Compliance
Does Cellect have a SOC 2 report?
CurrentCellect is preparing for an initial SOC 2 Type I examination scoped to Fi and the systems that support its production operation. No report has been issued yet, and Cellect does not represent itself as SOC 2 compliant or certified.
Operations
Who operates Cellect?
CurrentCellectAI Inc is currently owner-operated with no employees or contractors holding production access. Controls are designed for that actual operating model rather than assuming a larger security organization.
Has Fi had a confirmed security breach?
CurrentCellect is not aware of any confirmed unauthorized access to Fi customer data. Security events and suspected incidents are tracked under the incident-response process.
Infrastructure
Where is Fi hosted?
CurrentFi runs on Cellect-managed infrastructure in a restricted-access United States office environment. Detailed network and physical-location information is shared only when appropriate during a security review.
How is physical access restricted?
CurrentThe office is protected by keypad access. Production equipment and access credentials are controlled by Cellect's owner, the only person currently authorized for physical or administrative access.
Does Cellect back up customer data?
In progressFi database backups are encrypted and restore-tested. Cellect is adding a separately located encrypted copy before selecting the SOC 2 Type I examination date.
Access control
How is customer access separated?
CurrentFi applies organization, company, project, and capability-level authorization. A user without an explicit resource grant cannot view that resource, and administrative routes require elevated authorization.
How are users authenticated?
CurrentFi uses centralized identity through Cellect's identity provider and short-lived application sessions. Administrative access is distinct from ordinary customer access.
Data protection
Is data encrypted in transit?
CurrentPublic Fi and trust-center traffic is encrypted with HTTPS. Internal service paths are being inventoried as part of SOC 2 readiness, so Cellect does not yet claim universal transport encryption between every internal component.
Is data encrypted at rest?
In progressCellect encrypts backups and uses application-level encryption for selected high-risk fields. A complete storage-encryption inventory is in progress; detailed claims are withheld until that verification is complete.
AI and data
Is customer data used to train AI models?
CurrentCellect uses commercial API services from Anthropic, Google, and OpenAI. Their standard commercial terms do not use API inputs and outputs for general model training unless a customer opts in. Cellect has not yet verified zero-data-retention status and therefore does not claim ZDR; limited provider safety or abuse-monitoring retention may apply.
Application security
How can a vulnerability be reported?
CurrentResearchers and customers can report suspected vulnerabilities privately to security@cellect.ai. Cellect requests good-faith testing that avoids privacy violations, service disruption, and access to data belonging to others.
How are changes to Fi controlled?
In progressFi changes are version-controlled and subject to automated type, lint, and test checks. Cellect is formalizing production change records and deployment approvals for its owner-operated model before the Type I examination date.
Has Fi completed an independent penetration test?
CurrentAn independent Fi penetration test is planned as part of the readiness program. No completed test report is currently available.
Control inventory
| Control | SOC 2 criteria | Status | Cadence | Evidence expected |
|---|---|---|---|---|
| GOV-01Owner security oversight | CC1, CC2 | Implemented | Quarterly | Quarterly security review; Risk register |
| GOV-02Policy approval and review | CC1, CC2 | In progress | At least annually | Policy manifest; Approved policy snapshots |
| RISK-01Security risk assessment | CC3, CC4, CC9 | Planned | At least annually | Risk register; Risk treatment decisions |
| ASSET-01System and device inventory | CC2, CC5 | In progress | Quarterly | Asset inventory; Administrative endpoint inventory |
| ACCESS-01Customer authorization | CC6 | Implemented | Continuous | Authorization tests; Membership and grant records |
| ACCESS-02Privileged access restriction | CC6 | Planned | Quarterly review | Privileged account register; Bastion and SSH logs |
| ACCESS-03Multi-factor authentication | CC6 | Verifying | Continuous | Identity-provider enforcement screenshots; Authentication configuration |
| ENDPOINT-01Administrative endpoint hardening | CC6, CC7 | Planned | Continuous | FileVault and BitLocker evidence; Patch and endpoint-protection status |
| CHANGE-01Version-controlled application changes | CC8 | Implemented | Per change | Git history; Test and build output |
| CHANGE-02Production deployment record | CC8 | In progress | Per deployment | Deployment logs; Release record |
| VULN-01Dependency and secret scanning | CC7, CC8 | In progress | Per change / weekly | Dependency scan; Secret scan; Remediation tickets |
| VULN-02Independent application assessment | CC4, CC7 | Planned | At least annually | Penetration-test report; Retest evidence |
| LOG-01Security-relevant logging and review | CC4, CC7 | In progress | Continuous / weekly review | Application logs; Administrative access logs; Review record |
| IR-01Incident identification and response | CC7 | In progress | Per event / annual exercise | Incident register; Tabletop record |
| BC-01Encrypted backup and restore testing | CC7, CC9 | In progress | Scheduled backup / quarterly restore | Backup logs; Restore-test record |
| BC-02Off-site backup copy | CC7, CC9 | Planned | Daily | Cloud replication logs; Off-site restore test |
| VENDOR-01Vendor inventory and security review | CC3, CC9 | In progress | On onboarding / annually | Vendor register; Provider assurance documents |
| DATA-01Data classification and retention | CC2, CC6 | Planned | Continuous / annual review | Data inventory; Retention schedule; Deletion records |
| CRYPTO-01Encryption and key management | CC6 | In progress | Continuous / annual key review | TLS scan; Storage encryption inventory; Key rotation record |
| PHYS-01Physical access restriction | CC6 | Implemented | Continuous / quarterly review | Authorized access record; Physical security inspection |
| AI-01AI provider and retention governance | CC2, CC3, CC9 | In progress | On change / annually | Model route inventory; Provider terms; Retention configuration |