Security Features
Where employee trust and enterprise security requirements meet.
From a cancer diagnosis to a company acquisition, Cascade handles what your employees and your business need to share in confidence.
SOC 2 Type 2 certified, identity-first, and grounded in your documentation only.
Everything your IT team needs to start the review.
Cascade is SOC 2 Type 2 certified and compliant with GDPR and CCPA. Every answer employees receive is grounded in your organization’s documentation, with no external model data used to fill gaps. Employees control what stays private and what escalates to HR, and your IT team controls which data sources Cascade connects to.
What employees share stays between them and the platform.
HR holds some of the most sensitive conversations that happen inside any organization. An employee asking about a cancer diagnosis, childcare support, a mental health accommodation, or financial hardship through a leave program needs to know that conversation goes nowhere without their consent. When employees aren’t confident a tool is private, they don’t use it, and the questions that could have connected them to real support go unasked.
Cascade is confidential by design: every conversation stays between the employee and the platform unless the employee chooses otherwise. When they choose to escalate, they see the full contents of what will be shared before anything is sent.

Access is earned, scoped, and logged.
Cascade is identity-first: before it answers anything, it knows who is asking.
Every response is filtered through the employee’s role, location, eligibility, and access permissions, and nothing outside that scope is surfaced.
Role-based access
Individual contributors see what they are entitled to see. Managers see what their role authorizes. That mapping is defined during implementation and enforced on every interaction, so a question about compensation or leave never returns information the employee does not have permission to view.
Scoped data sources
During implementation, your team defines exactly which systems and repositories Cascade connects to. Cascade does not sweep everything in your environment. It connects through approved API integrations to the specific sources you authorize, whether that is ADP, Workday, SharePoint, Confluence, or others, and synchronizes on a defined schedule.
Full visibility for the teams who need to account for it.
CIOs and security teams need more than a certification badge. They need to know that Cascade produces a complete record of how it operates, that access is least-privilege by design, and that the organization can demonstrate compliance when it matters. The architecture described on this page is built to deliver exactly that.
Most organizations deploy Cascade in HR first, where the combination of sensitive employee data and high question volume makes the security and accuracy case most immediate. The same architecture that governs a benefits conversation also governs an IT service request, a procurement workflow, or an M&A data room. The certifications, access controls, and audit trails described on this page apply across every use case Cascade supports, because the data at stake is always someone’s most important work. When your organization is ready to expand beyond HR, the security infrastructure scales with it.