Security Program
Last updated: July 4, 2026
CORPYO builds and operates a company-formation platform that handles sensitive identity, corporate, and financial information for founders around the world. Security is not a bolt-on feature — it is a design constraint across every layer of our stack, from the network edge to the code our engineers ship. This page describes the program in detail. For the certifications roadmap, see Certifications; for how to report a vulnerability, see Responsible Disclosure.
Infrastructure Security
Production infrastructure runs on Vercel (application layer, edge functions) and AWS (data storage, background processing, secrets) behind Cloudflare's global network. Every environment is provisioned through infrastructure-as- code so that configuration is versioned, reviewed, and reproducible rather than made by hand against a live system. Production, staging, and development environments are logically and network-isolated from one another; engineers do not have standing access to production data stores from local machines. See Infrastructure for architecture detail.
Network Security
All traffic enters through Cloudflare's edge network, which provides DDoS mitigation, a managed Web Application Firewall (WAF), and bot mitigation before a request ever reaches an origin server. Origins are not directly reachable from the public internet — only Cloudflare's edge IP ranges are permitted inbound. Internal service-to-service traffic is authenticated and encrypted, and administrative access to cloud infrastructure requires a VPN or zero-trust access broker plus multi-factor authentication (MFA). Network segmentation separates the application tier, database tier, and background-job tier so a compromise of one component does not automatically expose the others.
Application Security
Our engineering team follows secure coding practices informed by the OWASP Top 10 and OWASP ASVS. Every change to the application ships through code review, automated static analysis, and dependency vulnerability scanning before merge. We use parameterized queries and an ORM to prevent injection, output encoding and a strict Content-Security-Policy to reduce cross-site scripting risk, anti-CSRF tokens on state-changing requests, and rate limiting on authentication and other abuse-prone endpoints. Third-party dependencies are scanned continuously for known vulnerabilities (CVEs), and critical findings are patched on an expedited timeline.
Encryption
Data is encrypted in transit using TLS 1.2+ everywhere, and at rest using industry-standard AES-256 encryption for databases, object storage, and backups. See Encryption for full detail on our TLS configuration, key management, password hashing, and secrets management.
Access Control
Access to production systems and customer data follows the principle of least privilege: employees are granted only the access required for their role, access is reviewed periodically, and it is revoked immediately on role change or offboarding. Multi-factor authentication is mandatory for all employee accounts with access to production systems, customer data, or source code. Role-based access control (RBAC) governs both internal tooling and the CORPYO product itself. See Access Control for detail, and Audit Logging for how access is recorded and reviewed.
Vulnerability Management
We run continuous automated vulnerability scanning across our application and dependency surface, and we periodically commission independent security testing (penetration testing) of the platform. Findings are triaged by severity using a CVSS-informed scale, tracked to remediation with SLA-based targets, and re-tested before closure. We also operate a public vulnerability disclosure program — see Responsible Disclosure — so external researchers can report issues safely and in good faith.
Monitoring
Infrastructure, application, and security telemetry (logs, metrics, and traces) are centralized and monitored continuously. Automated alerting notifies on-call engineers of anomalies — unusual authentication patterns, error-rate spikes, unauthorized access attempts, and infrastructure health issues — around the clock. Security-relevant events are retained for audit purposes; see Audit Logging.
Secure Development Lifecycle (SDLC)
Security is embedded across our software delivery pipeline: design review for features touching sensitive data or authentication, mandatory peer code review, automated testing (unit, integration, and security linting) in continuous integration, staged rollouts with the ability to roll back quickly, and a formal change-management process for production infrastructure changes. Secrets are never committed to source control; they are stored in a managed secrets service and injected at runtime.
Incident Response
CORPYO maintains a documented incident response plan covering detection, triage, containment, eradication, recovery, and customer notification. See Incident Response for the full lifecycle and our approach to timely, transparent customer communication.
Employee Security
All employees and contractors complete security and privacy awareness training during onboarding and on a recurring basis thereafter, covering phishing, social engineering, secure handling of customer data, and our incident-reporting process. Background checks are performed where permitted by local law prior to granting access to production systems or customer data. Access is provisioned on a least-privilege, role-based basis and is deprovisioned immediately upon offboarding. Company-issued devices are encrypted, centrally managed, and enrolled in endpoint protection.
Physical Security
CORPYO does not operate its own data centers. All production infrastructure runs in the data centers of our cloud providers (AWS and Vercel's underlying infrastructure partners), which maintain SOC 2 / ISO 27001- aligned physical security controls including badge-controlled access, 24/7 monitoring, environmental controls, and redundant power. Our own corporate offices apply reasonable physical access controls for equipment that may connect to company systems, and remote employees are required to secure their home-office equipment per company policy.
Continuous Improvement
Our security program is reviewed and updated regularly to reflect new threats, new product surface area, and evolving best practice. We track our progress toward formal third-party certifications on our Certifications roadmap page, and we welcome inbound questions from customers, auditors, and financial-institution partners at security@corpyo.com.