
Biotech Innovation Can’t Run on Spreadsheets
Kaleidoscope is a biotech R&D project platform designed to help lab and computational teams plan and track scientific work, integrate data, and streamline collaboration. The company focuses primarily on drug discovery in biotechnology, where time, resources, and accurate data are critical to success.
Scientific R&D powers the most important strides in human and planetary health. Yet scientific teams lack purpose-built tools to manage this complex process. Instead, they're forced to painfully cobble together ill-fitting software or swim in a sea of spreadsheets and PowerPoint decks, costing them millions in lost resources and years in lost time.
Kaleidoscope believes that world-class biotechnology science deserves world-class tooling. It is a vision that is fueling rapid company growth with customers now including Vilya Therapeutics (Nobel-winning lab spinout), Gordian Biotechnologies, Wayfinder Biosciences, Forward Therapeutics, and an increasing number of major biotech and pharmaceutical companies.

Kaleidoscope’s biotech R&D platform saves our customers years of time and millions of dollars over a typical drug discovery lifecycle.
- Ahmed Elnaiem, Kaleidoscope CTO and co-founder
Trust is Everything: Building Bulletproof Authorization
Ahmed has been instrumental in architecting the platform from the ground up. His role involves working closely with customers to understand their exact needs—especially how to manage the iterative workflows inherent to scientific research. It was here, early in the company’s journey, that he recognized sophisticated authorization and complex permissioning over highly sensitive data would be essential for industry adoption.
Kaleidoscope's customers required strict control over who could view and modify intellectual property (IP). In biotechnology, experimental results and molecular data can be worth billions of dollars, so even a small misconfiguration could expose valuable compounds or processes.
The information you have, the data, is your IP—that is everything. You could put a series of information in a single row in a spreadsheet, send that to someone, and they'd have a billion-dollar compound.
- Ahmed Elnaiem, Kaleidoscope CTO and co-founder
Many of Kaleidoscope’s customers collaborate with contract research organizations (CROs) and large pharma partners. Each partner needs restricted, role-based access, ensuring they only see information relevant to their tasks. This “data caution,” as Ahmed describes it, demanded an authorization system flexible enough to accommodate highly specific permission rules—while ensuring lightning-fast performance and zero risk of accidental data leaks, especially as new features were continuously added to the platform.
Authorization Isn’t Optional: The Non-Negotiable Capabilities Biotech Demands
Kaleidoscope needed an authorization framework that could:
- Handle complex, ever-evolving permission rules for external partners, internal teams, and different data types and tasks.
- Operate at sub-10 millisecond latency so as not to bottleneck core workflows.
- Remain understandable and explainable to scientists and administrators defining custom access rules for stakeholders.
- Stay decoupled from the main application code to ensure new app functionality did not break existing permissions, while also keeping code easily maintainable.
Because their customers might demand fully-managed cloud services, on-premises or single-tenant deployments, the solution also had to offer flexible options without compromising security or functionality.
Build vs. Buy: Why Kaleidoscope Refused to Waste Time Reinventing Authorization
Ahmed and his team initially considered building a custom authorization service from scratch. However, given the complexity and importance of permissions, they realized this would require significant engineering effort and cost that would be better invested into Kaleidoscope’s core functionality.
Kaleidoscope’s clearly defined requirements quickly led them to Oso. Its Polar programming language offered a declarative way to express authorization logic and policies, performant query generation and execution, and the freedom to deploy via a Docker-based approach, meeting highly regulated customers’ stringent data-protection requirements.
Oso was great for organizing and standardizing our thinking around authorization for both user-to-resource and resource-to-resource relationships, providing maximum flexibility in our implementation.
- Ahmed Elnaiem, Kaleidoscope CTO and co-founder
Authorization at Speed: Why Kaleidoscope’s Engineers Love Decoupled Authorization with Oso
By adopting Oso early, Ahmed’s team could cleanly separate authorization from application logic, dramatically simplifying both their code and their ability to test new permission rules. Instead of embedding complex checks and multiple, heavyweight JOINs into database queries to determine what a user can see, they can instead declare policies separately in Oso.
A key advantage of Oso is Local Authorization, which lets Kaleidoscope’s engineers centralize their authorization logic and roles without having to sync sensitive application data to the authorization service. Instead, Oso generates tailored queries based on the application’s database schema, enabling authorization decisions to be evaluated securely within Kaleidoscope’s environment.

An example of where this approach is highly beneficial, especially for performance, is Oso’s List Filtering with Local Data. It returns a short, targeted query filter instead of a massive list of data, significantly reducing network overhead and response times. The application then uses this filter locally to construct the final list of authorized resources, enabling faster, more secure lookups. By tapping into existing database tools for sorting and pagination, developers maintain their familiar workflows for presenting data. This approach scales smoothly for data-heavy users, delivering better performance and a more responsive user experience.
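The list-filtering pattern described above, as an added example that is not Oso's or Kaleidoscope's code: `authorized_filter` is a hypothetical stand-in for the policy service (it is not Oso's API, and the table names and roles are assumed). It returns a parameterized SQL condition rather than a list of IDs, and the application applies that condition in its own database together with its usual sorting and pagination.

```python
import sqlite3

def build_db():
    """Constructed sample data: a CRO user holds a role on only one of two projects."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE experiments (id INTEGER PRIMARY KEY, project_id INTEGER, name TEXT);
        CREATE TABLE project_roles (user_id TEXT, project_id INTEGER, role TEXT);
        INSERT INTO experiments VALUES (1, 10, 'assay-A'), (2, 10, 'assay-B'),
                                       (3, 20, 'compound-X'), (4, 10, 'assay-C');
        INSERT INTO project_roles VALUES ('cro_user', 10, 'viewer'),
                                         ('staff_user', 10, 'editor'),
                                         ('staff_user', 20, 'editor');
    """)
    return db

# Assumed policy, kept outside the query code: which roles grant which action.
POLICY = {"read": ("viewer", "editor"), "write": ("editor",)}

def authorized_filter(user_id, action):
    """Hypothetical policy layer: return (SQL condition, bound parameters)."""
    roles = POLICY.get(action, ())
    if not roles:
        return "0 = 1", []  # deny by default: an unknown action matches no rows
    marks = ", ".join("?" for _ in roles)
    cond = ("project_id IN (SELECT project_id FROM project_roles "
            f"WHERE user_id = ? AND role IN ({marks}))")
    return cond, [user_id, *roles]

def list_experiments(db, user_id, action, limit, offset=0):
    """Application side: apply the filter locally, then sort and paginate in SQL."""
    cond, params = authorized_filter(user_id, action)
    # cond comes from the policy layer only; every user-supplied value is bound.
    rows = db.execute(
        f"SELECT name FROM experiments WHERE {cond} ORDER BY name LIMIT ? OFFSET ?",
        [*params, limit, offset])
    return [r[0] for r in rows]

if __name__ == "__main__":
    db = build_db()
    print(list_experiments(db, "cro_user", "read", limit=2))
    print(list_experiments(db, "cro_user", "read", limit=2, offset=2))
```

Because the condition is evaluated by the database, unauthorized rows never leave it, and pagination counts only rows the user may see.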
Kaleidoscope uses Oso in a hybrid configuration: they use Oso Cloud to generate policy-driven queries, and the option to run these policies locally through a Docker-based Oso deployment allows them to satisfy customers needing single-tenant or on-premises solutions.
Currently, Kaleidoscope maintains a small set of high-level permissions alongside more granular rules for external partners. These rules span dozens of policy statements, controlling everything from read/write access to specific data fields to cross-project sharing limits.
A key lesson from adopting Oso was that engineers initially tried to model every single user and resource permutation upfront. This proved impossible. Ahmed’s advice is to start with a single class of user and resource and then iterate from there to capture new use cases. Ahmed highlights how easy it is to iterate on Oso policies:
We just update our policy files, reflect that change in the platform, and test performance right away. We didn’t have to rebuild our entire permission system, changing dozens of libraries and functions in our code, every time requirements changed.
- Ahmed Elnaiem, Kaleidoscope CTO and co-founder
Ahmed also notes the value of Oso’s Authorization Academy, which quickly trains new engineers on the principles of authorization—especially useful in a fast-paced environment where hiring is ongoing and roles can be fluid.
Why Kaleidoscope Can Take On Bigger Customers—Earlier—Thanks to Oso
With Oso, the Kaleidoscope team avoided months of engineering overhead—if not an entire dedicated team—spent building an authorization framework. This has freed them to focus on what matters most: improving customers’ R&D workflows and accelerating their path to new discoveries.
Kaleidoscope’s customers benefit from a robust collaboration environment without risking IP exposure. According to Ahmed, users can define and test permissions far more confidently, enabling complex partnerships with CROs, government agencies and pharma giants.
The upshot: By using Oso, Kaleidoscope has been able to pursue bigger, more regulated customers earlier in its lifecycle than would otherwise have been possible.
- Ahmed Elnaiem, Kaleidoscope CTO and co-founder
Kaleidoscope continues to add new services to its platform and Oso remains integral. Future expansions into areas like clinical trial management or other R&D domains would bring new data protection challenges, making Oso’s flexibility and deployment options all the more important.
Next Steps
Enterprises navigating complex authorization challenges can learn from Kaleidoscope’s experience: a dedicated authorization service like Oso accelerates innovation, ensures security, and adapts as product requirements evolve. By decoupling permissions from core application code, teams can protect their most valuable data and move faster toward new breakthroughs.
Authorization-as-a-service is a relatively new concept in the industry, but it's already solving for the toughest authorization challenges that developers have wrestled with for years. If you’re not sure whether it's the right approach for you, take a look at our authorization as a service primer.
At a glance
- Industry: Biotechnology
- Use Case: R&D Project Platform
- Region: Global
Challenge
- High Stakes of Data Exposure: Even small misconfigurations could risk exposing billion-dollar IP.
- Evolving Permission Needs: Kaleidoscope required an authorization framework flexible enough to adapt quickly as customer needs evolved across dozens of policy statements, controlling everything from read/write access against specific data fields to cross-project sharing limits.
- Developer Overhead: Building and maintaining a custom authorization system would have diverted significant engineering resources away from core product development.
Solution
- Simplified Permission Management: Oso's authorization service streamlines management of complex, granular permissions. Decoupling authorization logic from their application code significantly simplifies development, debugging, and long-term maintenance.
- Centralized Logic, Not Data: Using Local Authorization, Kaleidoscope’s engineers maintain centralized permission policies in Oso without having to sync sensitive application data to the cloud.
- Flexible Deployment: Oso's Docker-based deployment option meets stringent single-tenant and on-premises customer requirements, alongside leveraging Oso Cloud for fast query generation.
Results
- Major Engineering Savings: Avoided months of engineering overhead and ongoing maintenance, equivalent to at least one full-time engineer, allowing valuable resources to focus on core product innovation.
- Accelerated Market Penetration: Secured larger, highly regulated customers in enterprise and healthcare sectors earlier in the company’s growth.
- Ship Faster, Ship Safer: Developers can confidently deploy new features without the risk of breaking permissions. Clear, centralized policies simplify code management, testing, and debugging.