Security

Cascades is built around controlled execution, auditability, and verifiable artifacts. This page summarizes the major security-facing surfaces—not a formal compliance certification.

Execution controls

Workflows compile to directed graphs validated before enqueue. Locks, retries, and policy hooks constrain how tasks run so automation stays within defined envelopes. Operational modes (queued vs inline) are configured per environment (environment checklist).

Audit trails

Execution logs and structured events record workflow lifecycle activity for operators. Pair these with downstream SIEM or log pipelines where your organization centralizes telemetry.

Proof generation

Runs can bind canonical proof payloads—including immutable workflow-definition hashes anchored at enqueue time—so historical execution remains explainable even when live definitions drift. Verification endpoints expose snapshot vs current-definition drift semantics for auditors (Quickstart, OpenAPI explorer at API Reference).

Transparency log anchoring (optional)

When Rekor-aligned anchoring is enabled in your deployment, proof artifacts may be correlated with transparency-log entries—useful where third-party attestability strengthens your compliance story.

Blockchain anchoring (optional)

Separate “on-chain anchoring” is environment-specific. Configure only when required by governance; it adds latency and custody considerations unrelated to Cascades core execution.

Secrets management

Store database URLs, identity-provider secrets, Redis credentials, and other sensitive values outside source control—in secret managers or locked-down CI variables. Cascades inherits posture from how you configure Postgres, identity, queues, and integrations (Database & Storage, Identity Provider Configuration).

Related

• Workflow Catalog — deterministic composition
• Integrations — external connectors and webhooks
• Company — Enterprise