Executive Summary
Cradle provides a secure protein engineering platform that combines advanced machine learning capabilities with enterprise-grade security controls. As a company working with valuable intellectual property in protein engineering, we understand that security is paramount to our customers' trust and success. Our security program is built on modern cloud security principles, focusing on strong technical controls, data isolation, and continuous security monitoring.
Our platform runs on Google Cloud's enterprise infrastructure in European data centers, with comprehensive security controls spanning infrastructure, application security, access management, and data protection. All customer data is encrypted, isolated, and backed up securely. We enforce strict access controls through multi-factor authentication, maintain comprehensive audit logs, and employ continuous security monitoring with automated threat detection. Our development practices incorporate security at every stage, from code review to deployment, ensuring the platform's integrity and reliability.
Cradle's security and privacy SOPs, practices, and posture comply with industry best practices and leading standards including SOC 2 Type II and NIST. As we continue to advance protein engineering through machine learning, we remain dedicated to protecting our customers' data with the highest security standards.
Message from Noé Lutz, Information Security Officer at Cradle
Security and privacy are foundational pillars at Cradle. We understand that our customers entrust us with their valuable R&D assets, which is why we've committed significant resources to building not just an industry-leading protein engineering platform, but one that sets the standard for security in our industry.
My dual role at Cradle encompasses both information security and machine learning engineering, building on my decade-long experience at Google. During my time there, I witnessed firsthand how security practices evolved following major incidents like Aurora in 2009, where Google was breached by a nation-state actor. Most recently, I led Google's EMEA threat analysis teams in protecting against sophisticated cyber threats from both sophisticated criminal organizations and nation-state actors.
This experience has proven invaluable in developing Cradle's security program. What's particularly exciting is how the security landscape has evolved - technologies that were once exclusive to tech giants like Google, such as zero trust architecture, phishing-resistant MFA, and verified software stacks, are now accessible to growing companies like Cradle. This democratization of enterprise-grade security allows us to implement sophisticated protections without requiring hundreds of security engineers.
At Cradle, we implement data security and privacy practices to ensure we align with and exceed common industry standards such as SOC 2 Type II, ISO 27001, GDPR, etc., but we also recognize that compliance alone isn't sufficient. We're continuously investing in strengthening our security posture beyond compliance requirements, ensuring our platform remains worthy of our customers' trust.
Our Commitment
At Cradle, we treat security as a company-wide mandate and core engineering challenge, implementing enterprise-grade protection for our customers' valuable sequence and protein engineering data through robust technical controls, encryption, and access management. We believe true security comes from sound engineering principles - which is why we've built security into our platform's foundation through infrastructure-as-code, continuous security testing, and strict isolation of customer data and machine learning models. Our experienced team of engineers from companies like Google, Databricks, McKinsey, and Uber brings deep expertise in building secure systems, allowing us to take a thoughtful, engineering-driven approach to protecting our customers' intellectual property.
Product Security
The Cradle platform has built-in features to allow customers to interact with Cradle in a secure fashion.
Authentication & Access Control
Our platform supports authenticating users through Google or Microsoft Identity Providers, or users may use their own identity provider for single sign-on (SSO) via OpenID Connect. This integration allows enforcement of existing authentication policies, including multi-factor authentication requirements. User sessions are managed securely through Google's Identity Platform.
Role-Based Access Management
Platform administrators have granular control over user access through role-based access control (RBAC). Within each customer workspace, administrators can manage team member access and permissions, ensuring users have appropriate access levels for their responsibilities.
Data Encryption
All data within the Cradle platform is encrypted using industry-standard protocols. Data at rest is protected using AES-256 encryption in Google Cloud Storage and databases. All data in transit is secured using TLS 1.2 or higher, ensuring secure communication between a customer’s browser and the Cradle platform. Customer workspaces are logically isolated to ensure each customer’s data and results remain private and separated from other customers.
Compliance & Certifications
Trust and transparency are fundamental to our relationship with customers. We are actively investing in formal security certifications and compliance programs.
SOC 2
Cradle is SOC 2 Type II certified, validating our security, availability, and confidentiality controls. Our SOC 2 compliance status and controls can be viewed in our public Trust Center.
Data Privacy & GDPR
As a data processor operating in the EU, we comply with GDPR requirements. All customer data is stored in Google Cloud data centers located in the EU. We maintain documented procedures for data protection, including data minimization, secure deletion, and breach notification protocols.
Automated Compliance Monitoring
We use Vanta's security and compliance automation platform to continuously monitor our security controls and maintain compliance. This automated approach helps us identify and address potential security gaps in real-time rather than relying solely on periodic assessments.
Production Security
Cradle implements comprehensive security controls across our production environment to protect customer data and ensure platform integrity. Our security strategy encompasses infrastructure, development, access management, data protection, and ongoing security operations.
Infrastructure Security and Engineering
Cradle's production infrastructure is built on Google Cloud Platform, leveraging its enterprise-grade security features and compliance certifications. Our production environment operates in isolated Google Cloud projects separate from development, with distinct security boundaries and firewall rules preventing cross-environment access. All external traffic is routed through Google Cloud Load Balancers to a Traefik reverse proxy deployment, with firewalls and Intrusion Detection/Prevention Systems (IDS/IPS) monitoring and protecting ingress and egress traffic.
Our entire infrastructure is defined and managed as code through Terraform, ensuring consistent security configurations and requiring peer review for all changes. No manual modifications are permitted in production - all deployments occur through our CI/CD pipeline, which includes automated vulnerability scanning of container images, dependencies, and infrastructure configurations. Jobs run with dedicated service accounts following the principle of least privilege, with permissions tightly scoped to required resources. Most workloads use Google Workload Identity Federation for managing authentication, eliminating the need for long-lived service account keys.
Development and production environments run in separate logical clusters on different virtual networks. Engineers require explicit code changes and multi-factor authentication to gain temporary access to production systems, with all access logged immutably for audit purposes. Our infrastructure leverages Google Cloud's secure-by-default features including encryption at rest, secure boot, and automated security patching, providing multiple layers of protection for customer data and platform operations.
Software Development Life Cycle
Cradle maintains a secure development lifecycle that combines strict coding standards with comprehensive security controls. All code running in production on customer data is version controlled, requiring peer review and explicit discussion of security impacts before changes can be merged. These strict controls are enforced throughout the Cradle platform including frontend, backend and machine learning codebases. Our development process enforces automated linting and code quality checks, ensuring consistent standards across our codebase.
Our testing framework operates at multiple levels, with unit tests, integration tests, and end-to-end tests running automatically in our continuous integration pipeline. The CI/CD process includes security scanning for vulnerabilities in code and dependencies, container image scanning, and infrastructure security validation. Only builds that pass all security checks and tests can be deployed to production, ensuring consistent security standards across all deployments.
Major changes to our machine learning algorithms undergo additional validation through extensive benchmarking against public protein databases and Cradle's internal validation datasets. This process verifies that algorithmic improvements maintain model quality while preserving security and data isolation between customers. All results are documented and reviewed before deployment to production, maintaining the high standards our customers expect for both security and performance.
Identity and Access Management
Cradle enforces the principle of least privilege throughout our production environment. By default, no employee (with the exception of DevOps) has access to production systems or customer data. Access is granted temporarily and only when explicitly needed, such as for debugging machine learning workflows, investigating customer issues, or supporting R&D collaborations with customers. All access requests require a formal process, and in the case of production access, changes must be made to our infrastructure-as-code and undergo standard review procedures. Access grants are typically limited to the timespan required to complete specific tasks.
Authentication and authorization for all Cradle employees is centralized through Google's Identity Provider, with mandatory multi-factor authentication enforced using phishing-resistant hardware or software security keys. This ensures consistent access control across our entire toolchain and production infrastructure. Higher privilege requests for any system require formal documentation and approval, maintaining a clear audit trail of access grants and their purposes. The use of Google's Identity Platform for authentication ensures that our access controls are built on enterprise-grade security infrastructure while maintaining detailed logs of all authentication and authorization decisions.
Data Protection and Backup
All customer data in the Cradle platform is encrypted using AES-256 at rest through Google Cloud's default encryption and in transit using TLS 1.2 or higher. Customer data is stored in Google Cloud data centers in the Netherlands (europe-west4 region) and replicated across the EU region for redundancy. Our platform maintains data isolation between customers, with access controls enforced at both the application and infrastructure levels to prevent any cross-contamination of data or machine learning models.
Database backups are performed daily and retained for seven days, while blob storage maintains version history with multi-region replication. All backup operations and data access are logged immutably in Google Cloud, providing a complete audit trail of data handling activities. Secrets and infrastructure credentials are managed through Google Cloud's Secret Manager, with most workloads using Google Workload Identity Federation for service account management. Any infrastructure secrets managed through GitOps are encrypted using SOPS and never stored in plaintext.
Security Operations
Cradle maintains comprehensive security monitoring and threat detection across both our production platform and corporate infrastructure. In our production environment, we continuously monitor system health and security events through Grafana and Prometheus, with automated alerting via Slack. Platform availability is independently monitored through Betterstack, maintaining our track record of platform reliability. Our defense-in-depth approach includes Intrusion Detection and Prevention Systems (IDS/IPS) deployed in both production and corporate networks, actively monitoring for and blocking suspicious activities. In our corporate environment, we maintain robust endpoint security through Endpoint Detection and Response (EDR) systems deployed on all machines, providing real-time threat detection and response capabilities.
We follow a documented incident response plan that defines clear severity levels and response procedures. All security events and production access are logged immutably in Google Cloud, providing a complete audit trail. Regular security reviews, continuous vulnerability scanning, and automated patch management ensure our systems remain current with security best practices.
Our disaster recovery strategy leverages infrastructure-as-code practices, enabling rapid restoration of our platform when combined with our backup policies. We conduct yearly tabletop exercises to validate our recovery procedures and maintain team readiness. Our corporate IT infrastructure relies entirely on third-party SaaS solutions without on-premise servers, significantly reducing our vulnerability to physical disasters affecting office locations.
Privacy
Protecting the confidentiality of customer data is fundamental to our business. We understand that our customers' sequence data, experimental results, and protein designs represent valuable intellectual property that requires rigorous protection.
Data Usage and Control
Customer data is used solely to train machine learning models specific to their protein engineering projects. Each customer's data, including sequences, experimental results, and trained models, remains strictly isolated. Cradle never combines or shares data or models between customers. Should the customer choose to end the relationship with Cradle, all customer data will be deleted within 7 days of contract termination.
Machine Learning Model Integrity
When customers opt in to benchmarking, Cradle may use their datasets to validate new algorithmic approaches. However, these benchmarks are used only to measure model performance - the insights gained are used to improve our general machine learning architecture without exposing any specific customer data. Customer models and results always remain siloed for their exclusive use.
Minimal Data Collection
We collect only the information necessary to provide our service - primarily protein sequences, experimental data, and basic user information required for authentication (email addresses and names). We follow GDPR principles of data minimization and purpose limitation.
Security Page & Whitepaper
Learn more about our progress on certification and how we are committed to delivering a bank-grade level of security on the following security page: https://trust.cradle.bio/
Contact Security
Cradle takes security seriously and welcomes engagement from our customers and security researchers. To report potential vulnerabilities, please share any findings via our form. For any other security inquiries or concerns, please contact our security team at security@cradle.bio.