforced. Your customer data never touches Anthropic's training pipeline.
-
โ
Make automated decisionsAll insights are advisory. Cafecito surfaces information โ your team takes action.
Pilot Containment
Scope
One branch ยท Greater Cincinnati
Data Source
Read-only CSV from SAP
Retention
90-day auto-expire on all stored data
Kill Switch
Delete KV namespace = all data gone instantly
Access
Password-gated, session tokens, 4-hour TTL
Data Region
US-only Cloudflare edge locations (configurable)
Account Data
Synthetic for demo, real for pilot start
Compliance Readiness
โ
Data Processing Agreement available for review and signature prior to any data transfer
โ
Security questionnaire welcome at any point in the evaluation process
โ
Pilot can begin with synthetic data while infosec review is in progress
โ
No customer PII required in Phase 1 โ account-level data only
โ
Production auth: SSO/SAML integration available for pilot phase (Okta, Azure AD compatible)
Compliance Roadmap
Now
Platform Security Foundations
Cloudflare infrastructure (SOC 2 Type II, ISO 27001 certified). Anthropic API (SOC 2 Type II, zero-data-retention contractually enforced). All data encrypted in transit (TLS 1.3) and at rest (AES-256).
Q2 2026
SOC 2 Type II Audit Initiated
Cafecito organizational SOC 2 Type II audit engagement begins. Scope: data handling, access controls, incident response, change management.
Q3 2026
SOC 2 Type II Report Available
Independent auditor report covering 6-month observation period. Available to enterprise customers under NDA.
Q4 2026
HIPAA BAA + ISO 27001 (Planned)
For customers with healthcare facility accounts. ISO 27001 certification pursuit begins.
Current state: All customer data flows through SOC 2 Type II certified infrastructure (Cloudflare + Anthropic). Cafecito's organizational SOC 2 Type II audit is on track for Q3 2026 completion.
Ready to Review Our Security Posture?
We welcome security questionnaires, DPA review, and technical deep-dives at any point.
Request Security Documentation โ