Data Processing Agreement (DPA)
Last updated: July 4, 2026
This Data Processing Agreement ("DPA") describes the terms under which CORPYO LLC ("CORPYO," "Processor") processes personal data on behalf of a customer ("Customer," "Controller") in connection with the CORPYO company formation platform. It is designed to meet the requirements of the EU and UK General Data Protection Regulation (GDPR) and complementary regimes referenced in our Privacy Policy. Where our commercial Terms of Service and this DPA conflict on data-processing matters, this DPA controls. Customers requiring a signed, entity-specific version of this DPA (for example for procurement or audit purposes) may request one via security@corpyo.com.
Roles and Scope
For personal data submitted by the Customer to CORPYO for the purpose of incorporating and administering companies (e.g. director, shareholder, and KYC data), CORPYO acts as a processor and the Customer acts as the controller. For account and billing data CORPYO collects to operate its own relationship with the Customer, CORPYO acts as an independent controller as described in our Privacy Policy.
Subject Matter and Duration
Processing covers the personal data necessary to deliver company formation, registered agent, compliance, and related services, for as long as the Customer maintains an active account plus any period required to satisfy legal retention obligations (e.g. corporate and anti-money- laundering recordkeeping requirements) thereafter.
Nature and Purpose of Processing
CORPYO processes personal data to: prepare and file incorporation documents; perform identity verification and sanctions/PEP screening required by law; maintain company registers and compliance records; provide customer support; and generate the reporting the Customer requests. CORPYO does not sell personal data and does not use Customer personal data to train third-party models without consent.
Categories of Data Subjects and Data
Data subjects typically include the Customer's directors, shareholders, ultimate beneficial owners, and authorized representatives. Categories of data may include identity documents, proof of address, date of birth, nationality, contact details, and — where relevant to a jurisdiction's filing requirements — signatures.
Processor Obligations
CORPYO shall:
- Process personal data only on documented instructions from the
- Ensure personnel authorized to process personal data are bound by
- Implement appropriate technical and organizational security measures,
- Assist the Customer, insofar as reasonably possible, in responding to
- Notify the Customer without undue delay after becoming aware of a
- Make available information reasonably necessary to demonstrate
- At the Customer's choice, delete or return personal data at the end of
Customer, including regarding international transfers, unless required to do otherwise by law (in which case CORPYO will inform the Customer of that legal requirement, unless prohibited from doing so)
confidentiality
described in detail on our Security Program and Encryption pages
data subject requests and in meeting obligations relating to security, breach notification, and data protection impact assessments
personal data breach affecting Customer personal data, consistent with our Incident Response process
compliance with this DPA, and allow for audits, including inspections, conducted by the Customer or an auditor mandated by the Customer, subject to reasonable confidentiality and scheduling terms
the provision of services, except where retention is required by law
Sub-processors
CORPYO uses sub-processors to deliver the platform (cloud hosting, email delivery, payment processing, identity verification, and similar functions). A current, categorized list is published at /trust/subprocessors; the underlying legal list referenced by our Terms is maintained at /legal/subprocessors. CORPYO imposes data protection obligations on sub-processors that are substantially similar to those in this DPA and remains liable for their performance. Customers entitled to advance notice of new sub-processors under their agreement are notified as described on the sub-processors page.
International Transfers
Where personal data is transferred outside the European Economic Area, the United Kingdom, or Switzerland, CORPYO relies on recognized transfer mechanisms — including the European Commission's Standard Contractual Clauses (SCCs), the UK International Data Transfer Addendum, and, where applicable, adequacy decisions and the EU-U.S. Data Privacy Framework — as the legal basis for those transfers, consistent with our Privacy Policy.
Security Measures
Full detail on encryption, access control, network security, monitoring, and incident response is published on our Security Program page and linked sub-pages, which are incorporated into this DPA by reference and updated as our program evolves (without reducing the overall level of protection).
Contact
Questions about this DPA, or requests for a signed version, can be sent to security@corpyo.com or privacy@corpyo.com.