SOC 2 report

At Cradle, security is our absolute highest priority.

Written by Support
Updated over a week ago

In the spirit of openness and transparency, here are some of the security measures we take to protect and defend the Cradle platform.

SOC 2 Type 2 Compliant

To prove our high commitment to strong security, availability and privacy, we have gone through SOC 2 Type 2 certification with the help of Drata and Prescient Assurance.

If you would like to see our SOC 2 Type 2 reporting, please reach out to [email protected].

Continuous Security Control Monitoring

Cradle Inc. uses Drata’s automation platform to continuously monitor 100+ internal security controls across the organization against the highest possible standards.

To see Cradle's latest Security & Compliance Report refer here.

Automated alerts and evidence collection allow Cradle Inc. to confidently prove its security and compliance posture on any day of the year, while fostering a security-first mindset and a culture of compliance across the organization.

We protect your data

All data is written to multiple disks instantly, backed up daily, and stored in multiple locations. Files that our customers upload are stored on servers that use modern techniques to remove bottlenecks and points of failure.

Your users’ data never leaves our servers

We distinguish between data about your users and data about you, yourself. While, for example, your billing information is shared with Stripe, and your profile is accessible to us in our help desk software, data about your users is never shared with any external providers and never leaves our server cluster hosted on the Amazon Web Services platform.

Encrypting data in transit

Whenever your data is in transit between you (or your users) and us, everything is encrypted, and sent using HTTPS.

During a user agent’s (typically a web browser) first visit to the site, Cradle sends an HTTP Strict Transport Security (HSTS) header that instructs the user agent to make all future requests over HTTPS, even if a link to Cradle is specified as HTTP. Additionally, we use HSTS preload, which guarantees that requests are never – not even the very first – made over a non-encrypted connection. Cookies are also set with the Secure flag.
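As an added illustration (not Cradle's own code), here is a check a defender can run against a captured response to confirm that the HSTS header meets the published requirements of the HSTS preload list (a max-age of at least one year, includeSubDomains and preload) and that every cookie carries the Secure flag. The sample responses are constructed, not captured from Cradle's servers.

```python
from typing import Dict, List, Union

# Minimum max-age the HSTS preload list requires: one year, in seconds.
PRELOAD_MIN_MAX_AGE = 31536000

# Constructed sample responses, not captured from any real server.
GOOD_RESPONSE = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Set-Cookie": ["session=abc123; Secure; HttpOnly; SameSite=Lax"],
}
WEAK_RESPONSE = {
    "Strict-Transport-Security": "max-age=300",
    "Set-Cookie": ["session=abc123; HttpOnly", "theme=dark; Secure; Path=/"],
}


def parse_hsts(value: str) -> Dict[str, str]:
    """Split an HSTS header into lower-cased directive names and their values."""
    directives: Dict[str, str] = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def audit_headers(headers: Dict[str, Union[str, List[str]]]) -> List[str]:
    """Return a list of findings; an empty list means the response passes."""
    findings: List[str] = []
    hsts = headers.get("Strict-Transport-Security")
    if not hsts:
        findings.append("no Strict-Transport-Security header")
    else:
        d = parse_hsts(str(hsts))
        try:
            max_age = int(d.get("max-age", "-1"))
        except ValueError:
            max_age = -1  # missing or malformed max-age is treated as failing
        if max_age < PRELOAD_MIN_MAX_AGE:
            findings.append(f"max-age {max_age} is below the preload minimum {PRELOAD_MIN_MAX_AGE}")
        if "includesubdomains" not in d:
            findings.append("includeSubDomains directive missing")
        if "preload" not in d:
            findings.append("preload directive missing")
    cookies = headers.get("Set-Cookie", [])
    if isinstance(cookies, str):
        cookies = [cookies]
    for cookie in cookies:
        attrs = [a.strip().lower() for a in cookie.split(";")]
        name = attrs[0].split("=", 1)[0]  # first element is name=value
        if "secure" not in attrs[1:]:
            findings.append(f"cookie '{name}' lacks the Secure flag")
    return findings
```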

Encrypting data at rest

Any files which you upload to us are stored and are encrypted at rest.

Flows/tour content, user attributes and events (all stored in AWS) aren’t encrypted at rest, because they are live in our database. Our backups of your data are encrypted.

Hosted on Amazon Web Services

Cradle is hosted on Amazon Web Services (AWS). Our database is managed by AWS, ensuring redundancy, high availability and trustworthy automated, encrypted backups.

AWS is certified for a growing number of compliance standards and controls, and undergoes several independent third-party audits to test for data safety, privacy, and security. Read more about the specific certifications on the AWS Compliance Programs page.

Concurrency and rate limiting

We employ several layers of protection against abuse and DoS attacks, such as concurrency limiting (which caps the number of active requests) and rate limiting (which caps the number of requests over time). Our servers gracefully queue requests when under high load and handle them at a safe pace.

Organizational practices

  • We operate under the principle of least privilege: Employees are assigned the lowest level of access that allows them to do their work.

  • Two-factor authentication is enforced in all sensitive systems.

  • All employees are required to use approved password managers to generate and store strong passwords that are never reused.

  • All employees are required to encrypt local hard drives and enable screen locking for device security.

  • All access to application admin functionalities is restricted to a small subset of Cradle staff.

  • We never store customer data on personal devices (like laptops).

Development practices

  • All code changes are thoroughly tested through our Continuous Integration software.

  • All code changes are tested in a staging environment before being deployed to production.

  • We use automatic security vulnerability detection tools to alert us when our dependencies have known security issues. We are aggressive about applying patches and deploying quickly.

  • We use several tools and services to automatically monitor uptime and site availability. Key employees receive automatic email and SMS notifications in the case of downtime or emergencies.

  • Logs are permanently deleted after 14 days.

Penetration testing

On top of our development-related continuous testing, we also conduct periodic third-party manual penetration testing of both our application and infrastructure. You can request a copy of our latest report at [email protected].

Regularly-updated infrastructure

Our software infrastructure is updated regularly with the latest security patches. Our products run on a dedicated network which is locked down with firewalls and carefully monitored. While perfect security is a moving target, we work with security researchers to keep up with the state-of-the-art in web security.

We protect your billing information

All credit card transactions are processed via Stripe using secure encryption—the same level of encryption used by leading banks. Card information is transmitted, stored, and processed securely on a PCI-Compliant network.

Have a concern? Need to report an incident?

Have you noticed abuse, misuse, an exploit, or experienced an incident with your account? Send urgent or sensitive reports directly to [email protected]. We’ll get back to you as soon as we can, usually within 24 hours. Please follow up if you don’t hear back.

Keeping customer data safe and secure is a huge responsibility and a top priority. We work hard to protect our customers from the latest threats. Your input and feedback on our security is always appreciated.

Understanding Cradle Inc.'s Management Decision to Pursue SOC 2 Type 2 Over SOC 1 Type 2 Certification

As a leading provider of SaaS lease accounting services, we at Cradle Inc. constantly strive to uphold the highest standards in all aspects of our operations. Recently, queries have arisen regarding our decision not to obtain a SOC 1 Type 2 report. We would like to clarify this management decision and assure our users of our unwavering commitment to security and quality.

SOC 1 Type 2 certifications are more applicable to entities that directly influence their user companies' internal control over financial reporting. By contrast, as a SaaS lease accounting provider, Cradle Inc. has a more indirect relationship with traditional financial reporting processes, which have previously relied upon manual preparation. Our clients maintain control over the data input, making the SOC 1 Type 2 certification less relevant to our operations.

Focused on delivering secure and efficient service, we have instead deemed SOC 2 Type 2 certification to be a more appropriate measure of our operational effectiveness. This certification validates that our organization has adequate controls that ensure the safety, availability, processing integrity, confidentiality, and privacy of customer data.

Processing integrity also covers Cradle's software calculations, which have never been faulted. For example, all our calculations can be tied to the IASB's Illustrative Examples. More on that here. The output of these calculations (debits and credits) is then used as tests in Cradle's software suite, meaning new code pushes can only go live if they tie to the IFRS Illustrative Examples and thousands more tests. This, in essence, is the future of financial reporting processes, where the internal controls are inherent to the software itself.

Highlighting our commitment to software quality and reliability, we operate under a best-practice methodology known as test-driven development (TDD). This practice ensures high-level unit testing at the earliest stages of development, enabling early detection and resolution of issues, thereby resulting in more robust and dependable software. This approach underscores our commitment to the control principles encapsulated in our SOC 2 Type 2 report.

In summary, our decision as management has been to prioritize the best-fit certification, which reflects our commitment to our customers' most pressing needs and concerns and reflects our business.

Should you have further inquiries or require additional information, please do not hesitate to contact our support team. Cradle takes care of everything, even things you may not have considered yet, such as your mandatory lease accounting disclosures, in seconds, as you can see here.
