ShapeDiver hosts and runs Grasshopper files for a wide range of applications, from internal engineering apps to public product configurators. What many of them have in common is that they encode important internal know-how about design or production processes that our customers need to protect — and they trust us to protect it for them.
We have always taken this trust very seriously, and our robust security posture is a main differentiator between ShapeDiver and custom-built in-house solutions, for example based on Rhino.Compute. But in the end, without verification, that is just another claim that reads nicely on a website.
We have onboarded many large and sophisticated businesses in the past, and we were always able to convince them that we are the most secure option to run Grasshopper in a centralized way. But security audits quickly became a significant, and painful, part of our typical onboarding journey.
Certification is the name of the game
This issue is essentially the whole reason information security certifications exist, and it became clear to us early on that we wanted one. I began looking into the topic more than five years ago, and initially it seemed pretty straightforward. In essence, most of the tasks required by an information security management system (ISMS) meant doing the same things we — and any sensible provider of an IT service — were doing already. Most of it was familiar territory:
- Making sure to track anything that goes wrong, and consistently report and fix it.
- Providing access to data only on a need-to-know basis, and properly monitoring it.
- Keeping our access security up-to-date and up to technical standards.
- Ensuring every team member knows how to handle their devices in public places and doesn't use public WiFi.
So my first impression was that this shouldn't be all that difficult for us. But of course, the main difference between just doing things the right way and being certified is documentation. And that turns out to be a pretty hard nut to crack, especially if you don't have a dedicated full-time data security officer on your team to set up, maintain, and enforce it for you.
This already starts with step one: writing all your internal policies. Reading the requirements for SOC 2 and ISO 27001 — the two most common information security certifications around — it is pretty hard to understand which requirements are set in stone and where you have flexibility to adjust things to fit your team size. Most official guides are written for companies with hundreds or thousands of employees, dozens of departments, and numerous dedicated security roles. And even if you can come up with reasonable yet compliant policies, continuously collecting all the different types of proof an auditor will ask for quickly becomes an administrative nightmare without the right set of tools.
False start
Around 2022, we felt the time was right for us to get this done, and there was a growing number of online services advertising quick, painless certification. We were very motivated, but our first attempt ended in failure after many months. In retrospect, I think the reason was a combination of the tool we used not being a good fit for our team and the process dragging on so long that we kept losing sight of the big picture.
Abandoning this effort was a bit of a blow because we had spent quite a lot of time on it, but in retrospect, it helped us understand what to look for in any new setup. We started our second try in early 2025, and this time we got SOC 2 Type 1 done by November and were fully Type 2 certified by Q1 2026. I'm not going to tell you it was easy or quick — for a team of our size, it was still a major effort to put everything in place and to consistently keep at it for a year. But making a few good decisions at the beginning was the difference between another failure and continuous progress.
Three early decisions made the difference:
1. Choose the right platform for your stack
While we ended up using Drata for our security management (shout out to Dimitrie and Moritz from Speckle for the recommendation) and it works very well for us, I think this is a choice every team needs to make based on their requirements, and especially their software stack. The better tools out there can automatically monitor tons of security markers on common cloud providers, and this saves you an incalculable amount of setup and monitoring time. Make sure whatever tool you choose covers as much of your stack as possible from the start, and ideally has integrations into any HR, background check, and other administrative tools you use. Many compliance tasks will need to be done continuously for the life of your company, so every single one you can automate is a big win.
2. Choose your auditor early
Getting to know your auditors and their expectations early on allows you to cut a large amount of work from the process, especially if you are a smaller team. There are tons of things that are written to apply to large businesses by default, and only your auditor can tell you what's really required for your specific case. Also make sure your auditor is fluent in whatever security platform you have chosen, to avoid unnecessary friction during your reviews. In our case, frequent discussions with our auditors during the process meant that the final review was done in a matter of days.
3. Get your team on board
At ShapeDiver, every team member has a specialty and covers lots of ground that no one else is a real expert in. This means that everyone is, to a certain degree, a security owner for a part of the product, and the whole team needs to understand what you are doing there, and especially why. As we were setting up our system in Drata, we got lots of valuable feedback and suggestions from our team, and as a result, our ISMS is now something they can identify with as an important (if not necessarily beloved) part of how we do our work. Simply enforcing something on everyone without consultation may work at a Fortune 500, but it is bound to fail for a team like ours, in my opinion.
Smooth sailing from here?
Once the system is fully in place, the first few weeks are beautiful to work with. You are reminded when something important comes up, for example a periodic review of a vendor or a background check. When something unexpected happens, you have policies to consult and know that everyone else will act on the same principles.
And when something goes wrong, there's a full record of what happened, why, how it was resolved, and what needs to be improved to avoid it in the future. Of course, creating all this information is still work that needs to be done, and decisions need to be made under pressure. But the clarity provided by the standards you and your team defined means that all (or most) of the stuff you "should have thought about in advance" has actually been taken care of, and doesn't add additional stress to an already difficult situation.
Your ISMS is an ongoing work in progress, so you can't expect it ever to be finished. We've only been certified for a few months, but have already gone through several rounds of improvements after discovering things that didn't work as smoothly as expected. But leaving the reputational effect aside, I feel much better now that I always have a bird's-eye view of our security posture and any issues that come up.
Grasshopper in the cloud — scalable and secure
At ShapeDiver, we've always been Grasshopper enthusiasts, and we're more convinced than ever of its potential as a serious programming paradigm for subject-matter experts and their geometry-heavy problems. With versioning, upload from within Grasshopper, and many other convenience features either done or in progress, we're doubling down on Grasshopper as a stable, deterministic geometry engine. And with our AI Skills, we want to make it a full-fledged citizen of the new agentic coding paradigm.
But the basis of all these ambitions is security — and with our new SOC 2 Type 2 certification, everyone can verify that their Grasshopper files are safe and secure on our servers, while state-of-the-art access control systems make sure only duly authorized people (or agents) can access and work with them.
If you have questions, concerns, or an idea for a project using ShapeDiver, we'd be excited to hear from you at contact@shapediver.com!