Security at Cradle
Cradle is a communication platform trusted by accounting and bookkeeping firms across New Zealand and Australia. We understand that our customers handle sensitive financial data and client relationships — and that their phone system is critical infrastructure. Security is foundational to how we build and operate Cradle.
Infrastructure
Cradle runs on Google Cloud Platform (GCP), which maintains SOC 1, SOC 2, SOC 3, and ISO 27001 certifications. Our infrastructure benefits from Google's world-class physical security, network security, and operational practices.
- Hosting regions: Australia and United States
- Container orchestration: Google Kubernetes Engine (GKE) with hardened node images
- Network protection: Google Cloud Armor web application firewall with OWASP rulesets for XSS and SQL injection prevention
- Private networking: Internal services communicate over private networks with restricted access
Encryption
All data is encrypted in transit and at rest:
- In transit: TLS 1.3 with SHA-256 enforced across all endpoints. You can verify this at SSL Labs.
- At rest: AES-256-GCM encryption via Google Cloud Key Management Service (KMS), applied at full-disk, container, application, and database levels.
- Secrets: API keys are stored as encrypted secrets in GKE. OAuth tokens are encrypted in the database. No secrets are stored in source code.
Authentication
Cradle does not implement custom authentication. All users authenticate via single sign-on (SSO) through their existing Google Workspace or Microsoft 365 account. This means:
- No Cradle-specific passwords to manage or compromise
- Your organisation's MFA and security policies are enforced automatically
- Session anomaly detection triggers re-authentication
- Functional-level access control within the Cradle application
Application Security
We build against the OWASP Top 10 across all web, mobile, and API surfaces:
- Broken access control: Functional-level access control within the application, layered on top of infrastructure and SSO-level controls
- Security misconfiguration: Automated misconfiguration scanning across all services, with security defaults enforced at build time
- Supply chain security: Dependency integrity verification, removal of unused packages, and secure CI/CD deployment gates
- Injection & XSS protection: Parameterised queries, allow-list input validation, Content Security Policy, and escaped user output across all endpoints
- Insecure design: Security threat modelling incorporated into the development lifecycle
AI and Data Privacy
Cradle uses Google Vertex AI (Gemini) for AI-powered features including chat and call transcription. We chose Vertex AI specifically for its enterprise data governance:
- Zero data retention: Customer prompts and responses are not retained by Google. Your data is not used to train or improve Google's AI models.
- No model training on customer data: Google commits to not using Vertex AI customer data for training or fine-tuning models without explicit permission. Cradle has not granted this permission.
- Responsible AI: Vertex AI is built on Google's AI Principles, with safety filtering, bias monitoring, and content policy enforcement applied to all inputs and outputs.
- Enterprise certifications: Vertex AI (Gemini) maintains SOC 1, SOC 2, SOC 3, ISO 27001, ISO 27017, ISO 27018, ISO 27701, and ISO 42001 (AI management system) certifications.
- Data residency: AI processing occurs within Google Cloud's infrastructure under the same data protection agreements as our core platform.
We do not use OpenAI, ChatGPT, or any AI service that retains or trains on customer data.
Data Handling
- No third-party access: Customer data is not shared with, sold to, or accessed by third parties
- Least privilege: Role-based access control at both application and infrastructure levels, following the principle of least privilege
- Call recordings: Governed by our Call Recording Policy and compliant with NZ and Australian telecommunications regulations. Access to call recordings requires explicit permission.
- Data processing: We maintain a comprehensive data processing register documenting all data collectors, processors, purposes, and retention periods
Monitoring and Logging
- Application monitoring: Sentry for error detection, crash reporting, and performance monitoring
- Infrastructure monitoring: Google Security Centre for infrastructure and network threat detection
- Application scanning: Continuous vulnerability scanning of all applications
- Audit logging: Comprehensive logging including timestamps, user/process IDs, event descriptions, and success/failure status. Audit logs retained for 400 days.
- Log integrity: Logs stored in Google Cloud Logging with role-based access controls and immutable storage
Incident Response
Cradle maintains a formal incident response plan with defined severity classifications, escalation paths, and post-incident review processes. Service status is available on our status page.
Compliance
| Standard | Status |
|---|---|
| Xero API Security Assessment | Certified annually since 2021 |
| OWASP Top 10 | Implemented |
| GCP SOC 2 Type II | Inherited from infrastructure provider |
| GCP ISO 27001 | Inherited from infrastructure provider |
| Vertex AI ISO 42001 (AI Management) | Inherited from AI provider |
| NZ Privacy Act 2020 | Compliant |
| Australian Privacy Act 1988 | Compliant |
Sub-processors
We maintain a transparent list of sub-processors that process data on behalf of our customers.
Responsible Disclosure
If you discover a security vulnerability in Cradle, please report it to security@cradle.io. We appreciate responsible disclosure and will action legitimate reports promptly. Please note that we do not operate a paid bug bounty program.
Questions
For security-related questions or to request our detailed security documentation, contact us at security@cradle.io.