Security overview

For the buyer who reads the architecture before the marketing.

The Trust Center sets the posture. This page sets the implementation: AuthN flow, encryption substrates, plane separation, scope-enforcement primitives, audit-ledger integrity, and the vendor-questionnaire pipeline. If you're filling in a SIG or CAIQ on our behalf, you should be able to answer most rows from this page alone.

← Trust Center security@celvexgroup.com

Authentication

Verification-link by default. SOC 2 Type II in observation. In observation

The free-scan flow uses a single-use, signed verification link tied to the eTLD+1 of the requester's email — no scan enters the queue until the user clicks the link. Paid customers authenticate via password (argon2id) or verification link, with optional TOTP/WebAuthn at Business tier and above. SAML / OIDC / SCIM provisioning at Enterprise.

Free-tier flowForm submission + Turnstile → verification-link email → click → scan enqueued. Email-on-target-domain rule (or DNS TXT escape hatch at _celvex-authorize.<domain>). 90-day token TTL. See retention.
Password storageargon2id (memory ≥ 64 MiB, parallelism 1, time cost 3). Plaintext never written, never logged, never sent to subprocessors.
Session managementHTTP-only Secure SameSite=Lax session cookie. 14-day idle timeout, 30-day absolute. CSRF token bound per-session for authenticated mutations.
MFATOTP at Business tier; WebAuthn / passkeys at Business tier; mandatory MFA at Enterprise.
SSOSAML 2.0, OIDC. Okta, Azure AD, Google Workspace tested. SCIM 2.0 provisioning at Business+. Enforced SSO available — local password auth disabled per-tenant.
SOC 2Type II in observation with named auditor; report target Q4 2026. Type I bridge letter on request from month 6.

Encryption

TLS in transit. AES-256 at rest. Sigstore for capsules.

Every byte of customer data is encrypted at rest and in transit. Capsules carry a third encryption layer — a per-capsule symmetric key, sealed to the recipient — so even a compromised at-rest store does not expose unsealed PoC payloads. Signing keys move to HSM custody on the SOC 2 Type II target date.

In transitTLS 1.2 minimum, 1.3 preferred. HSTS with preload on celvexgroup.com and all subdomains. Certificate transparency monitored.
At rest (Postgres)AES-256-GCM. Provider-managed envelope keys. Per-row encryption for credentials handed to authenticated scans.
At rest (KV / queue)AES-256. Cloudflare KV: provider-encrypted. Verification-link tokens stored hashed (SHA-256), never as plaintext.
Capsule signingEd25519, anchored in Sigstore (rekor). Per-capsule symmetric key sealed to recipient public key. Verifiable via cosign or celvex verify.
Signing key custodySoftware-isolated today; HSM custody planned alongside SOC 2 Type II. Planned Q4 2026
Key rotationCapsule signing key rotates quarterly (Q1/Q2/Q3/Q4). Previous-quarter key remains valid for verification of historical artifacts.
BackupsEncrypted (AES-256), region-replicated within US, 30-day retention, point-in-time recovery to within 5 minutes. Restore tested quarterly.

Network architecture

Three planes, hard separation.

The edge plane terminates customer traffic and never sees the master data store. The master plane orchestrates scans and never directly executes against customer assets. The data plane runs the actual scan, scoped to a single signed manifest, isolated per scan. See how-it-works for the customer-facing version.

Edge planeCloudflare workers, queues, Turnstile

Public ingress. Terminates TLS at the edge. Bot mitigation, rate limiting, WAF. No customer data at rest beyond verification-link tokens and Turnstile state.

CF Workers (data plane in customer-aligned region)
CF Queues for free-scan ingest
CF Turnstile (no CAPTCHA fallback)
WAF + DDoS by default

Master planeAPI, scheduler, billing

Customer dashboard, account state, scan-schedule orchestration, billing webhooks. Issues per-scan signed scope manifests; never executes scans directly.

Postgres (Fly.io US regions)
Redis (session, queue, rate limit)
API behind Cloudflare
Scope-manifest signer (Ed25519)

Data planeScan executors, capsule build

Per-scan ephemeral compute. Loads exactly one signed scope manifest, executes inside the safe-execution envelope, builds & signs the Proof Capsule, exits. State is purged on completion.

Modal burst compute (US)
One scope manifest per executor
OPA-policed network egress
Sigstore log on capsule sign

Customer data flows: edge → master (encrypted, authenticated). Master → data plane (signed manifest, no shared credentials). Data plane → master (signed result + Sigstore receipt). No path skips a layer.

Scope enforcement

Per-scan Ed25519-signed manifest. OPA-policed egress. Destructive-action classifier.

The single most important invariant in our architecture: a scan executor cannot legally touch a host that is not on its signed scope manifest. A compromised scheduler that tries to launch out-of-scope scans gets caught at signature verification; a compromised executor that tries to fetch outside its manifest gets caught at OPA egress. Two independent layers, neither can suppress the other.

Scope manifestPer-scan JSON document: target eTLD+1, allowed subdomains, allowed ports, allowed verbs, destructive-action posture, capsule-recipient public key. Signed Ed25519 by the master-plane signer; verified on executor boot.
Egress policyOpen Policy Agent (OPA) sidecar. Every outbound HTTP request from an executor passes through OPA, which compares the destination against the manifest. Default-deny.
Destructive-action classifierPre-execution model that classifies each candidate payload as destructive / non-destructive / ambiguous. Destructive payloads require an explicit per-scan toggle that is off by default; ambiguous defaults to non-destructive.
Safe-execution envelopeNo DROP, no DELETE without WHERE, no truncate, no rm -rf, no destructive HTTP verbs to write endpoints — unless the manifest's destructive-action toggle is set and the operator countersigned. Caught at the classifier and at the OPA layer.
WatermarkingEvery PoC artifact carries a per-scan watermark (visible header + steganographic frame on screenshots). If a Capsule leaks, we know which engagement.
Out-of-scope attemptsLogged immediately to the audit ledger, scan terminated, customer notified within 24 hours. Zero tolerated.

Audit

Append-only ledger. Hash-chained. S3 Object-Lock replica.

Every security-relevant event in the platform — authentication, scope grant, scan launch, capsule sign, billing transition, admin action — is written to an append-only ledger. Each row carries the SHA-256 of the previous row, so any tampering is detectable in O(N) by re-walking the chain. A second copy is replicated under S3 Object-Lock for tamper-resistance even from us.

CoverageAuthN, AuthZ, scope-grant, scan-launch, scan-stop, capsule-sign, capsule-verify, billing-transition, admin-action, subprocessor-change. New event classes added when new state-changing surfaces land.
IntegrityPer-row prev_hash + row_hash (SHA-256). Daily integrity job re-walks the chain and alerts on any break.
Append-only enforcementPostgres role with INSERT only, no UPDATE / DELETE grant. Schema migrations require a documented exception with founder approval.
Immutable replicaS3-compatible Object-Lock bucket in compliance mode, governance-mode admin override unavailable. Retention 24 months, auto-purge thereafter.
Customer-facing accessCustomers can request their own audit-ledger slice (their account events) for any 30-day window via privacy@. Full ledger export on legal request.
Retention24 months online + immutable replica. Beyond 24 months: cold-archive to encrypted offline storage on case-by-case basis (e.g. open litigation hold).

Vendor security questionnaire

Pre-filled SIG Lite. CAIQ v4. Custom rows on request.

Procurement workflows usually want a SIG, a CAIQ, or a vendor-specific spreadsheet. We've pre-filled the standard ones — most vendor-risk packets close in one round-trip with the bundle below.

SIG Lite (Shared Assessments)

Pre-filled across all 19 SIG Lite domains. Every "yes" cross-references the artifact (this page, Trust Center, MSA + DPA). Returned within one business day of request.

Request SIG Lite →

CAIQ v4 (CSA Consensus Assessments)

Pre-filled CAIQ v4 covering all 17 CCM domains. Particularly useful for cloud-procurement-driven vendor risk. Returned within one business day.

Request CAIQ v4 →

Custom questionnaires

F500 procurement teams sometimes ship a bespoke spreadsheet (200–400 rows). We answer them — typical turnaround is 3–5 business days for first draft, with technical follow-up calls scheduled directly with the founder.

Send your questionnaire →

MSA + DPA + Section 889 attestation

Standard MSA, DPA with EU SCC Module 2 attached, Section 889 / 1260H attestation, beneficial-ownership disclosure. Available as a single procurement-ready bundle.

Request MSA bundle →

[PLACEHOLDER: A self-serve responder portal is on the roadmap. Until it ships, the founder responds to security@ manually within one business day.]

Reporting a vulnerability

Use the responsible-disclosure path. We expect to be tested.

We sell offensive security; we get tested every day. The path below is the only sanctioned one — please use it before any public disclosure. Acknowledgement within 24 hours, fix-or-status update within 7 days, public credit on request, safe-harbour for good-faith research within scope.

How to report

Email security@celvexgroup.com. PGP encryption supported.

PGP key fingerprint:
[PLACEHOLDER: 4096R/XXXXXXXX — full key block published at /.well-known/security.txt when production key is generated]

Full scope, eligible classes, ineligible classes, and safe-harbour terms are documented on the Trust Center responsible-disclosure section.