Security & privacy posture
Cache is built around explicit user action: sign in through supported providers, connect only the accounts you trust, import only the content you choose, and keep billing outside the product through Stripe. This page summarizes the controls we can verify today, the boundaries we want buyers and researchers to understand, and how to reach us if you discover a security issue.
Provider-backed authentication with server-side session checks
User-scoped extension ingest tokens with authenticated session gating
Stripe-managed checkout and billing flows
Global HSTS, frame, referrer, and permissions hardening headers
Cache accounts are authenticated through supported identity providers, with server-side session checks at protected routes and APIs.
Connected data access is intentionally scoped to the providers and permissions a user explicitly enables.
Input validation, token checks, and typed failures are part of the request boundary before data is written.
Operational tooling is designed to reduce accidental exposure when engineers diagnose issues.
Billing is delegated to Stripe flows rather than handled directly in Cache UI or database models.
The web application ships a baseline set of browser and transport hardening headers across routes.
What touches the system
Cache stores identity, saved-content metadata, billing state, and operational signals required to run the service. The product is opinionated about separating those concerns rather than blurring them together.
Names, email addresses, profile images, linked-provider identifiers, and session records used to keep accounts signed in.
Imported links, captions, thumbnails, source identifiers, timestamps, collection metadata, and notes that make a Cache library useful.
Subscription state, Stripe customer identifiers, device and browser metadata, IP or user-agent context, and feedback needed to operate securely.
Honest disclosure
Cache already includes meaningful baseline controls such as provider-backed auth, hardened headers, typed request validation, scoped import permissions, tokenized browser ingestion, and log sanitization.
At the same time, this page is not a claim of SOC 2, ISO 27001, a public bug bounty, or a formal vendor trust portal. If and when those programs exist, they should be documented here explicitly rather than implied.
If your team needs a deeper security review, architecture answer, or data-processing clarification before adopting Cache, email support@cachd.app and include the scope of your review.
Reporting security issues
We welcome good-faith reports from customers, researchers, and partners. Include enough detail for us to reproduce the issue responsibly, and avoid testing that would expose someone else’s data or degrade the service.
Resource
How Cache collects, uses, stores, and shares account, library, billing, and Google user data.
Resource
Service terms, commercial framework language, and legal notice details for Cache.
Resource
A single place for the product’s governing policies and disclosures.