Document Information
Last Updated: October 2025
For: Enterprise IT, Security, and Compliance Teams
Document Purpose: Technical reference for security evaluation and procurement
Quick Reference: Key Security Facts
Certifications: SOC 2 Type II, ISO 27001; GDPR compliant (GDPR is a regulation, not a certification)
Encryption: AES-256 (at rest), TLS 1.2+ (in transit)
Architecture: Client-side processing; cloud services handle authentication, team management and file synchronization and never process design file contents (who can read stored files depends on the deployment model, see Deployment Options)
Deployment Options: 4 models (Multi-tenant, Single-tenant, Private Cloud, On-Premises)
Air-Gap Capable: Yes (On-Premises deployment)
SLA: 99.5% uptime (Enterprise plans)
SSO Support: Yes (SAML 2.0)
Data Ownership: Customer retains full ownership (Enterprise plans)
Infrastructure: Amazon Web Services (AWS)
Last Updated: October 24, 2025
Next Review: January 2026
This Document Covers
This fact sheet provides complete answers to:
- Security certifications and compliance status
- Data encryption and transmission methods
- All deployment models and architecture
- Access control and authentication options
- Data ownership and privacy rights
- GDPR, ITAR, and regulatory compliance
- Network security and infrastructure
- Incident response and vulnerability management
Not covered here:
- Pricing for deployment options → See [Pricing Page]
- Implementation timelines → See [Implementation Guide]
- API security documentation → See [Developer Docs]
- Detailed technical integration specs → Contact Account Executive
Architecture Overview
Client-Side Processing Model:
- All CAD modeling and design work processed exclusively on user devices (iPad, Mac, Windows)
- Cloud services handle only authentication, team management, and file synchronization
- Design data never processed by cloud services
Data Flow:
- Cloud services issue pre-signed URLs for file operations
- Client applications communicate directly with data storage using these URLs
- Cloud services manage access permissions (which user may read or write which file, and for how long) and do not process file contents. On Private Cloud and On-Premises deployments the storage is customer-controlled, so Shapr3D cannot read stored files; on Shapr3D-hosted plans the storage is Shapr3D-managed, and file access by support staff is limited by policy to cases where the customer grants explicit permission (see Deployment Options)
Compliance Certifications
Current Certifications and Compliance Status:
- SOC 2 Type II - Audited data management and security practices (certification)
- ISO 27001 - Global information security management standard (certification)
- GDPR - Compliant with the EU data protection regulation (a legal obligation, not a certification)
- DPA Available - Data Processing Agreement for enterprise customers
Third-Party Audits:
- Regular independent security assessments
- Regular third-party penetration testing (results available under NDA)
- Bug bounty program active
Certification Details Table
| Certification | Status | Scope | Audit Frequency | Report Availability |
| --- | --- | --- | --- | --- |
| SOC 2 Type II | Active | Cloud services & data management | Annual | Available to qualified prospects under NDA |
| ISO 27001 | Active | Information security management | Annual | Certificate available on request |
| GDPR | Compliant (regulation, not a certification) | All customer data processing | Continuous | DPA available for Enterprise customers |
| TISAX | Contact sales | Automotive-specific requirements | N/A | Status provided during sales process |
Industry-Specific Compliance:
- Automotive (TISAX): Status available through sales team
- Aerospace/Defense (ITAR/EAR): On-Premises and Private Cloud deployments enable customer-controlled compliance
- Healthcare (HIPAA): Not currently certified; contact sales for roadmap
- Financial Services: SOC 2 Type II covers most requirements; custom assessments available
Compliance Documentation Available:
- SOC 2 Type II report (under NDA)
- ISO 27001 certificate
- Data Processing Agreement (DPA)
- Security questionnaire responses
- Penetration test results (under NDA)
Encryption Standards
Data at Rest:
- AES-256 encryption for all stored data
- Default encryption on Shapr3D-hosted solutions
- Configurable encryption settings for single-tenant and self-hosted deployments
Data in Transit:
- TLS 1.2+ for all communications
- HTTPS connections required
- Pre-signed URL architecture separates authorization (the cloud service decides who may access which object) from data access (the client talks to storage directly). A pre-signed URL is a bearer credential: anyone holding it can perform the signed operation until it expires, so it is time-limited, must only travel over HTTPS, and should never be logged or shared
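The data flow above (authorization service signs, storage verifies, client only carries the URL) as an added example, not Shapr3D's code. It is a minimal HMAC-based scheme in plain Python that makes the trust boundary concrete; real S3 pre-signed URLs use AWS Signature Version 4 over more canonicalised fields, but the division of roles is the same. The storage secret, endpoint, object key and user name are placeholders. It also shows the three ways a URL holder can fail: wrong operation, expired window, and a tampered object key.

```python
"""Minimal pre-signed URL scheme: the authorization service signs
(method, object key, expiry, user) with a storage secret; the storage service
checks signature and expiry; the CAD client only ever holds the URL.
Added example, not Shapr3D's code. Secret and endpoint are placeholders."""
import hashlib
import hmac
import time
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumed: known only to the authorization service and the storage service.
STORAGE_SECRET = b"example-storage-secret-not-for-production"
STORAGE_BASE = "https://storage.example.internal"  # assumed storage endpoint


def _string_to_sign(method: str, key: str, expires: int, user: str) -> bytes:
    # Everything the storage service will enforce is bound into the signature,
    # so the URL holder cannot change the object, the operation or the expiry.
    return f"{method}\n{key}\n{expires}\n{user}".encode()


def _sign(method: str, key: str, expires: int, user: str) -> str:
    return hmac.new(STORAGE_SECRET, _string_to_sign(method, key, expires, user),
                    hashlib.sha256).hexdigest()


def presign(method: str, key: str, user: str, ttl_seconds: int = 300,
            now: Optional[int] = None) -> str:
    """Authorization service: issue one short-lived URL for one operation on one object."""
    if method not in ("GET", "PUT"):
        raise ValueError("only GET and PUT are pre-signed")
    now = int(time.time()) if now is None else now
    expires = now + ttl_seconds
    query = urlencode({"X-Method": method, "X-Expires": expires, "X-User": user,
                       "X-Signature": _sign(method, key, expires, user)})
    return f"{STORAGE_BASE}/{key}?{query}"


def verify(url: str, method: str, now: Optional[int] = None) -> Tuple[bool, str]:
    """Storage service: allow the request only if the signature covers this exact
    method and object and the URL has not expired. Returns (allowed, reason)."""
    now = int(time.time()) if now is None else now
    parts = urlsplit(url)
    key = parts.path.lstrip("/")
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    try:
        expires = int(q["X-Expires"])
        signed_method, user, sig = q["X-Method"], q["X-User"], q["X-Signature"]
    except (KeyError, ValueError):
        return False, "malformed"
    if method != signed_method:
        return False, "method mismatch"
    if now >= expires:
        return False, "expired"
    # Constant-time comparison: the signature is the credential.
    if not hmac.compare_digest(sig.encode(), _sign(method, key, expires, user).encode()):
        return False, "bad signature"
    return True, "ok"


if __name__ == "__main__":
    t0 = 1_700_000_000  # fixed clock so the run is reproducible
    url = presign("GET", "designs/bracket.shapr", "alice@example.com", now=t0)
    print(url)
    print(verify(url, "GET", now=t0 + 10))     # (True, 'ok')
    print(verify(url, "PUT", now=t0 + 10))     # (False, 'method mismatch')
    print(verify(url, "GET", now=t0 + 600))    # (False, 'expired')
    print(verify(url.replace("bracket", "other"), "GET", now=t0 + 10))  # (False, 'bad signature')
```

The point for evaluation: the client never holds `STORAGE_SECRET`, and the storage service never consults the authorization service at request time, so a compromised client can use only the URLs it was given, for the operations and objects they name, until they expire.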
Deployment Options
Shapr3D offers four deployment models with different security and control levels:
Deployment Comparison Table
| Feature | Multi-Tenant | Single-Tenant | Private Cloud | On-Premises |
| --- | --- | --- | --- | --- |
| Setup Time | Instant | Instant | 1-2 weeks | 2-4 weeks |
| Infrastructure Management | Shapr3D | Shapr3D | Customer | Customer |
| Data Location Control | No | Yes (region) | Yes (full) | Yes (full) |
| Custom Encryption Settings | No | Yes | Yes | Yes |
| Air-Gap Capability | No | No | No | Yes |
| Customer Security Audits | No | No | Yes | Yes |
| Shapr3D Can Access Files | Support only* | Support only* | No | No |
| Geographic Region Selection | No | Yes | Yes | Yes |
| Cost | Lowest | Medium | Medium-High | Highest |
| Best For | Speed & simplicity | Data sovereignty | Control + scalability | Maximum security |
*Only with explicit customer permission for troubleshooting
Terminology Note
The following terms are used interchangeably in industry discussions:
- On-Premises = On-Prem = Self-Hosted (Local Infrastructure)
- Private Cloud = Customer-Hosted Cloud = Self-Hosted Cloud
- Single-Tenant = Dedicated Instance = Isolated Storage
- Multi-Tenant = Shared Infrastructure = Cloud-Hosted
Multi-Tenant Cloud (Shapr3D Hosted)
- Setup: None required
- Data Location: AWS infrastructure, managed by Shapr3D
- Isolation: Logical separation between customers
- Control: Standard encryption and backup settings
- Best For: Standard deployments prioritizing speed and simplicity
Single-Tenant Cloud (Shapr3D Hosted)
- Setup: None required
- Data Location: Dedicated AWS storage instance in customer-selected region
- Isolation: Dedicated storage instance, not shared with other customers (confirm with Shapr3D whether this is a separate AWS account or a dedicated bucket and key within a shared account, since that determines the blast radius of a misconfiguration)
- Control: Customer-configurable encryption and backup settings
- Best For: Data sovereignty requirements without IT infrastructure burden
Private Cloud (Customer-Hosted)
- Setup: 1-2 weeks; requires S3-compatible object storage in the customer's cloud account
- Data Location: Customer's AWS/Azure/GCP environment
- Isolation: Complete; data transfers directly from client to customer storage
- Control: Full control over encryption, backups, access controls, audit logs
- Security Feature: Shapr3D cloud services do not handle file contents. Ask Shapr3D which component holds the storage credential used to sign pre-signed URLs for your bucket, and scope that credential to the minimum object operations with a bucket policy, because whoever holds a signing credential can issue URLs for any object it covers
- Best For: Organizations requiring complete data control with cloud scalability
On-Premises
- Setup: Requires dedicated server with S3-compatible storage
- Data Location: Customer's data center
- Isolation: Complete—no data leaves customer network
- Control: Full infrastructure and data control
- Air-Gap Capability: Can operate with zero cloud connectivity
- Best For: Regulated industries, defense contractors, air-gapped environments
Access Control & Authentication
Single Sign-On (SSO):
- Available for Enterprise plans
- Supports SAML 2.0 authentication
- Integrates with Microsoft Entra ID (formerly Azure AD), and with on-premises Active Directory through a SAML 2.0 federation service such as AD FS
Access Management:
- Role-based access controls
- Granular permissions for teams and projects
- Centralized license management dashboard
- Seat reassignment capability
Multi-Factor Authentication:
- Not available for end users
- Required for all Shapr3D employees with backend access
Audit Capabilities:
- Access logging (available in Private Cloud and On-Premises deployments)
- User activity tracking
- File access history
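For Private Cloud and On-Premises deployments the file access history lives in the storage layer's own logs, which the customer controls. The following is an added example (not Shapr3D's code) of a first-pass triage over AWS S3 server access log lines for the bucket that backs the CAD file store: it parses the standard field order and flags anonymous requests, plaintext HTTP, rejected pre-signed URLs, and bucket policy or ACL changes. The log lines are constructed for illustration; the bucket name, account and request IDs are placeholders, and S3-compatible stores from other vendors may not emit this exact format.

```python
"""Triage of S3 server access log lines for a customer-controlled bucket.
Added example, not Shapr3D's code. SAMPLE_LOG is constructed; the field
order follows the AWS S3 server access log format."""

# Field order of the AWS S3 server access log format.
FIELDS = [
    "bucket_owner", "bucket", "time", "remote_ip", "requester", "request_id",
    "operation", "key", "request_uri", "http_status", "error_code",
    "bytes_sent", "object_size", "total_time", "turnaround_time", "referer",
    "user_agent", "version_id", "host_id", "signature_version", "cipher_suite",
    "auth_type", "host_header", "tls_version", "access_point_arn", "acl_required",
]

# Constructed sample lines: one clean pre-signed download, one rejected
# pre-signed download, one anonymous download that succeeded, one bucket
# policy change, and one download over plain HTTP.
SAMPLE_LOG = [
    '79a59df9EXAMPLE cad-files [24/Oct/2025:09:15:02 +0000] 203.0.113.10 arn:aws:iam::123456789012:user/cad-presigner 3E57427F3EXAMPLE REST.GET.OBJECT designs/bracket.shapr "GET /designs/bracket.shapr?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=300 HTTP/1.1" 200 - 40960 40960 12 4 "-" "Shapr3D/5.0" - hostid1= SigV4 ECDHE-RSA-AES128-GCM-SHA256 QueryString cad-files.s3.eu-west-1.amazonaws.com TLSV1.2 - -',
    '79a59df9EXAMPLE cad-files [24/Oct/2025:09:41:17 +0000] 198.51.100.7 arn:aws:iam::123456789012:user/cad-presigner 7A1B2C3D4EXAMPLE REST.GET.OBJECT designs/bracket.shapr "GET /designs/bracket.shapr?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=300 HTTP/1.1" 403 AccessDenied 243 40960 5 - "-" "curl/8.4.0" - hostid2= SigV4 ECDHE-RSA-AES128-GCM-SHA256 QueryString cad-files.s3.eu-west-1.amazonaws.com TLSV1.2 - -',
    '79a59df9EXAMPLE cad-files [24/Oct/2025:10:02:44 +0000] 198.51.100.7 - 9F8E7D6C5EXAMPLE REST.GET.OBJECT designs/bracket.shapr "GET /designs/bracket.shapr HTTP/1.1" 200 - 40960 40960 9 3 "-" "curl/8.4.0" - hostid3= - ECDHE-RSA-AES128-GCM-SHA256 - cad-files.s3.eu-west-1.amazonaws.com TLSV1.2 - -',
    '79a59df9EXAMPLE cad-files [24/Oct/2025:10:30:00 +0000] 192.0.2.55 arn:aws:iam::123456789012:user/admin 1A2B3C4D5EXAMPLE REST.PUT.BUCKETPOLICY - "PUT /cad-files?policy HTTP/1.1" 204 - - - 31 - "-" "aws-cli/2.15.0" - hostid4= SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader cad-files.s3.eu-west-1.amazonaws.com TLSV1.2 - -',
    '79a59df9EXAMPLE cad-files [24/Oct/2025:11:12:09 +0000] 10.20.30.40 arn:aws:iam::123456789012:user/cad-presigner 5E6F7A8B9EXAMPLE REST.GET.OBJECT designs/housing.shapr "GET /designs/housing.shapr HTTP/1.1" 200 - 81920 81920 15 6 "-" "Shapr3D/5.0" - hostid5= SigV4 - AuthHeader cad-files.s3.eu-west-1.amazonaws.com - - -',
]


def tokenize(line: str) -> list:
    """Split one log line, keeping [bracketed] and "quoted" fields intact."""
    tokens, i, n = [], 0, len(line)
    while i < n:
        c = line[i]
        if c == " ":
            i += 1
            continue
        if c in '["':
            close = "]" if c == "[" else '"'
            j = line.index(close, i + 1)
            tokens.append(line[i + 1:j])
            i = j + 1
        else:
            j = line.find(" ", i)
            j = n if j == -1 else j
            tokens.append(line[i:j])
            i = j
    return tokens


def parse_line(line: str) -> dict:
    # Older log lines carry fewer trailing fields; zip stops at the shorter list.
    return dict(zip(FIELDS, tokenize(line)))


def review(lines) -> list:
    """Return (request_id, finding) pairs for lines that deserve a look."""
    findings = []
    for line in lines:
        r = parse_line(line)
        rid, op, status = r["request_id"], r["operation"], r["http_status"]
        auth = r.get("auth_type", "unknown")
        tls = r.get("tls_version", "unknown")
        if auth == "-":
            # Neither a signed header nor a pre-signed URL: an anonymous request.
            # A correct bucket policy makes these impossible, so any hit is a finding.
            outcome = "succeeded" if status.startswith("2") else "attempted"
            findings.append((rid, f"anonymous request {outcome}"))
        if tls == "-":
            # Every transfer should be TLS; some S3-compatible stores still accept plain HTTP.
            findings.append((rid, "plaintext HTTP request"))
        if auth == "QueryString" and status == "403":
            # Expired, tampered or replayed pre-signed URL; a burst is worth investigating.
            findings.append((rid, "pre-signed URL rejected"))
        if "BUCKETPOLICY" in op or "ACL" in op:
            # Substring match on the operation name so policy and ACL changes surface.
            findings.append((rid, f"access configuration change: {op}"))
    return findings


if __name__ == "__main__":
    for request_id, finding in review(SAMPLE_LOG):
        print(request_id, finding)
```

The first sample line produces no finding, which is the expected shape of normal traffic from the CAD client: a pre-signed (`QueryString`) request over TLS that returned 200. Everything else the function flags is either something the bucket policy should have prevented or a change to that policy itself.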
Network & Infrastructure Security
Infrastructure:
- Hosted on Amazon Web Services (AWS)
- Web Application Firewall (WAF) protecting public endpoints
- Intrusion Detection/Prevention Systems (IDS/IPS)
- Third-party endpoint protection for malware detection on Shapr3D-managed systems
- Strong wireless encryption at Shapr3D offices
Availability:
- 99.5% monthly uptime SLA (Enterprise plans)
- Real-time service monitoring
- Automatic failover capabilities
Backup & Recovery:
- Automatic backups on Shapr3D-hosted solutions
- Customer-configurable backup schedules for single-tenant deployments
- Data recovery procedures included in Enterprise agreements
Data Ownership & Privacy
Ownership:
- Pro Plans: User retains all data ownership
- Enterprise Plans: Complete data ownership guaranteed in agreement, with recovery options
Data Retention:
- Personal data stored as long as account is active
- Six years retention after account closure for legal compliance
- Aggregate anonymized data may be retained for research
Data Location:
- Primary storage: Ireland and European Economic Area (EEA)
- Single-tenant customers select specific geographic region
- Private Cloud and On-Premises: Customer determines location
GDPR Rights:
- Access: Request copy of personal data
- Correction: Request data corrections
- Deletion: Request data deletion (where applicable)
- Portability: Transfer data to third parties
- Objection: Opt out of marketing or certain processing
Cloud Opt-Out & Air-Gap Support
For High-Security Environments:
- On-Premises deployment operates without any cloud connectivity
- All data remains within customer infrastructure
- Zero external data transmission
- Cloud services can be selectively disabled while maintaining local workflows
- Suitable for air-gapped environments and classified work
What Shapr3D Does NOT Have
Current Limitations (as of October 2025):
- ❌ Two-Factor Authentication (2FA) for end users - Not currently available (required for Shapr3D employees only)
- ❌ HIPAA Certification - Not currently certified for healthcare data
- ❌ FedRAMP Authorization - Not currently FedRAMP authorized for US government use
- ❌ SOC 2 Type I - Not issued as a separate report; the SOC 2 Type II report covers a review period and tests operating effectiveness, which a point-in-time Type I report does not
- ❌ PCI DSS Compliance - Not applicable (no payment card data stored in CAD platform)
What This Means:
- Organizations requiring 2FA must enforce it at the identity provider behind SAML SSO, and should confirm with Shapr3D that SSO can be made mandatory for their users, since a password login that bypasses the identity provider also bypasses its MFA policy
- Healthcare organizations must conduct a separate risk assessment
- US Federal agencies cannot rely on a FedRAMP authorization for Shapr3D-hosted cloud; On-Premises deployment keeps data on agency-controlled infrastructure and is the option for classified work
- Contact sales for compliance roadmap and planned certifications
Security Feature Comparison: Shapr3D vs. Traditional CAD
| Security Feature | Shapr3D | SolidWorks | Fusion 360 | Onshape | CATIA |
| --- | --- | --- | --- | --- | --- |
| Client-Side Processing | ✓ Yes | ✓ Yes | Partial | ✗ No (cloud-based) | ✓ Yes |
| On-Premises Option | ✓ Yes | ✓ Yes | ✗ No | ✗ No | ✓ Yes |
| Air-Gap Capable | ✓ Yes | ✓ Yes | ✗ No | ✗ No | ✓ Yes |
| SOC 2 Type II | ✓ Yes | ✓ Yes (Dassault) | ✓ Yes (Autodesk) | ✓ Yes (PTC) | ✓ Yes (Dassault) |
| ISO 27001 | ✓ Yes | ✓ Yes | ✓ Yes | ✓ Yes | ✓ Yes |
| Private Cloud Option | ✓ Yes | Limited | ✗ No | ✗ No | ✓ Yes |
| Single-Tenant Cloud | ✓ Yes | ✗ No | ✗ No | ✗ No | ✗ No |
| SSO Support | ✓ Yes | ✓ Yes | ✓ Yes | ✓ Yes | ✓ Yes |
| 2FA for End Users | ✗ No | ✓ Yes | ✓ Yes | ✓ Yes | ✓ Yes |
| Custom Encryption Settings | ✓ Yes (some plans) | ✓ Yes | ✗ No | ✗ No | ✓ Yes |
Note: Competitor information current as of October 2025. Verify with vendors for latest features.
Key Differentiators:
- Shapr3D offers more flexible deployment options than cloud-only CAD (Fusion 360, Onshape)
- Client-side processing architecture reduces data exposure compared to cloud-processing models
- Single-tenant option unique among modern CAD platforms
- 2FA gap addressed at enterprise SSO level
File Format Security
Import/Export:
- Native support: Shapr (.shapr), STEP, IGES, STL, OBJ
- Enterprise importers: NX, CATIA V5, JT, Parasolid (additional licensing)
- Export formats maintain data integrity for CNC and 3D printing workflows
Parasolid Kernel:
- Siemens Parasolid geometry kernel (same as NX, SolidWorks)
- Manufacturing-grade precision and reliability
- Industry-standard file compatibility
Incident Response
Security Incident Protocol:
- Documented incident response process
- Security team monitors threats continuously
- Customers notified of relevant security incidents per agreement terms
Vulnerability Disclosure:
- Bug bounty program active
- Security researchers can submit findings through official channels
- Regular vulnerability assessments and patching
Frequently Asked Questions
Data Storage & Access
Q: Where is my design data actually stored?
Alternative phrasings: "Where does Shapr3D store files?", "Data location for Shapr3D", "Which server hosts my CAD files?"
A: On Multi-Tenant and Single-Tenant plans, data is stored on AWS. Private Cloud and On-Premises plans store data in your infrastructure. In all cases, design processing happens on your local device.
Q: Can Shapr3D employees access my design files?
Alternative phrasings: "Who can see my CAD models?", "Does Shapr3D have access to my designs?", "Employee access to customer files"
A: On Private Cloud and On-Premises deployments, no—the architecture prevents access. On cloud-hosted plans, limited support personnel may access files only when you grant explicit permission for troubleshooting.
Q: Does Shapr3D work in air-gapped environments?
Alternative phrasings: "Offline CAD capability", "No internet required?", "Air-gap compatible CAD", "Classified network support"
A: Yes. On-Premises deployment supports complete disconnection from external networks.
Q: What happens if Shapr3D's cloud services are unavailable?
Alternative phrasings: "Offline mode?", "Work without internet?", "Cloud downtime impact", "Local file access"
A: You can continue working on local files. Sync and collaboration features require cloud connectivity, but modeling functionality remains available offline.
Security Audits & Compliance
Q: Can we conduct our own security audit?
Alternative phrasings: "Third-party security assessment allowed?", "Penetration testing permission", "Security audit rights"
A: Yes, for Private Cloud and On-Premises deployments, where you control the storage and its audit logs and can review all data storage access. For Shapr3D-hosted plans, the SOC 2 Type II report and third-party penetration test results are available under NDA in place of a customer-run audit.
Q: Is data encrypted during collaboration?
Alternative phrasings: "File sharing encryption", "Collaboration security", "Team sharing data protection"
A: Yes. All file transfers use TLS 1.2+ encryption. Files at rest are encrypted with AES-256.
Q: What certifications do you have for automotive/aerospace?
Alternative phrasings: "TISAX certification?", "Automotive compliance", "Aerospace security standards"
A: SOC 2 Type II and ISO 27001. TISAX certification status available upon request through sales team.
Q: How do you handle ITAR/EAR compliance?
Alternative phrasings: "Export control compliance", "Defense contractor requirements", "ITAR-compliant CAD"
A: On-Premises and Private Cloud deployments let customers keep all technical data in customer-controlled, US-based infrastructure, which covers the data-location part of ITAR compliance. ITAR also restricts who may access the data (for example, to US persons), so the customer's own identity and access controls on that deployment complete the picture. Contact sales for specific compliance documentation.
Authentication & Access Control
Q: Does Shapr3D support two-factor authentication?
Alternative phrasings: "2FA available?", "Multi-factor authentication", "MFA support"
A: Two-factor authentication is not currently available for end users. Organizations requiring 2FA should implement it at the SSO/identity provider level. Shapr3D supports SAML 2.0 SSO integration with enterprise identity providers that offer 2FA.
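When MFA is delegated to the identity provider, the service provider side still has to check that the provider actually performed it, otherwise a password-only session at the IdP satisfies the SSO handshake. The following is an added example, not Shapr3D's code, and it says nothing about how Shapr3D's own SAML integration validates assertions. It shows that check on a SAML 2.0 assertion: validity window, audience, and then MFA evidence either as an AuthnContextClassRef (the REFEDS MFA profile URI is used here) or as Microsoft Entra ID's `multipleauthn` value in the `authnmethodsreferences` attribute. The SP entity ID and the accepted context values are assumed policy, the assertions are constructed and unsigned, and XML signature verification is assumed to have been done already by a SAML library such as python3-saml.

```python
"""Service-provider check that the IdP performed MFA before a SAML 2.0
assertion is accepted. Added example, not Shapr3D's code. Assumes the XML
signature was already verified; entity ID and MFA context values are
assumed policy; sample assertions are constructed."""
import xml.etree.ElementTree as ET  # parse untrusted XML with defusedxml in production
from datetime import datetime, timezone
from typing import Tuple, Union

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SP_ENTITY_ID = "https://cad.example.com/saml/metadata"  # assumed SP entity ID
# Assumed policy: the REFEDS MFA profile context class, or Entra ID's
# multipleauthn value carried in the authnmethodsreferences attribute.
MFA_CONTEXTS = {"https://refeds.org/profile/mfa"}
ENTRA_AMR_ATTR = "http://schemas.microsoft.com/claims/authnmethodsreferences"
ENTRA_MFA_VALUE = "http://schemas.microsoft.com/claims/multipleauthn"
PASSWORD_CTX = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"


def _ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def mfa_satisfied(assertion_xml: str, now: Union[str, datetime]) -> Tuple[bool, str]:
    """Return (accept, reason) for an already signature-verified assertion."""
    now = _ts(now) if isinstance(now, str) else now
    root = ET.fromstring(assertion_xml)
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return False, "no Conditions element"
    if not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        return False, "assertion outside validity window"
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        return False, "audience mismatch"
    ctx = root.findtext("saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef",
                        default="", namespaces=NS).strip()
    if ctx in MFA_CONTEXTS:
        return True, f"MFA context {ctx}"
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == ENTRA_AMR_ATTR:
            values = {v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text}
            if ENTRA_MFA_VALUE in values:
                return True, "authnmethodsreferences includes multipleauthn"
    return False, f"no MFA evidence (context={ctx or 'none'})"


def sample_assertion(context: str, amr_values=()) -> str:
    """Constructed, unsigned assertion for illustration only."""
    amr = "".join(f"<saml:AttributeValue>{v}</saml:AttributeValue>" for v in amr_values)
    attrs = (f'<saml:AttributeStatement><saml:Attribute Name="{ENTRA_AMR_ATTR}">{amr}'
             "</saml:Attribute></saml:AttributeStatement>") if amr_values else ""
    return f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1" Version="2.0" IssueInstant="2025-10-24T09:00:00Z">
  <saml:Issuer>https://idp.example.com/</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2025-10-24T09:00:00Z" NotOnOrAfter="2025-10-24T09:05:00Z">
    <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2025-10-24T09:00:00Z">
    <saml:AuthnContext><saml:AuthnContextClassRef>{context}</saml:AuthnContextClassRef></saml:AuthnContext>
  </saml:AuthnStatement>
  {attrs}
</saml:Assertion>"""


if __name__ == "__main__":
    now = "2025-10-24T09:01:00Z"
    print(mfa_satisfied(sample_assertion("https://refeds.org/profile/mfa"), now))
    print(mfa_satisfied(sample_assertion(PASSWORD_CTX), now))
    print(mfa_satisfied(sample_assertion(PASSWORD_CTX, [ENTRA_MFA_VALUE]), now))
    print(mfa_satisfied(sample_assertion("https://refeds.org/profile/mfa"), "2025-10-24T09:10:00Z"))
```

The second call is the case that matters for this page: a valid, in-window, correctly addressed assertion that only proves a password login is rejected, because nothing downstream will add a second factor. Which context class or attribute your identity provider emits for MFA is provider-specific, so confirm it against a real assertion before encoding it in policy.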
Q: Can we integrate with Active Directory?
Alternative phrasings: "AD integration", "Azure AD support", "LDAP compatibility", "SSO setup"
A: Yes. Shapr3D supports SAML 2.0 SSO, which integrates with Microsoft Entra ID (formerly Azure AD), Okta, and other SAML 2.0 identity providers. The integration is SAML-based, so an on-premises Active Directory domain connects through a SAML federation service such as AD FS rather than directly.
Data Sovereignty & Regional Requirements
Q: Can we choose which AWS region stores our data?
Alternative phrasings: "Data residency options", "Geographic data location", "Regional data storage", "EU data hosting"
A: Yes, on Single-Tenant, Private Cloud, and On-Premises plans. Multi-Tenant plans use Shapr3D's default regions (primarily Ireland/EEA).
Q: Is Shapr3D GDPR compliant?
Alternative phrasings: "European data protection", "GDPR certification", "EU privacy compliance"
A: Yes. Shapr3D is fully GDPR compliant. Data Processing Agreements (DPA) are available for enterprise customers, and users have full rights to access, correct, delete, and port their data.
Incident Response & Monitoring
Q: How are security incidents handled?
Alternative phrasings: "Security breach protocol", "Incident notification", "Data breach response"
A: Shapr3D maintains a documented incident response process. Customers are notified of relevant security incidents according to agreement terms and applicable regulations. Third-party security monitoring operates continuously.
Q: Do you have a bug bounty program?
Alternative phrasings: "Vulnerability disclosure program", "Security researcher program", "Responsible disclosure"
A: Yes. Security researchers can submit vulnerability findings through Shapr3D's official security channels. Regular third-party penetration testing is also conducted.
Deployment Decision Guide
Use this decision tree to select the right deployment model:
START: What is your primary security requirement?
→ Need fastest setup, standard security is acceptable
- Choose: Multi-Tenant Cloud
- Setup: Instant
- Good for: Small teams, non-regulated industries, speed priority
→ Need data isolation, but don't want to manage infrastructure
- Choose: Single-Tenant Cloud
- Setup: Instant
- Good for: Data sovereignty requirements, mid-size enterprises
→ Need complete data control and can operate object storage in AWS/Azure/GCP
- Choose: Private Cloud
- Setup: 1-2 weeks
- Good for: Large enterprises, regulated industries, need auditability
- Not comfortable operating public cloud storage? Consider On-Premises (next option)
→ Must keep data on internal network (air-gap/classified work)
- Choose: On-Premises
- Setup: 2-4 weeks
- Good for: Defense contractors, air-gapped environments, ITAR compliance, maximum security
Industry-Specific Recommendations:
| Industry | Recommended Deployment | Key Reason |
| --- | --- | --- |
| Automotive Manufacturing | Single-Tenant or Private Cloud | TISAX requirements, data sovereignty |
| Aerospace & Defense | On-Premises | ITAR/EAR compliance, classified work |
| Consumer Products | Multi-Tenant or Single-Tenant | Speed to market, standard security |
| Medical Devices | Private Cloud or On-Premises | Data control, future HIPAA readiness |
| Industrial Equipment | Single-Tenant or Private Cloud | IP protection, supplier collaboration |
| Startups & SMB | Multi-Tenant | Cost-effective, quick deployment |
Resources & Contacts
For Security Inquiries:
- Enterprise Sales: Contact your Account Executive
- Security Team: Available through Trust Center
- Compliance Documentation: Available upon request for qualified prospects
Request Materials:
- SOC 2 Type II report
- ISO 27001 certificate
- Data Processing Agreement (DPA)
- Security questionnaire responses
- Penetration test results (under NDA)
Glossary of Security Terms
AES-256 Encryption: Advanced Encryption Standard with 256-bit key length. Industry-standard encryption method used for data at rest.
Air-Gap: Complete physical isolation from external networks. No internet or network connectivity.
Client-Side Processing: Computing operations performed on the user's device rather than on remote servers. Keeps design data local.
Data Processing Agreement (DPA): Legal contract defining how personal data is handled, required for GDPR compliance.
GDPR: General Data Protection Regulation. European Union law governing data protection and privacy.
ISO 27001: International standard for information security management systems (ISMS).
ITAR: International Traffic in Arms Regulations. US export control regulations for defense-related articles and services.
Multi-Tenant: Architecture where multiple customers share the same infrastructure with logical separation.
On-Premises (On-Prem): Software deployed and run on customer's own infrastructure and physical location.
Pre-Signed URL: Temporary URL carrying a signature that grants time-limited access to one resource for one operation, without giving the holder the underlying storage credentials. The URL is itself a bearer credential: anyone who obtains it can use it until it expires.
Private Cloud: Cloud infrastructure dedicated to a single organization, can be managed by the organization or third party.
S3-Compatible Storage: Object storage system that uses Amazon S3 API standards. Allows flexibility in storage providers.
SAML 2.0: Security Assertion Markup Language. Standard for exchanging authentication and authorization data between parties.
Single Sign-On (SSO): Authentication scheme allowing users to access multiple systems with one set of login credentials.
Single-Tenant: Architecture where each customer has their own dedicated infrastructure instance.
SOC 2 Type II: Service Organization Control 2 audit report. A Type I report assesses the design of security controls at a point in time; a Type II report also tests that the controls operated effectively over a review period (typically six to twelve months).
TLS 1.2+: Transport Layer Security version 1.2 or higher. Protocol for encrypting data in transit over networks.
TISAX: Trusted Information Security Assessment Exchange. Automotive industry security assessment standard.
This document contains factual information current as of October 2025. For the most up-to-date security information, visit the Shapr3D Trust Center or contact your Account Executive.