How to report a security issue
If you believe you have found a vulnerability or that an account has been compromised, please contact us before disclosing publicly. Email privacy@corpbolt.com with subject SECURITY REPORT, or call +1 (307) 300-2206.
For active account-takeover incidents, also send a copy to hello@corpbolt.com.
We aim to acknowledge within 2 business days. We do not pursue legal action against security researchers acting in good faith under the rules in §7.
Security principles
- Least privilege. People and services get only the access they need.
- Defense in depth. Multiple, independent controls protect each asset.
- Encrypt by default. Data is encrypted at rest and in transit.
- Audit by design. High-risk actions are logged and reviewable.
- Vendor due diligence. Subprocessors are screened, contractually bound, and monitored.
- Continuous improvement. Security debt is tracked and burned down over time.
Data protection
3.1Encryption
- In transit: TLS across customer-facing endpoints; HTTP Strict Transport Security (HSTS) enabled at the edge.
- At rest: Supabase Postgres and Supabase Storage are encrypted at rest by the platform.
- Payment data: card data is collected by Stripe through Stripe Elements and tokenized in Stripe. CORPBOLT does not store full payment-card numbers.
- Secrets: stored in Supabase Edge Function secret stores and the Railway environment; never in source control. Rotated on suspected compromise.
3.2Network security
- Cloudflare in front of public surfaces (WAF, DDoS mitigation, bot management at the edge).
- Caddy reverse proxy with strict security headers (HSTS, X-Content-Type-Options, frame-ancestors / X-Frame-Options, Referrer-Policy, Permissions-Policy, Content-Security-Policy).
- Application surfaces hosted on Railway.
- Bunny.net CDN with hash-based immutable caching for static assets.
3.3Application security
- AuthN. Supabase Auth (email, magic link, OAuth where enabled, TOTP MFA). Credentials are hashed.
- AuthZ. Role-based access (customer, agent, admin); sensitive mutations go through Supabase Edge Functions using the service-role key rather than the client anon key.
- Bot / abuse. Google reCAPTCHA on signup, sign-in, password reset, and high-value forms.
- Input validation. Server-side validation with Zod schemas; React Hook Form on the client.
- Output encoding. React's auto-escaping; HTML-stripping for rich-text content where embedded.
- Dependency hygiene. Automated vulnerability scanning and lockfile management.
- Build supply chain. Reproducible Docker builds; no hook bypass flags during release.
3.4Backups and disaster recovery
- Daily logical backups of Supabase Postgres, retained for 35 days (rolling).
- Storage objects versioned where the bucket configuration supports it.
- Recovery Time Objective and Recovery Point Objective defined internally and reviewed through periodic tabletop testing.
3.5Access controls
- Staff access. MFA is required for admin roles. Role-based access via Supabase and the identity provider, with the principle of least privilege.
- Joiners / movers / leavers. Access is provisioned and revoked on role change or departure.
- Privileged actions. Database admin actions and production deploys are logged and reviewable.
3.6Logging and monitoring
- Application and access logs in Supabase and Railway with retention sufficient to investigate incidents.
- Sentry browser error monitoring helps us investigate client-side failures and regressions; PostHog product analytics is consent-gated separately.
- Alerting on authentication anomalies, abuse signals, and security-relevant errors.
People and endpoint security
- Company laptops are full-disk-encrypted and kept current.
- Security-awareness training is provided to staff handling customer data.
- Acceptable Use rules require unique credentials, MFA where supported, and no credential sharing.
Vendor management
We engage third-party processors ("subprocessors") to deliver the Services. We sign written data-protection terms with our subprocessors where they handle Personal Data, and we review them periodically for security posture, geography, and reliability. We do not transfer Personal Data outside the categories disclosed in the Privacy Policy.
5.1Current subprocessor list
| Subprocessor | Role | Location |
|---|---|---|
| Supabase, Inc. | Auth, Postgres, storage, Edge Functions | United States |
| Railway Corp. | Container hosting for the application | United States |
| Cloudflare, Inc. | Edge WAF, DDoS, bot management | Global edge (US controller) |
| Bunny.net | CDN for static assets | Slovenia (EU controller) |
| Stripe, Inc. | Payment processing | United States |
| Google — reCAPTCHA | Bot / abuse detection | Global (US controller) |
| Sumsub | Identity verification (KYC / AML / sanctions; biometric face match and liveness with consent) | UK + EU, global SDK |
| Anvil Foundry, Inc. | E-signature and PDF generation for IRS Form SS-4 and related forms | United States |
| Twilio Inc. | Inbound SMS receipt only (signature-validated webhook). No outbound SMS today. | United States |
| Resend | Transactional email | United States |
| Intercom | Live chat for support | United States / regional hosting as configured in Intercom |
| Sentry (first-party reliability monitoring) | Browser error monitoring through api.corpbolt.com, with PII scrubbing | United States |
PostHog Inc. (proxied at t.corpbolt.com) | Product analytics + exception tracking | United States (EU region available) |
| Google Analytics 4 | Aggregate web analytics | Global (US controller) |
| Senja.io (consent-gated) | Testimonial toast, social proof display, and CTA/review interaction analytics | Global |
| Trustpilot A/S (consent-gated) | TrustBox review collector widget and review interaction analytics | Denmark / Global |
| Registered-agent provider (per state) | Statutory registered-agent service | United States (state-specific) |
| Business-address provider (per state) | Virtual business address, mail scan, forward | United States (state-specific) |
| Google Ads / Google Tag (consent-gated) | Paid-advertising delivery, measurement, conversion tracking, retargeting | Global (US / EU controllers) |
| Meta Pixel + CAPI (consent-gated) | Ad measurement, attribution, retargeting, audience building | US + Ireland |
| LinkedIn Insight (consent-gated) | B2B ad measurement and conversion attribution | US + Ireland |
| Microsoft Advertising (UET) (consent-gated) | Ad measurement and conversion attribution | United States |
| TikTok Pixel (consent-gated) | Ad measurement and conversion attribution | Singapore + United States |
Advertising, social-proof, and measurement platforms are used or may be used depending on active campaigns and your consent. The live status for each tool is shown in the Cookie Settings dialog and applied through Google Consent Mode v2 and the equivalent Meta / LinkedIn / Microsoft / TikTok consent signalling APIs.
5.2What's not in production today
The following are sometimes assumed in legal templates but are not currently active at CORPBOLT: Microsoft Clarity, Cloudflare Turnstile, and outbound SMS (we only receive inbound SMS via Twilio).
The advertising and measurement platforms above are disclosed forward-looking: they will be wired through the CMP and Google Consent Mode v2 (or the equivalent Meta / LinkedIn / Microsoft / TikTok consent API) before they are activated, and the live status is reflected in the Cookie Settings dialog.
We have never sent to any advertising or analytics platform: government identifiers (SSN, ITIN, passport, DL, national ID), images of government IDs, biometric / KYC files, the content of any uploaded formation / EIN / Form 8821 / BOI / operating-agreement document, payment-card numbers, the contents of support tickets / chat transcripts / mail scans, or fields masked for session replay. See Privacy Policy.
5.3Banking and fintech partners (only on Customer instruction)
Banking partners (e.g., Mercury — Mercury Technologies, Inc.; Wise — Wise Payments Ltd.; or any other partner you select) are not subprocessors of CORPBOLT. We only share data with them when you direct us to. Their privacy notices govern their processing.
5.4Change notice
Material subprocessor changes are reflected on this page. To subscribe to notice of changes, email privacy@corpbolt.com with subject SUBSCRIBE — SUBPROCESSOR UPDATES. Business customers under a DPA receive at least 30 days' prior notice of new subprocessors.
Incident response
We follow a documented process:
- Detect — alerts from monitoring, vendor notices, user reports, or security research.
- Triage — severity rated; communications and technical leads notified.
- Contain — isolate affected systems; rotate credentials and keys as needed.
- Eradicate — remove the root cause.
- Recover — restore services with monitoring.
- Notify — notify regulators and affected individuals per applicable law and contracts:
- GDPR / UK GDPR: notify the supervisory authority within 72 hours of becoming aware of a personal-data breach where required; affected individuals "without undue delay" where high risk.
- U.S. state breach-notification laws: notify per each affected state's law.
- HIPAA: not in scope — we do not knowingly process PHI.
- Business customers under a DPA: notified per the DPA's commitments.
- Learn — post-incident review with documented corrective actions.
Coordinated disclosure rules
We welcome reports from security researchers. Rules of engagement:
- Test only against accounts you own, or accounts you have explicit written permission to test.
- No DDoS, no destructive testing, no social engineering of staff or customers.
- No accessing or downloading customer data beyond the minimum needed to demonstrate the issue.
- No public disclosure for 90 days or until we publish a fix, whichever is earlier.
- Provide a clear write-up at the channel in §1.
We do not currently operate a paid bug-bounty program. This may change.
Data Processing Addendum (DPA)
Business customers can request our DPA, which addresses:
- our role as Processor and Customer's role as Controller (or Processor on behalf of a controller);
- documented Customer instructions and confidentiality;
- the technical and organizational measures we apply;
- sub-processor authorization, change notice (≥ 30 days), and objection rights;
- assistance with data-subject requests, security obligations, breach notification, DPIAs, and consultation with supervisory authorities;
- audit and information-request rights;
- international transfers (EU SCCs Module 2 / 3, UK Addendum, Swiss adjustments, transfer-impact assessment);
- CCPA/CPRA Service Provider / Processor obligations;
- return or deletion on termination;
- liability allocated under the Terms of Service.
To request the DPA, email privacy@corpbolt.com with subject DPA REQUEST and a short description of your processing. We will return a signature-ready version.
Compliance posture
We are transparent about what we have and what we are working toward. We do not claim certifications we do not hold.
- SOC 2 Type II: not currently certified. We track readiness internally.
- ISO/IEC 27001: not currently certified. We track relevant controls internally.
- PCI DSS: Stripe handles card data so CORPBOLT's PCI scope is minimised. We complete the appropriate Self-Assessment Questionnaire (SAQ) tier for our Stripe-Elements + tokenized flow.
- HIPAA: not in scope; we do not process Protected Health Information.
- GDPR / UK GDPR / FADP: we process Personal Data per these laws — see Privacy Policy and DPA above.
- CCPA / CPRA + state privacy laws: see Privacy Policy.
- OFAC / AML screening: we screen new customers against U.S. OFAC, EU, UK OFSI, and UN consolidated lists, and apply ongoing monitoring.
Contact
For security disclosures, privacy questions, or DPA requests, reach our team using the details below.
CORPBOLT LLC
Security & Trust
Wyoming
1309 Coffeen Ave,
Ste 1200
Sheridan, WY 82801
Florida
4283 Express Ln,
Ste 6331-140
Sarasota, FL 34249
+1 (307) 300-2206
Related: Privacy Policy · Terms of Service · Accessibility