Unreleased campaigns, contracts, financials, and client footage flow through Cutvey. Here's how we treat that responsibility.
No passwords to steal, reuse, or leak. Team and client-portal sign-in uses short-lived, single-use email codes — rate-limited and hashed at rest.
Optional TOTP two-factor on every plan, with one-time recovery codes. Owners can also sign out all sessions everywhere with one click.
Seven roles from owner to viewer, with a per-role permission matrix you control. Finance sees money; editors see edits; clients see only what you share.
Significant actions — signatures, payments, permission changes, deletions — are logged with actor and timestamp. E-signatures carry a certificate with signer, time, IP, and document hash.
Full workspace backup export any time, CSV exports throughout, and GDPR-grade account deletion on request. Leaving is easy — which is exactly why you can trust staying.
Encrypted transport (TLS) everywhere, signed webhooks, API keys with rate limiting, upload scanning, and client-link expiry controls. Retention policies and legal hold for teams that need them.
Access to production systems is limited to the small set of people who operate them, and administrative actions inside customer workspaces are logged. Backups run on a schedule and restores are tested. Dependencies are kept current, and changes ship through review — the same discipline we'd demand from any vendor holding our own client work, because Cutvey does hold our own client work: the production company it was built in runs on it.
Found a vulnerability? Email contact@cutvey.com with "security" in the subject line. We read those first, respond quickly, and credit good-faith reports if you'd like the acknowledgment.
Security questionnaires, DPAs, and Enterprise requirements (including SSO/SAML) go through sales — we're happy to walk through specifics with your team.