Home/Trust

Trust

Security

Last updated: April 19, 2026

Security is foundational for a platform that handles R&D data. This page summarizes the controls we rely on today and the programs we are building toward.

Authentication and access

  • Authentication is handled by Clerk, a SOC 2 Type II certified identity provider, with support for password + email magic-links, MFA, SSO (on Enterprise), and organization-scoped access.
  • Every API request is scoped to an authenticated principal and a role; row-level authorization is enforced server-side.
  • Sessions are rotated regularly; API keys are per-organization and individually revocable from the dashboard.

Data protection

  • All traffic is encrypted in transit via TLS 1.2+ (HTTPS-only; HSTS enabled).
  • Customer data is stored in a managed PostgreSQL database (DigitalOcean) with encryption at rest and automated daily backups retained for 7 days.
  • Large artifacts are stored in S3-compatible object storage (DigitalOcean Spaces) with server-side encryption.
  • Secrets are held in environment variables managed by the hosting platform; never checked into source control.

Application security

  • Input validation and response schema enforcement via Pydantic on the backend and strict TypeScript on the frontend.
  • Dependency vulnerabilities are tracked with npm audit and pip-audit; critical advisories are patched within 72 hours.
  • Least-privilege database roles for the application runtime.
  • Proxy-level rate limiting is enforced; burst traffic is back-pressured.

Operational security

  • CI runs type-checks, lints, and tests on every pull request before deployment.
  • Production deploys are reviewed; infrastructure changes are code reviewed.
  • Activity in the production database and cloud console is logged centrally.

Incident response

We follow a standard process for security incidents: detect, contain, eradicate, recover, and post-mortem. If an incident materially affects customer data, we will notify affected customers within 72 hours.

Responsible disclosure

We welcome good-faith security research. If you believe you have found a vulnerability, please email security@latticelabs.com with details and reproduction steps. We commit to:

  • Acknowledge your report within 3 business days.
  • Provide a triage update within 7 business days.
  • Credit you publicly (with your permission) once the issue is resolved.

Do not perform testing that degrades service for other users, accesses data that is not your own, or violates applicable law.

On our roadmap

  • SOC 2 Type II attestation (in progress).
  • Customer-managed encryption keys (BYOK) for Enterprise.
  • Regional data residency options.

Contact

Security questions or DD requests: security@latticelabs.com