Security posture

Controls described without overclaiming.

These answers describe the current state of Fi and its supporting operations. Planned work is labeled, and no SOC 2 report or certification is claimed.

SOC 2 Type I readiness is in progress. Current control inventory: 4 implemented, 10 in progress, 1 verifying, and 6 planned.

Compliance

Does Cellect have a SOC 2 report?

Current

Cellect is preparing for an initial SOC 2 Type I examination scoped to Fi and the systems that support its production operation. No report has been issued yet, and Cellect does not represent itself as SOC 2 compliant or certified.

Operations

Who operates Cellect?

Current

CellectAI Inc is currently owner-operated with no employees or contractors holding production access. Controls are designed for that actual operating model rather than assuming a larger security organization.

Has Fi had a confirmed security breach?

Current

Cellect is not aware of any confirmed unauthorized access to Fi customer data. Security events and suspected incidents are tracked under the incident-response process.

Infrastructure

Where is Fi hosted?

Current

Fi runs on Cellect-managed infrastructure in a restricted-access United States office environment. Detailed network and physical-location information is shared only when appropriate during a security review.

How is physical access restricted?

Current

The office is protected by keypad access. Production equipment and access credentials are controlled by Cellect's owner, the only person currently authorized for physical or administrative access.

Does Cellect back up customer data?

In progress

Fi database backups are encrypted and restore-tested. Cellect is adding a separately located encrypted copy before selecting the SOC 2 Type I examination date.

Access control

How is customer access separated?

Current

Fi applies organization, company, project, and capability-level authorization. A user without an explicit resource grant cannot view that resource, and administrative routes require elevated authorization.

How are users authenticated?

Current

Fi uses centralized identity through Cellect's identity provider and short-lived application sessions. Administrative access is distinct from ordinary customer access.

Data protection

Is data encrypted in transit?

Current

Public Fi and trust-center traffic is encrypted with HTTPS. Internal service paths are being inventoried as part of SOC 2 readiness, so Cellect does not yet claim universal transport encryption between every internal component.

Is data encrypted at rest?

In progress

Cellect encrypts backups and uses application-level encryption for selected high-risk fields. A complete storage-encryption inventory is in progress; detailed claims are withheld until that verification is complete.

AI and data

Is customer data used to train AI models?

Current

Cellect uses commercial API services from Anthropic, Google, and OpenAI. Their standard commercial terms do not use API inputs and outputs for general model training unless a customer opts in. Cellect has not yet verified zero-data-retention status and therefore does not claim ZDR; limited provider safety or abuse-monitoring retention may apply.

Application security

How can a vulnerability be reported?

Current

Researchers and customers can report suspected vulnerabilities privately to security@cellect.ai. Cellect requests good-faith testing that avoids privacy violations, service disruption, and access to data belonging to others.

How are changes to Fi controlled?

In progress

Fi changes are version-controlled and subject to automated type, lint, and test checks. Cellect is formalizing production change records and deployment approvals for its owner-operated model before the Type I examination date.

Has Fi completed an independent penetration test?

Current

An independent Fi penetration test is planned as part of the readiness program. No completed test report is currently available.

Control inventory

ControlSOC 2 criteriaStatusCadenceEvidence expected
GOV-01Owner security oversightCC1, CC2ImplementedQuarterlyQuarterly security review; Risk register
GOV-02Policy approval and reviewCC1, CC2In progressAt least annuallyPolicy manifest; Approved policy snapshots
RISK-01Security risk assessmentCC3, CC4, CC9PlannedAt least annuallyRisk register; Risk treatment decisions
ASSET-01System and device inventoryCC2, CC5In progressQuarterlyAsset inventory; Administrative endpoint inventory
ACCESS-01Customer authorizationCC6ImplementedContinuousAuthorization tests; Membership and grant records
ACCESS-02Privileged access restrictionCC6PlannedQuarterly reviewPrivileged account register; Bastion and SSH logs
ACCESS-03Multi-factor authenticationCC6VerifyingContinuousIdentity-provider enforcement screenshots; Authentication configuration
ENDPOINT-01Administrative endpoint hardeningCC6, CC7PlannedContinuousFileVault and BitLocker evidence; Patch and endpoint-protection status
CHANGE-01Version-controlled application changesCC8ImplementedPer changeGit history; Test and build output
CHANGE-02Production deployment recordCC8In progressPer deploymentDeployment logs; Release record
VULN-01Dependency and secret scanningCC7, CC8In progressPer change / weeklyDependency scan; Secret scan; Remediation tickets
VULN-02Independent application assessmentCC4, CC7PlannedAt least annuallyPenetration-test report; Retest evidence
LOG-01Security-relevant logging and reviewCC4, CC7In progressContinuous / weekly reviewApplication logs; Administrative access logs; Review record
IR-01Incident identification and responseCC7In progressPer event / annual exerciseIncident register; Tabletop record
BC-01Encrypted backup and restore testingCC7, CC9In progressScheduled backup / quarterly restoreBackup logs; Restore-test record
BC-02Off-site backup copyCC7, CC9PlannedDailyCloud replication logs; Off-site restore test
VENDOR-01Vendor inventory and security reviewCC3, CC9In progressOn onboarding / annuallyVendor register; Provider assurance documents
DATA-01Data classification and retentionCC2, CC6PlannedContinuous / annual reviewData inventory; Retention schedule; Deletion records
CRYPTO-01Encryption and key managementCC6In progressContinuous / annual key reviewTLS scan; Storage encryption inventory; Key rotation record
PHYS-01Physical access restrictionCC6ImplementedContinuous / quarterly reviewAuthorized access record; Physical security inspection
AI-01AI provider and retention governanceCC2, CC3, CC9In progressOn change / annuallyModel route inventory; Provider terms; Retention configuration