Access by design
Fi uses explicit organization, company, project, and capability grants, with default denial when no grant exists.
Shape Technology security and trust
Security information for Shape Technology's use of Fi, powered and operated by Cellect AI.
Our approach
We separate controls that exist today from improvements still underway. Draft policies and plans never become public claims by accident.
Fi uses explicit organization, company, project, and capability grants, with default denial when no grant exists.
Financial, identity, tax, banking, and project data receive handling based on sensitivity and workflow need.
Commercial AI APIs are disclosed. We do not claim zero retention until provider configuration is verified.
Policies, reviews, tests, access records, and recovery results are mapped to the controls they support.
Common questions
Cellect is preparing for an initial SOC 2 Type I examination scoped to Fi and the systems that support its production operation. No report has been issued yet, and Cellect does not represent itself as SOC 2 compliant or certified.
CellectAI Inc is currently owner-operated with no employees or contractors holding production access. Controls are designed for that actual operating model rather than assuming a larger security organization.
Fi runs on Cellect-managed infrastructure in a restricted-access United States office environment. Detailed network and physical-location information is shared only when appropriate during a security review.
The office is protected by keypad access. Production equipment and access credentials are controlled by Cellect's owner, the only person currently authorized for physical or administrative access.
Fi applies organization, company, project, and capability-level authorization. A user without an explicit resource grant cannot view that resource, and administrative routes require elevated authorization.
Fi uses centralized identity through Cellect's identity provider and short-lived application sessions. Administrative access is distinct from ordinary customer access.
Need the evidence?
SOC reports, assessments, detailed policies, and diagrams are shared only after a manual business review.