Executive Summary
Cradle provides a secure protein engineering platform that combines advanced machine learning capabilities with enterprise-grade security controls. As a company working with valuable intellectual property in protein engineering, we understand that security is paramount to our customers' trust and success. Our security program is built on modern cloud security principles, focusing on strong technical controls, data isolation, and continuous security monitoring.
Our platform runs on Google Cloud's enterprise infrastructure in European data centers, with comprehensive security controls spanning infrastructure, application security, access management, and data protection. All customer data is encrypted, isolated, and backed up securely. We enforce strict access controls through multi-factor authentication, maintain comprehensive audit logs, and employ continuous security monitoring with automated threat detection. Our development practices incorporate security at every stage, from code review to deployment, ensuring the platform's integrity and reliability.
Cradle's security and privacy SOPs, practices, and posture comply with industry best practices and leading standards including SOC 2 Type 2 and NIST. As we continue to advance protein engineering through machine learning, we remain dedicated to protecting our customers' data with the highest security standards.
Our Commitment
At Cradle, we treat security as a company-wide mandate and core engineering challenge, implementing enterprise-grade protection for our customer’s valuable sequence and protein engineering data through robust technical controls, encryption, and access management. We believe true security comes from sound engineering principles - which is why we've built security into our platform's foundation through infrastructure-as-code, continuous security testing, and strict isolation of customer data and machine learning models. Our experienced team of engineers from companies like Google, Databricks, McKinsey, and Uber brings deep expertise in building secure systems, allowing us to take a thoughtful, engineering-driven approach to protecting our customer’s intellectual property.
Product Security
Authentication & Access Control
The Cradle platform has built-in features to allow customers to interact with Cradle securely. We utilize WorkOS to provide seamless Single Sign-On (SSO) capabilities, allowing workspace administrators to easily set up SAML or OpenID Connect (OIDC) integrations with their existing Identity Providers.
For customers who choose not to integrate their own Identity Provider, we enforce mandatory Multi-Factor Authentication (MFA) for all user accounts to prevent credential-based attacks. We also support modern, phishing-resistant authentication methods, including Passkeys, ensuring a high standard of security regardless of the authentication method chosen.
Role-Based Access Management
Platform administrators have granular control over user access through role-based access control (RBAC). Within each customer workspace, administrators can manage team member access and permissions, ensuring users have appropriate access levels for their responsibilities.
Data Encryption
All data within the Cradle platform is encrypted using industry-standard protocols. Data at rest is protected using AES-256 encryption in Google Cloud Storage and databases. All data in transit is secured using TLS 1.2 or higher, ensuring secure communication between a customer’s browser and the Cradle platform. Customer workspaces are logically isolated to ensure each customer’s data and results remain private and separated from other customers.
Compliance & Certifications
Trust and transparency are fundamental to our relationship with customers. We are actively investing in formal security certifications and compliance programs.
SOC 2
Cradle is SOC 2 Type II certified, validating our security, availability, and confidentiality controls. Our SOC 2 compliance status and controls can be viewed in our public Trust Center.
Data Privacy & GDPR
As a data processor operating in the EU, to the extent we process personal data from our customers under the GDPR, the terms of our Data Processing Addendum (“DPA”) apply. All customer data is stored in Google Cloud data centers located in the EU. We maintain documented procedures for data protection, including data minimization, secure deletion, and breach notification protocols.
Automated Compliance Monitoring
We use Vanta's security and compliance automation platform to continuously monitor our security controls and maintain compliance. This automated approach helps us identify and address potential security gaps in real-time rather than relying solely on periodic assessments.
Production Security
Cradle implements comprehensive security controls across our production environment to protect customer data and ensure platform integrity. Our security strategy encompasses infrastructure, development, access management, data protection, and ongoing security operations.
Infrastructure Security and Engineering
Cradle's production infrastructure is built on Google Cloud Platform, leveraging its enterprise-grade security features and compliance certifications. Our production environment operates in isolated Google Cloud projects separate from development, with distinct security boundaries and firewall rules preventing cross-environment access. All external traffic is routed through Google Cloud Load Balancers to a Traefik reverse proxy deployment, with firewalls and Intrusion Detection/Prevention Systems (IDS/IPS) monitoring and protecting ingress and egress traffic.
Our entire infrastructure is defined and managed as code through Terraform, ensuring consistent security configurations and requiring peer review for all code and infrastructure changes. No manual modifications are permitted in production - all deployments occur through our CI/CD pipeline, which includes automated vulnerability scanning of container images, dependencies, and infrastructure configurations. Jobs run with dedicated service accounts following the principle of least privilege, with permissions tightly scoped to required resources. Most workloads use Google Workload Identity Federation for managing authentication, eliminating the need for long-lived service account keys.
Development and production environments run in separate logical clusters on different virtual networks. Engineers require explicit code changes and multi-factor authentication to gain temporary access to production systems, with all access logged immutably for audit purposes. Our infrastructure leverages Google Cloud's secure-by-default features including encryption at rest, secure boot, and automated security patching, providing multiple layers of protection for customer data and platform operations.
Software Development Life Cycle
Cradle maintains a secure development lifecycle that combines strict coding standards with comprehensive security controls. All code running in production on customer data is version controlled, requiring peer review and explicit discussion of security impacts before changes can be merged. These strict controls are enforced throughout the Cradle platform including frontend, backend and machine learning codebases. Our development process enforces automated linting and code quality checks, ensuring consistent standards across our codebase.
Our testing framework operates at multiple levels, with unit tests, integration tests, and end-to-end tests running automatically in our continuous integration pipeline. The CI/CD process includes security scanning for vulnerabilities in code and dependencies, container image scanning, and infrastructure security validation. Only builds that pass all security checks and tests can be deployed to production, ensuring consistent security standards across all deployments.
Major changes to our machine learning algorithms undergo additional validation through extensive benchmarking against public protein databases and Cradle's internal validation datasets. This process verifies that algorithmic improvements maintain model quality while preserving security and data isolation between customers. All results are documented and reviewed before deployment to production, maintaining the high standards our customers expect for both security and performance.
Identity and Access Management
Cradle enforces the principle of least privilege throughout our production environment. By default, no employee—including members of our DevOps team—has standing administrative access to production systems or customer data. Access is granted temporarily and only when explicitly needed, such as for debugging machine learning workflows, investigating customer issues, or supporting R&D collaborations with customers. All access requests require a formal process, and in the case of production access, changes must be made to our infrastructure-as-code and undergo standard review procedures. Access grants are typically limited to the timespan required to complete specific tasks. DevOps engineers also must request temporary, elevated privileges through Google’s Privileged Access Manager (PAM) to conduct specific tasks.
Every such request is documented and fully audited to maintain a clear trail of activity. Furthermore, these requests require review and approval by a second person from the DevOps team before permissions are granted. To further reduce our attack surface, all super admin accounts have been decommissioned, with the exception of two breakglass accounts reserved strictly for emergency recovery scenarios.
Authentication and authorization for all Cradle employees is centralized through Google's Identity Provider, with mandatory multi-factor authentication enforced using phishing-resistant hardware or software security keys. This ensures consistent access control across our entire toolchain and production infrastructure. Higher privilege requests for any system require formal documentation and approval, maintaining a clear audit trail of access grants and their purposes. The use of Google's Identity Platform for authentication ensures that our access controls are built on enterprise-grade security infrastructure while maintaining detailed logs of all authentication and authorization decisions.
Data Protection
All customer data in the Cradle platform is encrypted using AES-256 at rest through Google Cloud's default encryption and in transit using TLS 1.2 or higher. Customer data is stored in Google Cloud data centers in the Netherlands (europe-west4 region) and replicated across the EU region for redundancy. Our platform maintains data isolation between customers, with access controls enforced at both the application and infrastructure levels to prevent any cross-contamination of data or machine learning models.
Backup and Disaster Recovery
Our disaster recovery strategy leverages infrastructure-as-code practices, enabling rapid restoration of our platform when combined with our backup policies. We pursue a pull-based backup approach, where data is replicated to a dedicated Google Cloud organization that is completely isolated from our main production environment. This structure ensures that backups are air-gapped and tamper-proof, preventing an attacker from compromising our backups even if they gain access to the main organization.
We perform regular backups of all critical stateful data, including Google Cloud Storage buckets, BigQuery datasets, CloudSQL databases, and Artifact Registries. This robust strategy is designed to meet a Recovery Point Objective (RPO) of 24 hours and a Recovery Time Objective (RTO) of 2 weeks. To ensure readiness, we conduct automated tests verifying that the backup data is readable and includes recent snapshots.
Security Operations
Cradle maintains comprehensive security monitoring and threat detection across both our production platform and corporate infrastructure. In our production environment, we continuously monitor system health and security events through Grafana and Prometheus, with automated alerting via Slack. Platform availability is independently monitored through Betterstack, maintaining our track record of platform reliability. Our defense-in-depth approach includes Intrusion Detection and Prevention Systems (IDS/IPS) deployed in both production and corporate networks, actively monitoring for and blocking suspicious activities. In our corporate environment, we maintain robust endpoint security through Endpoint Detection and Response (EDR) systems deployed on all machines, providing real-time threat detection and response capabilities.
We follow a documented incident response plan that defines clear severity levels and response procedures. All security events and production access are logged immutably in Google Cloud, providing a complete audit trail. Regular security reviews, continuous vulnerability scanning, and automated patch management ensure our systems remain current with security best practices.
Our disaster recovery strategy leverages infrastructure-as-code practices, enabling rapid restoration of our platform when combined with our backup policies. We conduct yearly tabletop exercises to validate our recovery procedures and maintain team readiness. Our corporate IT infrastructure relies entirely on third-party SaaS solutions without on-premise servers, significantly reducing our vulnerability to physical disasters affecting office locations.
Privacy
Protecting the confidentiality of customer data is fundamental to our business. We understand that our customers' sequence data, experimental results, and protein designs represent valuable intellectual property that requires rigorous protection.
Data Usage and Control
Customer data is used solely to train machine learning models specific to their protein engineering projects. Each customer's data, including sequences, experimental results, and trained models, remains strictly isolated. Cradle never combines or shares data or models between customers. Should the customer choose to end the relationship with Cradle, all customer data will be deleted within 7 days of contract termination.
Machine Learning Model Privacy and Integrity
Protecting the confidentiality of your intellectual property is fundamental to our business, and we treat machine learning models with the same rigorous security standards as your raw user data. Just like your sequences and experimental results, every model trained on your data is stored in a fully isolated environment dedicated to your organization. This isolation is enforced at both the infrastructure and application levels, ensuring that your models are secured within your specific customer tenant. We adhere to a strict policy where models trained on one customer’s data are never used, shared, or deployed outside that customer’s tenant.
For benchmarking purposes, we strictly focus on validating our underlying algorithms rather than sharing models. We utilize specific datasets to rigorously validate that algorithmic improvements are effective and safe before wider deployment. This validation process ensures that changes made to the platform will generally benefit all customers, while also directly improving the performance of the specific models for those customers on which we benchmark. At no point during this process does a model trained on one customer's data leave their isolated environment or get used to aid another organization.
Minimal Data Collection
We collect only the information necessary to provide our service - primarily protein sequences, experimental data, and basic user information required for authentication (email addresses and names). We follow GDPR principles of data minimization and purpose limitation.
Responsible Disclosure Policy
We at Cradle are committed to ensuring the security of our platform and the data of our users. We greatly value the contributions of the security community and welcome reports from ethical hackers and researchers. Although we do not currently offer a bug bounty or financial rewards, we take all reported issues seriously and work diligently to investigate and address them.
How to Report a Vulnerability
If you discover a vulnerability, we encourage you to report it via our dedicated form: Report a Vulnerability
Alternatively, you may contact us directly at security@cradle.bio.
We aim to acknowledge all valid submissions within 24 hours and will keep you informed of our progress as we investigate and address the issue.
Guidelines for Responsible Disclosure
To support a productive and respectful security process, we ask that you:
Do not access or modify data that does not belong to you.
Avoid using automated tools that generate significant traffic or cause disruptions.
Give us a reasonable amount of time to resolve the issue before any public disclosure.
Do not attempt to extort or demand compensation.
Comply with applicable laws.
Our Commitment
We will acknowledge your report within 24 hours.
We will investigate the issue thoroughly and fix it as appropriate.
We will keep you informed throughout the process.
While we do not currently offer rewards, we may acknowledge your contribution publicly (with your permission).
We are exploring a vulnerability rewards program and will update this page if that changes.
Contact Security
For any other security inquiries or concerns, please contact our security team at security@cradle.bio.