Do you store my Google password?

Never. Cedric uses Google OAuth 2.0 exclusively. We never see, request, or store your Google password.

What Google data can Cedric access?

Only your Google Business Profile reviews. We cannot access your Gmail, Google Drive, contacts, ads, or any other Google service.

Yes, instantly. Visit your Google Account settings, go to Third-party access, and remove Cedric. Access is revoked immediately.

What happens to my data if I cancel?

Your data is deleted from our systems. We follow a clear data retention and deletion policy. No data is kept after service termination. Your review data is never sold, shared, or used to train external models.

Where is my data stored?

Cedric runs on Vercel’s Edge Network. Application data is stored in managed PostgreSQL databases with AES-256 encryption. All infrastructure is provisioned in secure, SOC 2-compliant data centres.

Is my data used to train AI?

No. Your review data is never used to train external AI models. It is used solely to generate responses and analytics within your Cedric account.

Do you have SOC 2 certification?

Not yet. We are evaluating SOC 2 Type II as part of our 2026–2027 roadmap. Our infrastructure providers — Vercel, Stripe, and Anthropic — all maintain SOC 2 Type II compliance.

Can you complete a security questionnaire?

Yes. Contact security@trycedric.com and we’ll work through your requirements.

What happens during an outage?

Cedric is deployed on Vercel with automatic failover. Database backups run daily with point-in-time recovery. Our status indicator shows real-time system health.

Security

Your data is our priority

Cedric is built with security-first principles at every layer. We never see or store your Google password, request only the minimum permissions needed, and give you full control over your data at all times.

Protect your reputation See how it works

Built on infrastructure you trust

VercelAnthropicStripeGoogle

Security architecture

Built secure from the ground up

Every component of Cedric is designed with enterprise-grade security standards.

OAuth-only authentication

We never see or store your Google password. Authentication is handled entirely through Google’s OAuth 2.0 protocol with encrypted token storage.

Your Google password is never seen or stored
Industry-standard OAuth 2.0 flow
Token encryption at rest
Automatic token refresh

Authentication

Connected

No passwords stored

Minimal permissions

We follow the principle of least privilege. Cedric requests only the specific Google API scopes needed to function — nothing more.

Read reviews only
Publish replies (optional scope)
No access to email, drive, or contacts
No access to financials or ads

Requested scopes

Read reviews

Post replies

Email access

Drive access

Full revocation control

You maintain complete control. Revoke Cedric’s access instantly from your Google account settings, no questions asked.

Instant revocation from Google
No data retained after disconnection
No lock-in or exit penalties
Clear data deletion process

Connection status

Connected to Google

Cedric App

Linked 14 days ago

One click to disconnect

Infrastructure security

Cedric runs on enterprise-grade cloud infrastructure with multiple layers of protection at every level of the stack.

TLS 1.3 encryption in transit
AES-256 encryption at rest
Organisation-scoped data isolation
Regular automated backups

TLS 1.3

Encryption in transit

AES-256

Encryption at rest

Isolation

Organisation-scoped data

Multiple encryption layers protecting your data

Audit trails

Every action in Cedric is logged with a complete audit trail. Know who did what, and when — with exportable reports.

Full reply approval history
Login and access logs
Configuration change tracking
Exportable audit reports

Activity log

Reply posted to Google

2 min ago

Draft approved by Sarah M.

5 min ago

Review flagged for review

12 min ago

New 3-star review received

18 min ago

Access controls

Granular role-based access ensures your team only sees and does what they’re supposed to. Lock down by role and location.

Role-based permissions
Per-location access controls
Approval chain workflows
Admin-only configuration

Role hierarchy

OwnerFull access

AdminManage team & settings

MemberDraft & approve replies

ViewerRead-only access

Responsible AI

AI that protects your reputation, by design

Cedric publishes content on behalf of your business. We take that responsibility seriously. Every response passes through multiple safety layers before it ever reaches your customers.

Guardrails by default

Every AI-generated response passes through safety checks before reaching your approval queue. Sensitive content, potential legal risks, and off-brand language are flagged automatically.

Approval-first architecture

No AI response is published without explicit human approval — unless you enable Autopilot with your custom rules. You are always the final decision-maker.

Your data stays yours

Review data is used solely to generate responses and analytics for your account. It is never used to train external AI models, never shared with third parties, and never sold.

No hallucinated promises

Cedric’s AI is specifically instructed never to make discount offers, admit legal liability, or make commitments on your behalf unless you configure it to do so.

Powered by Anthropic’s Claude

Cedric uses Claude Sonnet 4 — built by Anthropic with safety, helpfulness, and honesty as core design principles.

Safety pipeline

✓

Review received

✓

Sentiment analysisNegative — service

✓

Brand voice matchingProfessional, warm

✓

Safety guardrailsNo liability admission

✓

Content quality checkSpecific, not generic

✓

Hallucination preventionNo false promises

Ready for approval — awaiting your review

Design principles

Security by design, not afterthought

Transparency first

You can see exactly what permissions Cedric has, what data it accesses, and what actions it takes. No hidden behaviour, no surprises.

Approve-first by default

Nothing is published without your explicit approval. Autopilot auto-posts to Google only when enabled and within your defined rules and guardrails.

Zero-trust architecture

Every request is authenticated and authorized. Internal services communicate over encrypted channels with mutual TLS verification.

Data minimisation

We only collect and store what’s necessary to provide the service. Review data is used solely for generating replies and analytics — nothing else.

Our commitment

Your reputation is safe with Cedric

We understand that reputation management requires trust. That's why we've built Cedric to be the most transparent, secure, and controllable platform in the space.

Google passwords stored

Approval control

Instant

Access revocation

Transparency

Every vendor, visible

We believe you should know exactly who handles your data. Here's every service provider in the Cedric stack.

Provider	Purpose	Data handled	Compliance
Vercel	Hosting & edge delivery	Application code, static assets	SOC 2 Type II
Anthropic (Claude)	AI response generation	Review text (processed, not stored)	SOC 2 Type II
PostgreSQL (managed)	Database	All application data (encrypted)	AES-256 at rest
Stripe	Payment processing	Billing & card data (never on our servers)	PCI DSS Level 1
Resend	Transactional email	Email addresses, notification content	SOC 2 Type II
Twilio	SMS delivery	Phone numbers, SMS content	SOC 2 Type II, ISO 27001
Upstash	Rate limiting	Request metadata only	SOC 2 Type II
Google	OAuth & GBP API	Review data, authentication tokens	ISO 27001, SOC 2

Vercel

Hosting & edge delivery

Application code, static assetsSOC 2 Type II

Anthropic (Claude)

AI response generation

Review text (processed, not stored)SOC 2 Type II

PostgreSQL (managed)

Database

All application data (encrypted)AES-256 at rest

Stripe

Payment processing

Billing & card data (never on our servers)PCI DSS Level 1

Resend

Transactional email

Email addresses, notification contentSOC 2 Type II

Twilio

SMS delivery

Phone numbers, SMS contentSOC 2 Type II, ISO 27001

Upstash

Rate limiting

Request metadata onlySOC 2 Type II

Google

OAuth & GBP API

Review data, authentication tokensISO 27001, SOC 2

Last reviewed: March 2026 · Questions? security@trycedric.com

Compliance

Built for Australian privacy standards

Australian Privacy Principles

Cedric is designed in alignment with the Privacy Act 1988 and the 13 Australian Privacy Principles (APPs), including data minimisation, purpose limitation, and individual access rights.

GDPR Alignment

Our data handling practices align with GDPR principles — even though Cedric currently operates primarily in Australia. This positions us for international expansion without architectural changes.

Compliance Roadmap

We are evaluating SOC 2 Type II certification as part of our 2026–2027 roadmap. In the meantime, our infrastructure providers (Vercel, Stripe, Anthropic) all maintain SOC 2 Type II compliance.

Security FAQ

Common security questions

Security questions? Reach us at security@trycedric.com