Security FAQ
Last updated: July 4, 2026
Common questions from customers, auditors, and financial-institution partners about how CORPYO protects data and operates securely.
Is CORPYO SOC 2 or ISO 27001 certified?
Not yet. CORPYO does not currently hold SOC 2, ISO 27001, ISO 27701, or CSA STAR certification. We publish an honest roadmap of our progress toward these certifications at /trust/certifications — we would rather be transparent about where we are than imply a certification we do not hold.
How is my data encrypted?
Data is encrypted in transit using TLS 1.2+ and at rest using AES-256. Passwords are hashed, never stored in plaintext. Full detail is on our Encryption page.
Where is my data hosted?
CORPYO's infrastructure runs on Vercel and AWS across multiple regions, behind Cloudflare's global network. See Infrastructure for architecture detail and Sub-processors for the full list of vendors involved in delivering the platform.
Who can access my data internally?
Access follows least privilege and role-based access control: only staff whose role requires it (for example, compliance review of KYC documents, or support responding to a ticket you raised) can access your records, and that access is logged. See Access Control and Audit Logging.
Do you sell my data?
No. CORPYO does not sell personal data. Our data-sharing practices are described in full in our Privacy Policy.
What happens if there's a security incident?
We follow a documented incident response process covering detection, containment, investigation, recovery, and customer notification. Where an incident affects your personal data, we notify you in line with applicable law. See Incident Response.
How do I report a vulnerability?
Email security@corpyo.com or see our Responsible Disclosure policy for scope, process, and our safe-harbor commitment to good-faith researchers.
Do you offer a Data Processing Agreement (DPA)?
Yes. Our GDPR-ready DPA is published at /trust/dpa, and customers who need a signed, entity-specific copy can request one via security@corpyo.com.
What are your backup and recovery practices?
We run automated, encrypted backups with defined recovery objectives. See Business Continuity for detail, and our live System Status page for current platform health.
How can I get more detail for my own due-diligence process?
We're glad to work directly with security and compliance teams — including at financial-institution partners — evaluating CORPYO. Email security@corpyo.com with your questionnaire or specific questions.