The compliance theatre that wins the early demo loses the procurement review. This page is the procurement review. Every certification we have, every one we're earning with a real auditor and a dated observation window, every sub-processor that touches customer data, and every retention rule the lifecycle enforces, all honestly dated. If the answer is "not yet," we say "not yet" with a date.
Posture statement
Celvex is Canadian-built and Canadian-owned, and serves customers across Canada, the US, EU, APAC, and on customer-owned VPCs. Default deployment is global infrastructure with regional data residency on request: Canada, US, EU, APAC, or your own VPC, with the matching data-processing addendum. Canadian customers can keep their data in a Canadian-region residency option under PIPEDA; US, EU, and APAC customers are served in-region under the framework that applies to them. Sub-processors are named publicly below; thirty-day notice on changes with material customer-data scope.
Trust isn't a flag on a page. It's the quarterly transparency report, the public sub-processor list, the dated SOC 2 observation window, and a Proof Capsule format anyone can verify offline using open tools. Below is the real state of the program, dated and updated whenever it changes.
Vendor-risk teams: skip the form. Email security@celvexgroup.com and the founder reads it. Pre-filled vendor-risk packet (SIG Lite, CAIQ v4), MSA + DPA boilerplate, and regional data-residency addenda are available on request, and most return inside one business day.
For incidents in progress, see Incident response below for the 24-hour triage SLA.
Certifications & frameworks
We won't put a SOC 2 Type II badge on this site before the report is signed. We won't claim a framework before the auditor's letter is in hand. Below is the real state of the program, dated.
Six-month observation window opened with a named auditor. Type I bridge letter available on request from month six. Type II report targeted for Q4 2026.
Readiness gap assessment scheduled to begin once SOC 2 Type II issues. Cert target month eighteen (Q2 2027). NIST 800-53 Moderate overlaps roughly eighty percent with SOC 2 + ISO 27001, so the work is bookkeeping, not duplication.
BAA template, risk analysis, and hardened audit logs delivered alongside SOC 2 Type II. Healthcare prospects receive the BAA on signed MSA. Not "HIPAA certified" (there is no such certification), but HIPAA-aligned via documented controls.
/.well-known/security.txt: public scope, reporting channel, response-time commitment, and PGP key all published. See Responsible disclosure below.
Cyber-liability and errors-and-omissions certificates in force, surfaced in the vendor-risk packet on request. We carry the right policies because they are going to be asked for.
Additional sector or regional authorisations (healthcare, financial services, public sector, regional residency) are pursued when an anchor customer with a matching requirement materialises. We won't spend runway on speculative authorisation without a sponsor.
Customer attestation pack available today: pre-filled SIG Lite, CAIQ v4, MSA + DPA boilerplate, sub-processor change-notification clause, annual third-party penetration-test attestation letter, and cyber-liability + E&O certificates. Email security@celvexgroup.com.
Sub-processors
The full list, the purpose, the data shared, and the region. Customers receive thirty days' written notice before we add or change a sub-processor with material customer-data scope, per the DPA.
| Sub-processor | Purpose | Data shared | Region |
|---|---|---|---|
| Anthropic | LLM inference for the agentic chain (recon synthesis, payload variant generation, finding triage) | Target metadata, scan-step prompts; not raw customer credentials or full HTTP bodies | Customer-aligned region (US default; Canada, EU on request) |
| Cloudflare | Edge ingress, Workers, Queues, Turnstile (bot mitigation), DNS, WAF | Form submissions, verification-link tokens, IP for rate limiting | Global edge; data-plane processing in customer-aligned region |
| Resend | Transactional email (authorisation links, scan-complete notifications, billing receipts) | Customer email address, scan reference IDs | Customer-aligned region |
| Sigstore (Rekor) | Append-only transparency log for Proof Capsule signatures | Capsule digest hashes only, with no capsule payload | Public-good infrastructure |
| Fly.io | Application compute for the master plane (API, scheduler, worker fleet) | All customer data, encrypted at rest | Customer-aligned region (Canada, US, EU, APAC available) |
| Modal | Burst compute for parallel scan shards and capsule rendering | Per-scan ephemeral state; purged at job completion | Customer-aligned region |
Regional data residency (Canada, US, EU, APAC, or your own VPC) available on request, with matching data-processing addenda. Canadian customers can elect a Canadian-region residency option under PIPEDA.
Supply chain
Every Proof Capsule we ship is signed with an open standard, anchored to a public, append-only log. The build-time software bill of materials ships alongside every release artifact. Signing keys rotate quarterly on the calendar quarter; the previous quarter's fingerprint stays valid for verification of historical capsules.
CycloneDX 1.5 JSON, generated per release. All transitive dependencies enumerated, licence-classified, vulnerability-scanned. Per-release SBOMs attached to public release notes.
Anchored in a public transparency log. Quarterly rotation. Verification via celvex verify CLI or any compatible open-source tool. Anyone can verify a capsule offline without our infrastructure.
Q1 (Jan 1) · Q2 (Apr 1) · Q3 (Jul 1) · Q4 (Oct 1). Rotation events trigger a transparency-report entry; previous-quarter keys remain valid for verification of historical artifacts indefinitely.
Sub-processor changes, data-handling stats, incident summary, uptime, signing-key rotations. Published the first Monday after each quarter close. Subscribe via security@celvexgroup.com.
Data handling & retention
Two clocks people frequently confuse: the 9-month dedupe window for free-tier scans (a colleague at the same domain root inside 9 months gets the existing report, not a fresh scan) and the 24-month report retention from creation. Both are documented below and enforced in code.
| Category | Retention | What it covers |
|---|---|---|
| Scan-target data & reports | 24 months from creation | Recon graph, finding inventory, Proof Capsules, evidence artifacts. Read access persists through subscription cancellation. |
| Customer email & account | Until cancellation + 6 months | Email, name, organisation. Six-month wind-down to handle reactivation; permanent purge at the end of the window or on verified deletion request. |
| Audit logs (immutable) | 24 months, append-only | Authentication events, scope grants, scan launches, capsule signs, admin actions. Hash-chain integrity; object-lock replica. |
| Billing & tax records | 7 years | Invoice metadata only. Required by tax-record retention rules; cannot be shortened on customer request. |
| Free-tier dedupe index | 9 months from scan | Used to return the existing report to a colleague at the same domain root; does not extend report retention. |
| Free-tier authorisation tokens | 90 days from form submission | Magic-link tokens expire after 90 days. Reminder emails at day 3, 10, and 30. After 90 days the link returns HTTP 410 and the user resubmits. Tokens are never manually reissued. |
| IP addresses (rate limiting) | 30 days | Hashed and salted at ingest. Used for abuse detection and form-submission rate limits only; never associated with scan content. |
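The "hash-chain integrity; object-lock replica" pairing in the audit-log row is worth seeing as code, because the two controls cover different failures. The block below is an added example, not Celvex's own logging code: the event fields, the chaining rule (SHA-256 over previous hash, sequence number and canonical event) and the sample events are constructed for the illustration.

```python
"""Append-only audit log with hash-chain integrity. Added example, not
Celvex's code; event shapes, chaining rule and sample events are constructed."""
import hashlib
import json

GENESIS_HASH = "0" * 64  # chain anchor for the first entry


def canonical(event: dict) -> bytes:
    # Sorted keys and no whitespace so every verifier hashes identical bytes.
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()


def entry_hash(prev_hash: str, seq: int, event: dict) -> str:
    # Binding prev_hash links the entries; binding seq defeats reordering.
    return hashlib.sha256(prev_hash.encode() + seq.to_bytes(8, "big") + canonical(event)).hexdigest()


def append(log: list, event: dict) -> dict:
    prev = log[-1]["hash"] if log else GENESIS_HASH
    seq = len(log)
    entry = {"seq": seq, "prev": prev, "event": event, "hash": entry_hash(prev, seq, event)}
    log.append(entry)
    return entry


def verify_chain(log: list, expected_head=None):
    """Return (ok, first_bad_seq). Recomputes every hash along the chain.
    A linear chain proves nothing was modified or reordered, but a log cut
    short at the end still chains cleanly; comparing the head against a copy
    held elsewhere (the object-lock replica) is what catches truncation."""
    prev = GENESIS_HASH
    for i, e in enumerate(log):
        if e["seq"] != i or e["prev"] != prev or e["hash"] != entry_hash(prev, i, e["event"]):
            return False, i
        prev = e["hash"]
    if expected_head is not None and prev != expected_head:
        return False, len(log)   # chain intact, but entries are missing from the end
    return True, None


def build_sample_log() -> list:
    """Constructed events mirroring the categories the retention table lists."""
    log = []
    for ev in [
        {"type": "auth.login", "actor": "alice@example.com", "ok": True},
        {"type": "scope.grant", "actor": "alice@example.com", "target": "example.com"},
        {"type": "scan.launch", "actor": "alice@example.com", "scan": "scan-0001"},
        {"type": "capsule.sign", "scan": "scan-0001", "key": "KEY-FINGERPRINT-PLACEHOLDER"},
    ]:
        append(log, ev)
    return log


def tamper_demo() -> tuple:
    """Edit one past event in place; verification stops at that sequence number."""
    log = build_sample_log()
    head = log[-1]["hash"]
    log[1]["event"]["target"] = "other.example"
    return verify_chain(log, head)


def truncation_demo() -> tuple:
    """Drop the last entry; only the replica's head hash reveals the loss."""
    log = build_sample_log()
    head = log[-1]["hash"]
    return verify_chain(log[:-1], head)


if __name__ == "__main__":
    print("intact:", verify_chain(build_sample_log()))
    print("tampered:", tamper_demo())
    print("truncated:", truncation_demo())
```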
Cross-region processing of customer data only happens with an explicit customer flag (regional residency option) and a signed addendum.
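The two clocks the section opens with, the 90-day token lifecycle and the hashed-IP rate-limit key all reduce to a few date and hash rules, which the block below works through as an added example (not Celvex's enforcement code). Function names, record shapes and the sample dates are constructed; registrable-root extraction is deliberately simplified, since a real implementation would consult the Public Suffix List.

```python
"""Retention clocks and token lifecycle from the table above. Added example,
not Celvex's code; names, record shapes and sample dates are constructed."""
import hashlib
import hmac
from datetime import date, timedelta

DEDUPE_MONTHS = 9          # free-tier dedupe window, from scan
RETENTION_MONTHS = 24      # report retention, from creation
TOKEN_TTL_DAYS = 90        # magic-link tokens
REMINDER_DAYS = (3, 10, 30)
IP_HASH_RETENTION_DAYS = 30


def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic, clamping to the last day of a short month."""
    y, m = divmod(d.month - 1 + months, 12)
    y += d.year
    m += 1
    last_day = (date(y + (m == 12), m % 12 + 1, 1) - timedelta(days=1)).day
    return date(y, m, min(d.day, last_day))


def normalize_root(host: str) -> str:
    # Simplification (assumption): lowercase, drop a trailing dot and a leading "www.".
    host = host.lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def dedupe_lookup(index: dict, host: str, today: date):
    """Existing report id if the same domain root was scanned inside the dedupe
    window, else None (a fresh scan runs). This clock never extends the
    report's own 24-month retention."""
    rec = index.get(normalize_root(host))
    if rec and today < add_months(rec["scanned"], DEDUPE_MONTHS):
        return rec["report_id"]
    return None


def report_retained(created: date, today: date) -> bool:
    """Read access persists until the 24-month mark, cancellation or not."""
    return today < add_months(created, RETENTION_MONTHS)


def token_state(submitted: date, today: date) -> dict:
    """200 while inside the TTL, a reminder flag on day 3/10/30, and 410 Gone
    from day 90 (the user resubmits; nothing is reissued by hand)."""
    age = (today - submitted).days
    if age >= TOKEN_TTL_DAYS:
        return {"http": 410, "reminder_day": None}
    return {"http": 200, "reminder_day": age if age in REMINDER_DAYS else None}


def rate_limit_key(ip: str, salt: bytes) -> str:
    """Salted hash stored for rate limiting; the raw address itself is never kept."""
    return hmac.new(salt, ip.encode(), hashlib.sha256).hexdigest()[:32]


# Constructed sample: one free-tier scan of example.com created on 15 Jan 2026.
INDEX = {"example.com": {"scanned": date(2026, 1, 15), "report_id": "rpt-0001"}}

if __name__ == "__main__":
    print(dedupe_lookup(INDEX, "www.Example.com", date(2026, 9, 1)))   # colleague inside 9 months
    print(dedupe_lookup(INDEX, "example.com", date(2026, 11, 1)))      # window closed
    print(report_retained(date(2026, 1, 15), date(2028, 1, 14)))
    print(token_state(date(2026, 1, 15), date(2026, 4, 15)))
```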
Incident response
Report a security concern to security@celvexgroup.com. Acknowledgement within 24 hours. If the report is a confirmed incident affecting a customer, that customer receives written notification within 72 hours of confirmation, regardless of whether the impact is contained or in remediation.
Auto-ack to the reporter within minutes. Founder paged on every security@ email; this is not an alias that goes to a queue and dies.
Reproduce, classify (informational / vulnerability / active incident), establish blast radius. Reporter receives a written triage update.
If confirmed and customer-affecting: written notification with timeline, scope, mitigation status, and CVE / advisory ID if applicable. No undue delay to allow PR spin.
Public post-mortem on material incidents. Quarterly transparency report carries the rolled-up summary (count, severity distribution, MTTR).
Responsible disclosure
We sell verifiable security. We expect to be tested. The path below is the only sanctioned path; please use it before any public disclosure.
Email security@celvexgroup.com. PGP encryption supported.
PGP key fingerprint: published at /.well-known/security.txt
Acknowledgement within 24h, fix-or-status update within 7 days, public credit on request.
The CelvexGroup production application (app.celvexgroup.com, api.celvexgroup.com), the marketing site (celvexgroup.com), the Proof Capsule signing pipeline, and the edge ingress workers.
Eligible classes: RCE, AuthN/AuthZ bypass, IDOR, privilege escalation, capsule-signing key compromise, scope-manifest forgery, supply-chain attack on the build pipeline.
Findings that are out of scope or do not qualify for credit:
Good-faith research conducted within scope and following this policy will not result in legal action from CelvexGroup. We will not pursue or support law-enforcement action for research that:
Transparency posture
Trust isn't a slogan. It's a quarterly transparency report you can subscribe to, a sub-processor list you can read, a Proof Capsule format you can verify offline using open tools, and a roadmap with dates next to each milestone. Every quarter we publish how we made that work, who our sub-processors were, what changed, and what didn't. The audit answer is the artifact, not the slogan.
The pre-filled vendor-risk packet (SIG Lite, CAIQ v4), MSA + DPA, regional residency addenda, sub-processor list with change-notification clause, annual third-party penetration-test attestation letter, and cyber-liability + E&O certificates are one email away. The founder reads every security@ message.