Security & Trust

Security & Trust

How we protect the data we hold, the subprocessors we work with, and how to request our Data Processing Addendum.

10 Sections
Created: 26 May 2026
Last Updated: 26 May 2026
1

How to report a security issue

If you believe you have found a vulnerability or that an account has been compromised, please contact us before disclosing publicly. Email privacy@corpbolt.com with subject SECURITY REPORT, or call +1 (307) 300-2206.

For active account-takeover incidents, also send a copy to hello@corpbolt.com.

We aim to acknowledge within 2 business days. We do not pursue legal action against security researchers acting in good faith under the rules in §7.

2

Security principles

  • Least privilege. People and services get only the access they need.
  • Defense in depth. Multiple, independent controls protect each asset.
  • Encrypt by default. Data is encrypted at rest and in transit.
  • Audit by design. High-risk actions are logged and reviewable.
  • Vendor due diligence. Subprocessors are screened, contractually bound, and monitored.
  • Continuous improvement. Security debt is tracked and burned down over time.
3

Data protection

3.1Encryption

  • In transit: TLS across customer-facing endpoints; HTTP Strict Transport Security (HSTS) enabled at the edge.
  • At rest: Supabase Postgres and Supabase Storage are encrypted at rest by the platform.
  • Payment data: card data is collected by Stripe through Stripe Elements and tokenized in Stripe. CORPBOLT does not store full payment-card numbers.
  • Secrets: stored in Supabase Edge Function secret stores and the Railway environment; never in source control. Rotated on suspected compromise.

3.2Network security

  • Cloudflare in front of public surfaces (WAF, DDoS mitigation, bot management at the edge).
  • Caddy reverse proxy with strict security headers (HSTS, X-Content-Type-Options, frame-ancestors / X-Frame-Options, Referrer-Policy, Permissions-Policy, Content-Security-Policy).
  • Application surfaces hosted on Railway.
  • Bunny.net CDN with hash-based immutable caching for static assets.

3.3Application security

  • AuthN. Supabase Auth (email, magic link, OAuth where enabled, TOTP MFA). Credentials are hashed.
  • AuthZ. Role-based access (customer, agent, admin); sensitive mutations go through Supabase Edge Functions using the service-role key rather than the client anon key.
  • Bot / abuse. Google reCAPTCHA on signup, sign-in, password reset, and high-value forms.
  • Input validation. Server-side validation with Zod schemas; React Hook Form on the client.
  • Output encoding. React's auto-escaping; HTML-stripping for rich-text content where embedded.
  • Dependency hygiene. Automated vulnerability scanning and lockfile management.
  • Build supply chain. Reproducible Docker builds; no hook bypass flags during release.

3.4Backups and disaster recovery

  • Daily logical backups of Supabase Postgres, retained for 35 days (rolling).
  • Storage objects versioned where the bucket configuration supports it.
  • Recovery Time Objective and Recovery Point Objective defined internally and reviewed through periodic tabletop testing.

3.5Access controls

  • Staff access. MFA is required for admin roles. Role-based access via Supabase and the identity provider, with the principle of least privilege.
  • Joiners / movers / leavers. Access is provisioned and revoked on role change or departure.
  • Privileged actions. Database admin actions and production deploys are logged and reviewable.

3.6Logging and monitoring

  • Application and access logs in Supabase and Railway with retention sufficient to investigate incidents.
  • Sentry browser error monitoring helps us investigate client-side failures and regressions; PostHog product analytics is consent-gated separately.
  • Alerting on authentication anomalies, abuse signals, and security-relevant errors.
4

People and endpoint security

  • Company laptops are full-disk-encrypted and kept current.
  • Security-awareness training is provided to staff handling customer data.
  • Acceptable Use rules require unique credentials, MFA where supported, and no credential sharing.
5

Vendor management

We engage third-party processors ("subprocessors") to deliver the Services. We sign written data-protection terms with our subprocessors where they handle Personal Data, and we review them periodically for security posture, geography, and reliability. We do not transfer Personal Data outside the categories disclosed in the Privacy Policy.

5.1Current subprocessor list

SubprocessorRoleLocation
Supabase, Inc.Auth, Postgres, storage, Edge FunctionsUnited States
Railway Corp.Container hosting for the applicationUnited States
Cloudflare, Inc.Edge WAF, DDoS, bot managementGlobal edge (US controller)
Bunny.netCDN for static assetsSlovenia (EU controller)
Stripe, Inc.Payment processingUnited States
Google — reCAPTCHABot / abuse detectionGlobal (US controller)
SumsubIdentity verification (KYC / AML / sanctions; biometric face match and liveness with consent)UK + EU, global SDK
Anvil Foundry, Inc.E-signature and PDF generation for IRS Form SS-4 and related formsUnited States
Twilio Inc.Inbound SMS receipt only (signature-validated webhook). No outbound SMS today.United States
ResendTransactional emailUnited States
IntercomLive chat for supportUnited States / regional hosting as configured in Intercom
Sentry (first-party reliability monitoring)Browser error monitoring through api.corpbolt.com, with PII scrubbingUnited States
PostHog Inc. (proxied at t.corpbolt.com)Product analytics + exception trackingUnited States (EU region available)
Google Analytics 4Aggregate web analyticsGlobal (US controller)
Senja.io (consent-gated)Testimonial toast, social proof display, and CTA/review interaction analyticsGlobal
Trustpilot A/S (consent-gated)TrustBox review collector widget and review interaction analyticsDenmark / Global
Registered-agent provider (per state)Statutory registered-agent serviceUnited States (state-specific)
Business-address provider (per state)Virtual business address, mail scan, forwardUnited States (state-specific)
Google Ads / Google Tag (consent-gated)Paid-advertising delivery, measurement, conversion tracking, retargetingGlobal (US / EU controllers)
Meta Pixel + CAPI (consent-gated)Ad measurement, attribution, retargeting, audience buildingUS + Ireland
LinkedIn Insight (consent-gated)B2B ad measurement and conversion attributionUS + Ireland
Microsoft Advertising (UET) (consent-gated)Ad measurement and conversion attributionUnited States
TikTok Pixel (consent-gated)Ad measurement and conversion attributionSingapore + United States

Advertising, social-proof, and measurement platforms are used or may be used depending on active campaigns and your consent. The live status for each tool is shown in the Cookie Settings dialog and applied through Google Consent Mode v2 and the equivalent Meta / LinkedIn / Microsoft / TikTok consent signalling APIs.

5.2What's not in production today

The following are sometimes assumed in legal templates but are not currently active at CORPBOLT: Microsoft Clarity, Cloudflare Turnstile, and outbound SMS (we only receive inbound SMS via Twilio).

The advertising and measurement platforms above are disclosed forward-looking: they will be wired through the CMP and Google Consent Mode v2 (or the equivalent Meta / LinkedIn / Microsoft / TikTok consent API) before they are activated, and the live status is reflected in the Cookie Settings dialog.

We have never sent to any advertising or analytics platform: government identifiers (SSN, ITIN, passport, DL, national ID), images of government IDs, biometric / KYC files, the content of any uploaded formation / EIN / Form 8821 / BOI / operating-agreement document, payment-card numbers, the contents of support tickets / chat transcripts / mail scans, or fields masked for session replay. See Privacy Policy.

5.3Banking and fintech partners (only on Customer instruction)

Banking partners (e.g., Mercury — Mercury Technologies, Inc.; Wise — Wise Payments Ltd.; or any other partner you select) are not subprocessors of CORPBOLT. We only share data with them when you direct us to. Their privacy notices govern their processing.

5.4Change notice

Material subprocessor changes are reflected on this page. To subscribe to notice of changes, email privacy@corpbolt.com with subject SUBSCRIBE — SUBPROCESSOR UPDATES. Business customers under a DPA receive at least 30 days' prior notice of new subprocessors.

6

Incident response

We follow a documented process:

  1. Detect — alerts from monitoring, vendor notices, user reports, or security research.
  2. Triage — severity rated; communications and technical leads notified.
  3. Contain — isolate affected systems; rotate credentials and keys as needed.
  4. Eradicate — remove the root cause.
  5. Recover — restore services with monitoring.
  6. Notify — notify regulators and affected individuals per applicable law and contracts:
    • GDPR / UK GDPR: notify the supervisory authority within 72 hours of becoming aware of a personal-data breach where required; affected individuals "without undue delay" where high risk.
    • U.S. state breach-notification laws: notify per each affected state's law.
    • HIPAA: not in scope — we do not knowingly process PHI.
    • Business customers under a DPA: notified per the DPA's commitments.
  7. Learn — post-incident review with documented corrective actions.
7

Coordinated disclosure rules

We welcome reports from security researchers. Rules of engagement:

  • Test only against accounts you own, or accounts you have explicit written permission to test.
  • No DDoS, no destructive testing, no social engineering of staff or customers.
  • No accessing or downloading customer data beyond the minimum needed to demonstrate the issue.
  • No public disclosure for 90 days or until we publish a fix, whichever is earlier.
  • Provide a clear write-up at the channel in §1.

We do not currently operate a paid bug-bounty program. This may change.

8

Data Processing Addendum (DPA)

Business customers can request our DPA, which addresses:

  • our role as Processor and Customer's role as Controller (or Processor on behalf of a controller);
  • documented Customer instructions and confidentiality;
  • the technical and organizational measures we apply;
  • sub-processor authorization, change notice (≥ 30 days), and objection rights;
  • assistance with data-subject requests, security obligations, breach notification, DPIAs, and consultation with supervisory authorities;
  • audit and information-request rights;
  • international transfers (EU SCCs Module 2 / 3, UK Addendum, Swiss adjustments, transfer-impact assessment);
  • CCPA/CPRA Service Provider / Processor obligations;
  • return or deletion on termination;
  • liability allocated under the Terms of Service.

To request the DPA, email privacy@corpbolt.com with subject DPA REQUEST and a short description of your processing. We will return a signature-ready version.

9

Compliance posture

We are transparent about what we have and what we are working toward. We do not claim certifications we do not hold.

  • SOC 2 Type II: not currently certified. We track readiness internally.
  • ISO/IEC 27001: not currently certified. We track relevant controls internally.
  • PCI DSS: Stripe handles card data so CORPBOLT's PCI scope is minimised. We complete the appropriate Self-Assessment Questionnaire (SAQ) tier for our Stripe-Elements + tokenized flow.
  • HIPAA: not in scope; we do not process Protected Health Information.
  • GDPR / UK GDPR / FADP: we process Personal Data per these laws — see Privacy Policy and DPA above.
  • CCPA / CPRA + state privacy laws: see Privacy Policy.
  • OFAC / AML screening: we screen new customers against U.S. OFAC, EU, UK OFSI, and UN consolidated lists, and apply ongoing monitoring.
10

Contact

For security disclosures, privacy questions, or DPA requests, reach our team using the details below.

CORPBOLT LLC

Security & Trust

Wyoming

1309 Coffeen Ave,
Ste 1200
Sheridan, WY 82801

Florida

4283 Express Ln,
Ste 6331-140
Sarasota, FL 34249

End of Security & Trust

AskAI

How CORPBOLT forms your U.S. company from anywhere?

CORPBOLT

We handle your LLC formation, EIN filing, and corporate documents, everything international founders need to operate as a legitimate US business.

CORPBOLT LLC

Wyoming

1309 Coffeen Ave,
Ste 1200
Sheridan, WY 82801

Customer Support

Available 24 hours · 7 days a week

Company

© 2026 CORPBOLT LLC. All Rights Reserved.

Disclaimer: Services provided under the CORPBOLT brand are operated by CORPBOLT LLC, a company registered in the state of Wyoming. Neither CORPBOLT LLC nor CORPBOLT is a law firm, CPA firm, tax advisor, or financial institution, and neither provides legal, tax, or financial advice. Use of our services does not create an attorney-client relationship or any other fiduciary relationship.

We are a technology-enabled document filing service that provides general procedural assistance based strictly on your instructions. You are solely responsible for ensuring the accuracy, sufficiency, and legality of all information and documents you provide to us.

Third-Party Trademarks: All third-party names, logos, and trademarks displayed on this site are the property of their respective owners. Use of these names and logos is for identification purposes only.

Testimonials, reviews, and statistics presented on this site represent individual experiences. Your access to and use of this website and our services are governed by our Terms of Service and Privacy Policy.