How we handle your data.
Hosting, encryption, authentication, subprocessors, retention, and compliance — documented honestly. We list what we have and what we don't.
Infrastructure & hosting
- Application + edge: Vercel, US regions. TLS 1.3 terminated at the edge; HSTS enabled.
- Database + auth: Supabase (Postgres 15) hosted in us-east-1. Customer data is encrypted at rest (AES-256) and in transit (TLS 1.3).
- Backups: Daily Postgres backups retained 7 days; point-in-time recovery available within the same window.
- DNS: Vercel + Cloudflare. DNSSEC enabled.
- Region pinning: All customer data is processed and stored in the United States. EU data localization is available on Enterprise contracts.
Data handling & encryption
- In transit: TLS 1.3 across all customer surfaces, including the API (/v1/*), webhook delivery (HMAC-signed), and email (STARTTLS via Resend).
- At rest: Postgres-level AES-256 encryption (Supabase managed). Application-level encryption is not used; sensitive secrets (Discord webhooks, Telegram tokens) are stored in dedicated columns under Postgres row-level security.
- Secrets: Webhook signing secrets and API keys are returned to the user once at creation, then hashed (HMAC-SHA-256) and stored as digests. We cannot recover a lost key — you rotate it.
- Payment data: Card numbers and CVCs never reach our servers. Stripe Checkout collects them directly; we receive only a tokenized customer ID and the last 4 digits for display.
- No selling, no profiling: We do not sell, rent, or share customer data with advertisers. PostHog product analytics is opt-in and anonymized at the user-ID level.
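As an added illustration of the key-handling model described above (example code, not CorpStacking's own): an API key is returned to the caller once, only its HMAC-SHA-256 digest is stored, and verification compares digests in constant time. The server-side pepper, the `cs_` prefix and the in-memory store are assumptions.

```typescript
import { createHmac, randomBytes, timingSafeEqual } from "node:crypto";

// Assumed: a server-only pepper; this constructed value stands in for an environment secret.
const KEY_PEPPER = "constructed-dev-pepper-replace-in-production";

// Assumed storage shape: the plaintext key is never written, only its digest.
interface StoredKey { keyId: string; digestHex: string; revoked: boolean }
const store = new Map<string, StoredKey>();

function digest(secret: string): string {
  return createHmac("sha256", KEY_PEPPER).update(secret).digest("hex");
}

// Returns the plaintext exactly once; the caller must show it to the user now.
export function issueApiKey(): { keyId: string; plaintext: string } {
  const keyId = randomBytes(6).toString("hex");            // 12 hex chars, public lookup id
  const secret = randomBytes(32).toString("base64url");   // 256-bit secret part
  const plaintext = `cs_${keyId}_${secret}`;              // "cs_" prefix is a constructed convention
  store.set(keyId, { keyId, digestHex: digest(secret), revoked: false });
  return { keyId, plaintext };
}

// Verify a presented key against the stored digest without ever recovering the secret.
export function verifyApiKey(presented: string): boolean {
  const m = /^cs_([0-9a-f]{12})_([A-Za-z0-9_-]+)$/.exec(presented);
  if (!m) return false;
  const row = store.get(m[1]);
  if (!row || row.revoked) return false;
  const a = Buffer.from(digest(m[2]), "hex");
  const b = Buffer.from(row.digestHex, "hex");
  return a.length === b.length && timingSafeEqual(a, b); // constant-time comparison
}

// Rotation: revoke the old digest and issue a fresh key; a lost plaintext is never recoverable.
export function rotateApiKey(keyId: string): { keyId: string; plaintext: string } | null {
  const row = store.get(keyId);
  if (!row) return null;
  row.revoked = true;
  return issueApiKey();
}
```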
Authentication & account security
- Passwordless by default: Magic-link email + OAuth (Google, GitHub, Twitter / X). Passwords are not stored — there is no password to phish.
- Session management: JWT-based, 60-day rolling expiry, immediate revocation on sign-out across devices.
- Row-level security: Every customer-data table is gated by Postgres RLS keyed on auth.uid(). A SQL injection at the application layer cannot read another tenant's rows.
- Admin access: Two named operators with break-glass Supabase service-role access. Every privileged operation is logged in cron_run_log.
- Security email notifications: New-device sign-in, password / MFA changes, plan changes, and API-key rotation each trigger an email so you see it the moment it happens.
Data integrity (the product itself)
- Reconciliation invariant: For every (company, token) pair, the sum of purchases.amount equals holdings.amount. A nightly cron repairs any drift via a synthetic reconciliation row and pages an operator if the gap exceeds 0.5%.
- Provenance per row: Every purchase carries a tier — SEC filing accession + URL, board press release URL, on-chain treasury txn hash, or a clearly-labeled aggregate baseline.
- Audit trail: Every backfill, ingest, and reconciliation run lands in cron_run_log with row counts, duration, and outcome. Available to Enterprise customers under MSA.
- Daily audit: A scripted data-quality check (scripts/data-audit.ts) runs against bitbo as the working source and flags any discrepancy before it reaches the API.
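The reconciliation invariant above, worked through as an added example (not the project's nightly cron): sum purchases per (company, token), repair any drift with a labeled synthetic row, and report pairs whose gap exceeds 0.5% for paging. Row shapes, the `reconciliation` tier label and the sample data are constructed assumptions.

```typescript
interface Purchase { company: string; token: string; amount: number; tier: string }
interface Holding { company: string; token: string; amount: number }
interface ReconcileResult { inserted: Purchase[]; page: string[] }

const PAGE_THRESHOLD = 0.005; // 0.5% of the holding, as stated on the page
const EPSILON = 1e-9;         // tolerance for floating-point sums

export function reconcile(purchases: Purchase[], holdings: Holding[]): ReconcileResult {
  // Sum purchases per (company, token); "|" is a constructed key separator.
  const sums = new Map<string, number>();
  for (const p of purchases) {
    const k = `${p.company}|${p.token}`;
    sums.set(k, (sums.get(k) ?? 0) + p.amount);
  }
  const byKey = new Map<string, Holding>();
  for (const h of holdings) byKey.set(`${h.company}|${h.token}`, h);

  const inserted: Purchase[] = [];
  const page: string[] = [];
  // Check the union of keys so purchases with no holding row are not silently skipped.
  for (const k of new Set([...sums.keys(), ...byKey.keys()])) {
    const [company, token] = k.split("|");
    const held = byKey.get(k)?.amount ?? 0;
    const drift = held - (sums.get(k) ?? 0);
    if (Math.abs(drift) < EPSILON) continue;
    // Synthetic row restores the invariant and is labeled so it never reads as a filing.
    inserted.push({ company, token, amount: drift, tier: "reconciliation" });
    // Page when |drift| exceeds 0.5% of the holding; a zero holding with drift is always paged.
    const ratio = held === 0 ? Infinity : Math.abs(drift) / Math.abs(held);
    if (ratio > PAGE_THRESHOLD) page.push(`${k}: drift ${drift} (${(ratio * 100).toFixed(2)}%)`);
  }
  return { inserted, page };
}

// Constructed sample data (not real filings or treasuries).
export const samplePurchases: Purchase[] = [
  { company: "ACME", token: "BTC", amount: 100, tier: "sec-filing" },
  { company: "ACME", token: "BTC", amount: 50, tier: "press-release" },
  { company: "BETA", token: "ETH", amount: 1000, tier: "aggregate-baseline" },
];
export const sampleHoldings: Holding[] = [
  { company: "ACME", token: "BTC", amount: 150 },  // in balance: no row, no page
  { company: "BETA", token: "ETH", amount: 1010 }, // 10 short (~0.99%): repaired and paged
];
```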
Data retention & deletion
- Account data: Retained while your account is active. Deletion is self-serve at /settings → Delete account and propagates within 30 days.
- Billing records: Retained 7 years to comply with US tax + accounting law. Stripe is the system of record.
- AI chat history: Retained while the account is active so you can return to past threads. Deleted with the account or on-demand from the chat UI.
- Logs: Vercel request logs retained 30 days. Supabase Postgres logs retained per their plan (currently 7 days).
- Public market data: Treasury holdings, purchases, and price history are public reference data and are retained indefinitely — they are not customer data.
Subprocessors
Every third party that processes data on our behalf is listed below. We notify customers on Team and Enterprise plans at least 30 days before adding a new subprocessor that handles their data. The full table with data categories is on the dedicated page:
View all 13 subprocessors →
Incident response
- Status page: Live uptime + incident history at /status.
- Notification SLA: Customers materially affected by a security incident are notified within 72 hours of confirmation (within 24 hours if PII was exposed). Enterprise contracts may shorten this further.
- Post-mortems: Every incident producing customer-visible impact lasting 5+ minutes gets a public post-mortem on the status page within 7 business days.
- Runbooks: Operators rehearse the playbook quarterly.
Responsible disclosure
Found a security issue? Email contact@corpstacking.com. PGP available on request.
Our promise: we acknowledge reports within 48 hours, we will not pursue legal action against good-faith researchers who follow this policy, and we name reporters in fix announcements unless you prefer anonymity.
Out of scope: denial of service, social engineering, physical attacks, third-party services we use (please report those to the vendor), and findings on staging.corpstacking.com (test environment, not production data).
The same contact information is published at /.well-known/security.txt per RFC 9116.
Compliance posture (honest)
We're a small team and we don't carry compliance certifications we haven't actually earned. Here's where we are today:
- SOC 2: Not yet. Type 1 audit targeted for H2 2026 once Enterprise revenue justifies the engagement.
- ISO 27001: Not yet. Will follow SOC 2.
- GDPR: Compliant. EU residents can request access, correction, or deletion at contact@corpstacking.com. Standard contractual clauses available for cross-border transfers.
- CCPA / CPRA: Compliant. California residents can opt out of analytics and request deletion via the same channel.
- PCI DSS: SAQ A eligible. We never touch card data — Stripe Checkout handles it end-to-end. Stripe is PCI DSS Level 1 certified.
- HIPAA: N/A. We do not process PHI.
A signed Data Processing Agreement (DPA) and Master Services Agreement (MSA) are available for any plan on request — email contact@corpstacking.com.
Business continuity
- Operating entity: J & M Sorce Holdings, LLC, a Utah limited liability company operating the CorpStacking service.
- Bus-factor mitigation: Code is in a private GitHub repository with named co-owners. Database snapshots replicate to a separate region. Customer data and contracts are escrowed with the operating entity, not a single individual's account.
- Acquisition / shutdown: If the service is acquired, customer agreements transfer to the acquirer subject to the same DPA. If we ever need to shut the service down, paying customers receive at least 90 days notice plus a full data export.
Have questions procurement is asking?
We answer security questionnaires (CAIQ, SIG-Lite, custom) for any plan on request. Most come back the same week.