The compliance theatre that wins the early demo loses the procurement review. This page is the procurement review. Every certification we have, every one we're earning with a real auditor and a dated observation window, every sub-processor that touches customer data, and every retention rule the lifecycle enforces — honestly dated. If the answer is "not yet," we say "not yet" with a date.
Posture statement
Celvex serves customers across EU, US, APAC, and on customer-owned VPCs. Default deployment is global infrastructure with regional data residency on request — EU, US, APAC, or your own VPC, with the matching data-processing addendum. Sub-processors are named publicly below; thirty-day notice on changes with material customer-data scope.
Trust isn't a flag on a page. It's the quarterly transparency report, the public sub-processor list, the dated SOC 2 observation window, and a Proof Capsule format anyone can verify offline using open tools. Below is the real state of the program, dated — updated whenever it changes.
Vendor-risk teams: skip the form. Email security@celvexgroup.com and the founder reads it. Pre-filled vendor-risk packet (SIG Lite, CAIQ v4), MSA + DPA boilerplate, and regional data-residency addenda are available on request — most return inside one business day.
For incidents in progress, see Incident response below for the 24-hour triage SLA.
Certifications & frameworks
We won't put a SOC 2 Type II badge on this site before the report is signed. We won't claim a framework before the auditor's letter is in hand. Below is the real state of the program, dated.
Six-month observation window opened with a named auditor. Type I bridge letter available on request from month six. Type II report targeted for Q4 2026.
Readiness gap assessment scheduled to begin once SOC 2 Type II issues. Cert target month eighteen (Q2 2027). NIST 800-53 Moderate overlaps roughly eighty percent with SOC 2 + ISO 27001 — the work is bookkeeping, not duplication.
BAA template, risk analysis, and hardened audit logs delivered alongside SOC 2 Type II. Healthcare prospects receive the BAA on signed MSA. Not "HIPAA certified" — there is no such certification — HIPAA-aligned via documented controls.
/.well-known/security.txt: public scope, reporting channel, response-time commitment, and PGP key all published. See Responsible disclosure below.
Cyber-liability and errors-and-omissions certificates in force, surfaced in the vendor-risk packet on request. We carry the right policies because they are going to be asked for.
Additional sector or regional authorisations — healthcare, financial services, public sector, regional residency — are pursued when an anchor customer with a matching requirement materialises. We won't spend runway on speculative authorisation without a sponsor.
Customer attestation pack available today: pre-filled SIG Lite, CAIQ v4, MSA + DPA boilerplate, sub-processor change-notification clause, annual third-party penetration-test attestation letter, and cyber-liability + E&O certificates. Email security@celvexgroup.com.
Sub-processors
The full list, the purpose, the data shared, and the region. Customers receive thirty days' written notice before we add or change a sub-processor with material customer-data scope, per the DPA.
| Sub-processor | Purpose | Data shared | Region |
|---|---|---|---|
| Anthropic | LLM inference for the agentic chain (recon synthesis, payload variant generation, finding triage) | Target metadata, scan-step prompts; not raw customer credentials or full HTTP bodies | Customer-aligned region (US default, EU on request) |
| Cloudflare | Edge ingress, Workers, Queues, Turnstile (bot mitigation), DNS, WAF | Form submissions, verification-link tokens, IP for rate limiting | Global edge; data-plane processing in customer-aligned region |
| Resend | Transactional email (authorisation links, scan-complete notifications, billing receipts) | Customer email address, scan reference IDs | Customer-aligned region |
| Sigstore (rekor) | Append-only transparency log for Proof Capsule signatures | Capsule digest hashes only — no capsule payload | Public-good infrastructure |
| Fly.io | Application compute for the master plane (API, scheduler, worker fleet) | All customer data, encrypted at rest | Customer-aligned region (EU, US, APAC available) |
| Modal | Burst compute for parallel scan shards and capsule rendering | Per-scan ephemeral state; purged at job completion | Customer-aligned region |
Regional data residency (EU, US, APAC, or your own VPC) available on request, with matching data-processing addenda.
Supply chain
Yes. Every Proof Capsule we ship is signed with an open standard, anchored to a public, append-only log. The build-time software bill of materials ships alongside every release artifact. Signing keys rotate quarterly on the calendar quarter; the previous quarter's fingerprint stays valid for verification of historical capsules.
CycloneDX 1.5 JSON, generated per release. All transitive dependencies enumerated, licence-classified, vulnerability-scanned. Per-release SBOMs attached to public release notes.
Anchored in a public transparency log. Quarterly rotation. Verification via celvex verify CLI or any compatible open-source tool. Anyone can verify a capsule offline without our infrastructure.
Q1 (Jan 1) · Q2 (Apr 1) · Q3 (Jul 1) · Q4 (Oct 1). Rotation events trigger a transparency-report entry; previous-quarter keys remain valid for verification of historical artifacts indefinitely.
Sub-processor changes, data-handling stats, incident summary, uptime, signing-key rotations. Published the first Monday after each quarter close. Subscribe via security@celvexgroup.com.
Data handling & retention
Two clocks people frequently confuse: the 9-month dedupe window for free-tier scans (a colleague at the same domain root inside 9 months gets the existing report, not a fresh scan) and the 24-month report retention from creation. Both are documented below and enforced in code.
| Category | Retention | What it covers |
|---|---|---|
| Scan-target data & reports | 24 months from creation | Recon graph, finding inventory, Proof Capsules, evidence artifacts. Read access persists through subscription cancellation. |
| Customer email & account | Until cancellation + 6 months | Email, name, organisation. Six-month wind-down to handle reactivation; permanent purge at the end of the window or on verified deletion request. |
| Audit logs (immutable) | 24 months, append-only | Authentication events, scope grants, scan launches, capsule signs, admin actions. Hash-chain integrity; object-lock replica. |
| Billing & tax records | 7 years | Invoice metadata only. Required by tax-record retention rules; cannot be shortened on customer request. |
| Free-tier dedupe index | 9 months from scan | Used to return the existing report to a colleague at the same domain root; does not extend report retention. |
| Free-tier authorisation tokens | 90 days from form submission | Magic-link tokens expire after 90 days. Reminder emails at day 3, 10, and 30. After 90 days the link returns HTTP 410 and the user resubmits — tokens are never manually reissued. |
| IP addresses (rate limiting) | 30 days | Hashed and salted at ingest. Used for abuse detection and form-submission rate limits only; never associated with scan content. |
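An added illustration of the two clocks the table separates (the 9-month dedupe window and the 24-month report retention) plus the 90-day magic-link expiry; this is not Celvex's own enforcement code. The Report type, the domain-root key and calendar-month counting via AddDate are assumptions.

```go
package main

import "time"

// Retention clocks from the table, counted in calendar months and days via
// AddDate (an assumption; the page gives only the counts).
const (
	reportRetentionMonths = 24
	dedupeWindowMonths    = 9
	tokenTTLDays          = 90
)

// Report is a hypothetical free-tier scan record keyed by its domain root.
type Report struct {
	DomainRoot string
	CreatedAt  time.Time
}

// Readable reports whether the report is inside its 24-month retention. Read
// access does not depend on subscription state, per the table.
func Readable(r Report, now time.Time) bool {
	return now.Before(r.CreatedAt.AddDate(0, reportRetentionMonths, 0))
}

// Resolve decides what a free-tier request for domainRoot gets: the newest
// report for that root inside the 9-month dedupe window, or nil for a fresh
// scan. Since 9 < 24 anything returned is still readable; the converse fails:
// a report in months 10 to 24 stays readable but no longer blocks a fresh scan.
func Resolve(existing []Report, domainRoot string, now time.Time) *Report {
	var best *Report
	for i := range existing {
		r := &existing[i]
		if r.DomainRoot != domainRoot || !now.Before(r.CreatedAt.AddDate(0, dedupeWindowMonths, 0)) {
			continue
		}
		if best == nil || r.CreatedAt.After(best.CreatedAt) {
			best = r
		}
	}
	return best
}

// TokenStatus is the HTTP status a free-tier magic link yields at now: 200 while
// live, 410 Gone once the 90-day clock has run; expired links are never reissued.
func TokenStatus(submittedAt, now time.Time) int {
	if !now.Before(submittedAt.AddDate(0, 0, tokenTTLDays)) {
		return 410
	}
	return 200
}
```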
Cross-region processing of customer data only happens with an explicit customer flag (regional residency option) and a signed addendum.
Incident response
Report a security concern to security@celvexgroup.com. Acknowledgement within 24 hours. If the report is a confirmed incident affecting a customer, that customer receives written notification within 72 hours of confirmation, regardless of whether the impact is contained or in remediation.
Auto-ack to the reporter within minutes. Founder paged on every security@ email; this is not an alias that goes to a queue and dies.
Reproduce, classify (informational / vulnerability / active incident), establish blast radius. Reporter receives a written triage update.
If confirmed and customer-affecting: written notification with timeline, scope, mitigation status, and CVE / advisory ID if applicable. No undue delay to allow PR spin.
Public post-mortem on material incidents. Quarterly transparency report carries the rolled-up summary (count, severity distribution, MTTR).
Responsible disclosure
We sell verifiable security. We expect to be tested. The path below is the only sanctioned path; please use it before any public disclosure.
Email security@celvexgroup.com. PGP encryption supported.
PGP key fingerprint: published at /.well-known/security.txt
Acknowledgement within 24h, fix-or-status update within 7 days, public credit on request.
The CelvexGroup production application (app.celvexgroup.com, api.celvexgroup.com), the marketing site (celvexgroup.com), the Proof Capsule signing pipeline, and the edge ingress workers.
Eligible classes: RCE, AuthN/AuthZ bypass, IDOR, privilege escalation, capsule-signing key compromise, scope-manifest forgery, supply-chain attack on the build pipeline.
Findings that are out of scope or do not qualify for credit:
Good-faith research conducted within scope and following this policy will not result in legal action from CelvexGroup. We will not pursue or support law-enforcement action for research that:
Transparency posture
Trust isn't a slogan. It's a quarterly transparency report you can subscribe to, a sub-processor list you can read, a Proof Capsule format you can verify offline using open tools, and a roadmap with dates next to each milestone. Every quarter we publish how we made that work, who our sub-processors were, what changed, and what didn't. The audit answer is the artifact, not the slogan.
The pre-filled vendor-risk packet (SIG Lite, CAIQ v4), MSA + DPA, regional residency addenda, sub-processor list with change-notification clause, annual third-party penetration-test attestation letter, and cyber-liability + E&O certificates are one email away. The founder reads every security@ message.