Key takeaways
- Cake has received its SOC 2 Type 2 with HIPAA/HITECH certification
- The detailed report is available for download in the Cake Trust Center
- Additionally, Cake goes even further to protect its customers' data, including by always deploying in customer VPCs so that no data egresses
- Cake continues to work with many customers in highly regulated environments. We are proud to announce this certification as the latest step in our ongoing commitment to providing production-ready open source AI
Security and reliability are evergreen challenges when working with open source AI in production. Organizations often struggle to implement proper authentication, encryption, and access controls across their complex AI/ML environments.
Cake has successfully completed its SOC 2 Type 2 audit including HIPAA/HITECH, validating our platform's security, availability, processing integrity, confidentiality and privacy controls. This certification confirms that our open source AI infrastructure platform meets rigorous industry standards for protecting customer data.
Beyond the SOC 2 Type 2 requirements, Cake also offers additional safeguards for teams building AI/ML applications. Most importantly, Cake deploys directly into your VPC, ensuring sensitive data never leaves your environment. With encryption in transit and at rest, Kubernetes RBAC, and comprehensive audit logging, Cake provides the secure foundation necessary for enterprise AI workloads.
For organizations in regulated industries such as healthcare, finance, and insurance, and for any businesses handling PII, PHI, or other sensitive information, Cake’s HIPAA/HITECH attestation offers additional assurance that Cake meets compliance requirements, safely unlocking frontier open source AI technologies for those teams.
SOC 2 (Service Organization Control 2) is a framework designed by the American Institute of Certified Public Accountants (AICPA) to evaluate how service organizations manage customer data. For infrastructure platforms such as Cake, SOC 2 certification (technically an attestation) verifies that our systems and controls adequately protect the security, availability, processing integrity, confidentiality and privacy of customer information.
SOC 2 includes two report types: Type 1 assesses the design of security controls at a specific point in time, while Type 2 evaluates both the design and operating effectiveness of these controls over a sustained period (typically 6-12 months). Cake had previously been SOC 2 Type 1 certified and has now achieved SOC 2 Type 2 certification including HIPAA/HITECH, demonstrating that our security architecture is well-designed and consistently functions as intended.
Unlike cloud-based AI providers that require sensitive data to be sent outside your organization, Cake's platform enables you to deploy sophisticated AI capabilities entirely within your own infrastructure. Cake customers have used this in-house approach to create differentiated AI/ML products with enterprise-grade security, reliability, and data privacy.
The Cake platform implements robust, high-level threat mitigations to ensure security and compliance:
- Encryption-in-Transit: All access to data in transit is strongly encrypted.
- Encryption-at-Rest: Critical security data is protected via encryption at rest using cloud Key Management Services (KMS) and Kubernetes secrets.
- RBAC and Principle of Least Privilege: Permissions are tightly scoped to enable only necessary operations, leveraging Kubernetes Role-Based Access Control.
- User Authentication: Access to platform services requires authentication enforced using an Envoy Gateway and Istio Service Mesh via OIDC authentication, supporting Cloud IAM, LDAP, and Active Directory.
- Network Segmentation: Cake is deployed in a dedicated AWS account or GCP project with a new VPC, ensuring deliberate routing to critical organizational resources.
- Audit Logging and Non-repudiation: User activity is tracked via cloud provider logs and service mesh sidecars. Cluster changes are managed through pull requests to a client-controlled IaC repository, with component logging directed to secure cloud logging services.
- Data Integrity: Privileges to modify data are tightly restricted. Default profile namespaces require explicit permissions for data access, and well-protected data warehouses or cloud-managed databases ensure integrity.
- PII/PHI Handling: Designed to facilitate proper handling of PII/PHI, the platform restricts user access to scoped namespaces and supports data sanitization in training while allowing full datasets for production inference. Tools for PII/PHI best practices can be integrated into workflows.
- Code Scanning: Docker images are automatically scanned, and SBOMs are generated for compliance.
- Certification: In addition to our SOC 2 Type 2 certification, we are HIPAA/HITECH certified, simplifying certification processes for customers.
The Cake platform minimizes the risk of unauthorized or accidental changes by requiring appropriate review and testing processes based on the potential impact of changes on production systems. Cake provides audit logs and other vital observability information necessary for effective incident response, non-repudiation, and forensic analysis.
Cake also ensures availability and stability at a level that matches the business criticality of the services provided, maintaining reliable and robust performance.
SOC 2 Type 2 with HIPAA/HITECH certification represents a key component of Cake’s comprehensive approach to protecting customer data and enabling safe, secure solution development using the latest open source AI technologies. We continuously enhance our security framework to address emerging threats and the evolving compliance requirements in the AI landscape.
If you have additional questions regarding security, availability, or confidentiality, we are happy to answer them. Please review the Cake Trust Center or contact us here.