Documentation

Docs / Security Posture

Security Posture

LatticeZero is built for pharmaceutical and biotech organizations where compound structures are trade secrets. This page documents our security architecture, data handling practices, and compliance posture.


Data Security

Encryption

  • In transit: All traffic encrypted via TLS 1.3. HTTPS enforced on all endpoints - no plaintext HTTP.
  • At rest: Server-side files stored on encrypted volumes on DigitalOcean infrastructure (SOC 2 Type II certified).

Data Isolation

  • Per-account isolation: Each user's uploaded files, job results, and projects are stored in isolated directories. No cross-tenant data access is possible.
  • Authentication-gated: Every API endpoint verifies session authentication and job ownership before granting access.
  • No shared state: WebGPU scoring sessions are completely independent - there is no server-side state that could leak between users.

Shield Mode (Zero-Retention)

For maximum IP protection, LatticeZero offers Shield Mode on WebGPU-powered tools (IsoScore, Demo Gallery):

  • Molecular structures are parsed by the browser's File API - never uploaded to our servers
  • Scoring runs on the user's local GPU (or CPU via SwiftShader fallback) using WebGPU compute shaders
  • When the browser tab closes, all data is gone - nothing persists on disk or in the cloud
  • Our servers never see your compound structures during WebGPU scoring
NOTE

What crosses the network during Shield Mode? Only the initial page load (HTML, JavaScript, WGSL shader code) and authentication tokens. Your receptor coordinates, ligand structures, and scoring results stay entirely in your browser's memory.

Server-Side Data Retention

For operations that require server computation (IsoPose docking, Target Prep):

Mode Retention Details
Standard 30 days Job files automatically eligible for cleanup after 30 days
Zero-Trace 1 hour Automatic purge of all job data after 1 hour
Manual deletion Immediate Users can delete any job and its files at any time

When a job is deleted, the server removes input files, output files, and job metadata from the database.


Authentication & Access Control

Current

  • Password-based authentication with secure session management (server-side sessions, HTTP-only cookies)
  • CSRF protection on all form submissions and state-changing API calls
  • Admin and user role separation - administrative functions are isolated behind a separate access layer
  • Session tokens with automatic expiry - inactive sessions are terminated automatically
  • Input validation - uploaded files are validated for format correctness (PDB/SDF/MOL2) before processing

Planned

  • SSO/SAML integration for enterprise single sign-on
  • API key authentication for programmatic access with scoped permissions
  • Audit logging for compliance-sensitive deployments

Computational Security

Client-Side Scoring (WebGPU)

The majority of LatticeZero's scoring runs entirely in the user's browser:

  • IsoScore (rescoring): All computation happens on the client GPU via WebGPU compute shaders
  • Demo Gallery: Pre-loaded benchmark targets scored locally - no server round-trip
  • No telemetry on compound data: We do not collect, log, or transmit any molecular structure data from client-side operations

Server-Side Docking

When server computation is required (IsoPose, Target Prep, Autotune):

  • Jobs run in isolated per-user directories with no cross-job data sharing
  • Uploaded files are validated and sanitized before processing
  • Results are returned to the user and subject to the retention policy above

What We Don't Do

  • We do not mine or analyze your compound structures. Server-side files exist only to run the computation you requested.
  • We do not train models on your data. All scoring profiles are developed using public benchmark datasets (DEKOIS2, DUD-E).
  • We do not share data with third parties. Your files are never transmitted to external services, analytics platforms, or partner organizations.

Infrastructure

Component Details
Hosting DigitalOcean (SOC 2 Type II certified infrastructure)
TLS TLS 1.3, certificates via Let's Encrypt with auto-renewal
Application Python/Flask with Gunicorn behind Nginx reverse proxy
Database SQLite with per-user data isolation
Backups Automated daily backups with encrypted off-site storage

Compliance

GDPR

  • Data access: Users can view all stored data through their account dashboard
  • Data export: Full job data export available on request
  • Data deletion: Users can delete individual jobs, projects, or their entire account at any time
  • Data Processing Agreement (DPA): Template available for enterprise customers upon request

SOC 2 / ISO 27001

LatticeZero is an early-stage platform. We are not currently SOC 2 or ISO 27001 certified. We prioritize transparency - documenting our security architecture honestly rather than making unsubstantiated compliance claims. Infrastructure-level SOC 2 compliance is provided by DigitalOcean.

Privacy

  • Privacy Policy available at /privacy
  • Terms of Service available at /terms
  • No third-party analytics are used on compound data or scoring results

Reproducibility & Integrity

Every scoring run includes provenance metadata for audit and reproducibility:

  • SHA256 signatures for input files (receptor, ligands, scoring profile) via the Asset Signature system
  • Code version tracking (git SHA) for exact reproducibility
  • Replication kits available for all demo benchmarks - download the full input bundle and verify results independently

Responsible Disclosure

If you discover a security vulnerability, please report it to:

security@latticezero.com

We commit to:

  • Acknowledging your report within 48 hours
  • Investigating and providing a status update within 5 business days
  • Not pursuing legal action against good-faith security researchers
  • Crediting reporters (with permission) after the issue is resolved

Summary

If you use... Your compounds are...
IsoScore / Demo Gallery Never sent to our server - scored entirely in your browser (Shield Mode)
IsoPose / Target Prep / Autotune Uploaded via HTTPS, stored temporarily (30 days or 1 hour in Zero-Trace), deletable on demand

For questions about data handling or to request a DPA, contact security@latticezero.com.