Security & Architecture

Last updated: June 13, 2026

Enterprise-grade security for your most sensitive company documents.

Your trust is at the heart of Corply. We implement defense-in-depth security practices to protect your formation documents, founder data, and cap table — ensuring the confidentiality, integrity, and availability of everything you entrust to us.

  • SOC 2 Type II: Certified
  • 256-bit Encryption: At rest & in transit
  • Annual Pentest: Independent audit
  • US Data Residency: AWS, United States

Data Privacy

Do you use customer data to train AI models?

No. We do not use your data to train our own models or any third-party models. Your company and founder information will never be used to train LLMs. Our AI providers contractually guarantee zero data retention and no training on your data.

Which AI providers do you use?

We use multiple AI providers to optimize for accuracy, speed, and cost when guiding your formation and generating documents. All providers guarantee not to retain or train on Corply customer data:

  • Anthropic
  • OpenAI
  • Google

What personal data do you store?

To form and maintain your company we store founder identity details, company information, formation and equity documents, EIN and tax IDs, cap table data, and billing information. Access is tightly controlled and used only to deliver the services you've requested.

Infrastructure & Security

Where is my data stored?

All customer data is stored on encrypted filesystems in PostgreSQL databases hosted on AWS cloud servers in the United States.

What exactly do you store?

  • Company & founder data: legal names, addresses, ownership percentages, and roles used to prepare your filings.
  • Formation documents: certificate of incorporation, bylaws, board and stockholder consents, stock purchase agreements, and 83(b) elections.
  • Cap table & equity: shares issued, option grants, and vesting schedules.
  • Billing data: handled by our payment processor; we never store full card numbers.

What security measures do you have in place?

We implement defense-in-depth with multiple layers of security controls:

  • Encryption: TLS 1.2+ for data in transit, AES-256 for data at rest
  • SOC 2 Type II compliance: independently audited and certified
  • Regular security testing: annual penetration testing and continuous scanning
  • Infrastructure security: AWS provides enterprise-grade physical and network security
  • Secure authentication: SSO and OAuth 2.0, no plaintext password storage
  • Data isolation: logical separation of customer data with row-level security policies

How do you protect my legal documents?

Every document is encrypted at rest, fully versioned, and access-logged. E-signatures are captured with a tamper-evident audit trail, so you always have verifiable proof of who signed what and when.

What are your backup and disaster recovery capabilities?

  • Automated backups: daily backups of all customer data
  • Recovery Time Objective (RTO): maximum 24 hours
  • Recovery Point Objective (RPO): maximum 24 hours
  • Backup retention: 7 days, up to 14 days during active incident investigations

Compliance & Auditing

What compliance certifications do you hold?

  • SOC 2 Type II: independently audited and certified
  • GDPR & CCPA: aligned with global privacy regulations
  • Annual penetration test: conducted by an independent security firm

Can I get a copy of your penetration test results?

Yes. We conduct annual penetration testing by independent security firms. We can share the executive summary with prospective enterprise customers under NDA. Contact us at privacy@corply.dev to request a copy.

How often do you conduct security audits?

  • Annual: SOC 2 audit and third-party penetration test
  • Continuous: automated security scanning of our platform and infrastructure

How do you handle data breaches?

In the unlikely event of a data breach, we follow a strict incident response protocol:

  • Notification: affected customers notified within 72 hours of discovery
  • Containment: immediate isolation of affected systems
  • Forensics: full analysis to determine scope and root cause
  • Remediation: implementation of fixes and preventive measures
  • Cooperation: full cooperation with relevant authorities and regulators

Your Data Control

Can I export my data?

Yes, at any time. Every document we generate and all of your cap table data can be exported in standard formats — your records are always yours to take with you.

Can I delete my data?

Yes. You can request deletion of your account and data at any time. We purge your data within 30 days, except where we are legally required to retain certain corporate records.

Who can access my data?

Access is strictly limited to authorized personnel who need it to provide support, all under confidentiality obligations and with every access logged.

Data Management

How long do you retain my data?

We retain your company records for as long as your account is active and for as long as required to meet legal and corporate-compliance obligations. After a deletion request, data is purged from active systems and backups within 30 days.

Where is my data processed?

Your data is stored and processed primarily in the United States on AWS infrastructure.

Subprocessors

Who are your subprocessors?

We rely on a small set of trusted subprocessors to deliver the service:

  • Amazon Web Services: cloud hosting and database infrastructure
  • Stripe: billing and payment processing
  • Anthropic, OpenAI & Google: AI-assisted document generation and guidance
  • E-signature provider: secure, audit-logged document signing

Resources

Where can I learn more?

For anything not covered here, reach our security team at privacy@corply.dev, or review our Terms of Service, Privacy Policy, and Data Processing Agreement.