Security

Security controls and current status

This page lists current controls, work in progress, planned work, and the evidence expected for each control.

SOC 2 Type I readiness is in progress. Current control inventory: 4 implemented, 10 in progress, 1 verifying, and 6 planned.

Compliance

Does Shape Technology have a SOC 2 report?

Current

Cellect is preparing for an initial SOC 2 Type I examination of its product environment and supporting production systems. Fi is currently Cellect's only product and is therefore the product in the present examination scope. No report has been issued, and Cellect does not represent itself as SOC 2 compliant or certified.

Operations

Who operates Shape Technology?

Current

CellectAI Inc is currently owner-operated with no employees or contractors holding production access. Controls are designed for that actual operating model rather than assuming a larger security organization.

Has Shape Technology had a confirmed security breach?

Current

Cellect is not aware of any confirmed unauthorized access to customer data in its product environment. Fi is currently Cellect's only product. Security events and suspected incidents are tracked under the incident-response process.

Infrastructure

Where is Shape Technology hosted?

Current

Cellect's product environment runs on Cellect-managed infrastructure in a restricted-access United States office environment. Fi is currently the only product in that environment. Detailed network and physical-location information is shared only when appropriate during a security review.

How is physical access restricted?

Current

The office is protected by keypad access. Production equipment and access credentials are controlled by Cellect's owner, the only person currently authorized for physical or administrative access.

Does Cellect back up customer data?

In progress

Cellect backs up its current product data. Fi database backups are encrypted and restore-tested. Cellect is adding a separately located encrypted copy before selecting the SOC 2 Type I examination date.

Access control

How is customer access separated?

Current

Cellect's current product, Fi, applies organization, company, project, and capability-level authorization. A user without an explicit resource grant cannot view that resource, and administrative routes require elevated authorization. New products must define and test equivalent access boundaries before handling customer data.

How are users authenticated?

Current

Cellect product access currently uses centralized identity and short-lived application sessions. Fi is the current implementation. Administrative access is distinct from ordinary customer access.

Data protection

Is data encrypted in transit?

Current

Public traffic to Cellect products, including Fi, and the trust center is encrypted with HTTPS. Internal service paths are being inventoried as part of SOC 2 readiness, so Cellect does not yet claim universal transport encryption between every internal component.

Is data encrypted at rest?

In progress

Cellect encrypts backups and uses application-level encryption for selected high-risk fields. A complete storage-encryption inventory is in progress; detailed claims are withheld until that verification is complete.

AI and data

Is customer data used to train AI models?

Current

Cellect uses commercial API services from Anthropic, Google, and OpenAI. Their standard commercial terms do not use API inputs and outputs for general model training unless a customer opts in. Cellect has not yet verified zero-data-retention status and therefore does not claim ZDR; limited provider safety or abuse-monitoring retention may apply.

Application security

How can a vulnerability be reported?

Current

Researchers and customers can report suspected vulnerabilities privately to security@cellect.ai. Cellect requests good-faith testing that avoids privacy violations, service disruption, and access to data belonging to others.

How are changes to Shape Technology controlled?

In progress

Cellect product changes are version-controlled and subject to risk-appropriate automated checks. For Fi, these include type, lint, test, and production-build checks. Cellect is formalizing production change records and deployment approvals for its owner-operated model before the Type I examination date.

Has Shape Technology completed an independent penetration test?

Current

An independent penetration test of Cellect's current product environment, which presently consists of Fi, is planned as part of the readiness program. No completed test report is currently available.

Control inventory

ControlSOC 2 criteriaStatusCadenceEvidence expected
GOV-01Owner security oversightCC1, CC2ImplementedQuarterlyQuarterly security review; Risk register
GOV-02Policy approval and reviewCC1, CC2In progressAt least annuallyPolicy manifest; Approved policy snapshots
RISK-01Security risk assessmentCC3, CC4, CC9PlannedAt least annuallyRisk register; Risk treatment decisions
ASSET-01System and device inventoryCC2, CC5In progressQuarterlyAsset inventory; Administrative endpoint inventory
ACCESS-01Customer authorizationCC6ImplementedContinuousAuthorization tests; Membership and grant records
ACCESS-02Privileged access restrictionCC6PlannedQuarterly reviewPrivileged account register; Bastion and SSH logs
ACCESS-03Multi-factor authenticationCC6VerifyingContinuousIdentity-provider enforcement screenshots; Authentication configuration
ENDPOINT-01Administrative endpoint hardeningCC6, CC7PlannedContinuousFileVault and BitLocker evidence; Patch and endpoint-protection status
CHANGE-01Version-controlled application changesCC8ImplementedPer changeGit history; Test and build output
CHANGE-02Production deployment recordCC8In progressPer deploymentDeployment logs; Release record
VULN-01Dependency and secret scanningCC7, CC8In progressPer change / weeklyDependency scan; Secret scan; Remediation tickets
VULN-02Independent application assessmentCC4, CC7PlannedAt least annuallyPenetration-test report; Retest evidence
LOG-01Security-relevant logging and reviewCC4, CC7In progressContinuous / weekly reviewApplication logs; Administrative access logs; Review record
IR-01Incident identification and responseCC7In progressPer event / annual exerciseIncident register; Tabletop record
BC-01Encrypted backup and restore testingCC7, CC9In progressScheduled backup / quarterly restoreBackup logs; Restore-test record
BC-02Off-site backup copyCC7, CC9PlannedDailyCloud replication logs; Off-site restore test
VENDOR-01Vendor inventory and security reviewCC3, CC9In progressOn onboarding / annuallyVendor register; Provider assurance documents
DATA-01Data classification and retentionCC2, CC6PlannedContinuous / annual reviewData inventory; Retention schedule; Deletion records
CRYPTO-01Encryption and key managementCC6In progressContinuous / annual key reviewTLS scan; Storage encryption inventory; Key rotation record
PHYS-01Physical access restrictionCC6ImplementedContinuous / quarterly reviewAuthorized access record; Physical security inspection
AI-01AI provider and retention governanceCC2, CC3, CC9In progressOn change / annuallyModel route inventory; Provider terms; Retention configuration