Security Posture
LatticeZero is built for pharmaceutical and biotech organizations where compound structures are trade secrets. This page documents our security architecture, data handling practices, and compliance posture.
Data Security
Encryption
- In transit: All traffic encrypted via TLS 1.3. HTTPS enforced on all endpoints - no plaintext HTTP.
- At rest: Server-side files stored on encrypted volumes on DigitalOcean infrastructure (SOC 2 Type II certified).
Data Isolation
- Per-account isolation: Each user's uploaded files, job results, and projects are stored in isolated directories. No cross-tenant data access is possible.
- Authentication-gated: Every API endpoint verifies session authentication and job ownership before granting access.
- No shared state: WebGPU scoring sessions are completely independent - there is no server-side state that could leak between users.
Shield Mode (Zero-Retention)
For maximum IP protection, LatticeZero offers Shield Mode on WebGPU-powered tools (IsoScore, Demo Gallery):
- Molecular structures are parsed by the browser's File API - never uploaded to our servers
- Scoring runs on the user's local GPU (or CPU via SwiftShader fallback) using WebGPU compute shaders
- When the browser tab closes, all data is gone - nothing persists on disk or in the cloud
- Our servers never see your compound structures during WebGPU scoring
What crosses the network during Shield Mode? Only the initial page load (HTML, JavaScript, WGSL shader code) and authentication tokens. Your receptor coordinates, ligand structures, and scoring results stay entirely in your browser's memory.
Server-Side Data Retention
For operations that require server computation (IsoPose docking, Target Prep):
| Mode | Retention | Details |
|---|---|---|
| Standard | 30 days | Job files automatically eligible for cleanup after 30 days |
| Zero-Trace | 1 hour | Automatic purge of all job data after 1 hour |
| Manual deletion | Immediate | Users can delete any job and its files at any time |
When a job is deleted, the server removes input files, output files, and job metadata from the database.
Authentication & Access Control
Current
- Password-based authentication with secure session management (server-side sessions, HTTP-only cookies)
- CSRF protection on all form submissions and state-changing API calls
- Admin and user role separation - administrative functions are isolated behind a separate access layer
- Session tokens with automatic expiry - inactive sessions are terminated automatically
- Input validation - uploaded files are validated for format correctness (PDB/SDF/MOL2) before processing
Planned
- SSO/SAML integration for enterprise single sign-on
- API key authentication for programmatic access with scoped permissions
- Audit logging for compliance-sensitive deployments
Computational Security
Client-Side Scoring (WebGPU)
The majority of LatticeZero's scoring runs entirely in the user's browser:
- IsoScore (rescoring): All computation happens on the client GPU via WebGPU compute shaders
- Demo Gallery: Pre-loaded benchmark targets scored locally - no server round-trip
- No telemetry on compound data: We do not collect, log, or transmit any molecular structure data from client-side operations
Server-Side Docking
When server computation is required (IsoPose, Target Prep, Autotune):
- Jobs run in isolated per-user directories with no cross-job data sharing
- Uploaded files are validated and sanitized before processing
- Results are returned to the user and subject to the retention policy above
What We Don't Do
- We do not mine or analyze your compound structures. Server-side files exist only to run the computation you requested.
- We do not train models on your data. All scoring profiles are developed using public benchmark datasets (DEKOIS2, DUD-E).
- We do not share data with third parties. Your files are never transmitted to external services, analytics platforms, or partner organizations.
Infrastructure
| Component | Details |
|---|---|
| Hosting | DigitalOcean (SOC 2 Type II certified infrastructure) |
| TLS | TLS 1.3, certificates via Let's Encrypt with auto-renewal |
| Application | Python/Flask with Gunicorn behind Nginx reverse proxy |
| Database | SQLite with per-user data isolation |
| Backups | Automated daily backups with encrypted off-site storage |
Compliance
GDPR
- Data access: Users can view all stored data through their account dashboard
- Data export: Full job data export available on request
- Data deletion: Users can delete individual jobs, projects, or their entire account at any time
- Data Processing Agreement (DPA): Template available for enterprise customers upon request
SOC 2 / ISO 27001
LatticeZero is an early-stage platform. We are not currently SOC 2 or ISO 27001 certified. We prioritize transparency - documenting our security architecture honestly rather than making unsubstantiated compliance claims. Infrastructure-level SOC 2 compliance is provided by DigitalOcean.
Privacy
- Privacy Policy available at /privacy
- Terms of Service available at /terms
- No third-party analytics are used on compound data or scoring results
Reproducibility & Integrity
Every scoring run includes provenance metadata for audit and reproducibility:
- SHA256 signatures for input files (receptor, ligands, scoring profile) via the Asset Signature system
- Code version tracking (git SHA) for exact reproducibility
- Replication kits available for all demo benchmarks - download the full input bundle and verify results independently
Responsible Disclosure
If you discover a security vulnerability, please report it to:
security@latticezero.com
We commit to:
- Acknowledging your report within 48 hours
- Investigating and providing a status update within 5 business days
- Not pursuing legal action against good-faith security researchers
- Crediting reporters (with permission) after the issue is resolved
Summary
| If you use... | Your compounds are... |
|---|---|
| IsoScore / Demo Gallery | Never sent to our server - scored entirely in your browser (Shield Mode) |
| IsoPose / Target Prep / Autotune | Uploaded via HTTPS, stored temporarily (30 days or 1 hour in Zero-Trace), deletable on demand |
For questions about data handling or to request a DPA, contact security@latticezero.com.