How we handle your data.
Hosting, encryption, authentication, subprocessors, retention, and compliance — documented honestly. We list what we have and what we don't.
01 · Section
Infrastructure & hosting
- Hosting: US-region cloud infrastructure with TLS 1.3 termination, HSTS enabled, and DNSSEC at the edge.
- Encryption: Customer data is encrypted at rest and in transit. Full infrastructure detail available to Enterprise customers under NDA.
- Backups: Automated database backups with point-in-time recovery.
- Region pinning: All customer data is processed and stored in the United States. EU data localization is available on Enterprise contracts.
02 · Section
Data handling & encryption
- In transit: TLS 1.3 across every customer surface — the API (/v1/*), webhook delivery (cryptographically signed), and outbound email.
- At rest: Industry-standard encryption on the database. Sensitive secrets (Discord and Telegram tokens, webhook signing keys) are isolated per-account and never readable across tenants.
- Secrets: API keys and webhook signing secrets are shown once at creation and stored irreversibly encrypted. We can't recover a lost key — you rotate it.
- Payment data: Card numbers and CVCs never reach our servers. Stripe Checkout collects them directly; we receive only a tokenized customer ID and the last 4 digits for display.
- No selling, no profiling: We don't sell, rent, or share customer data with advertisers. Product analytics is opt-in and anonymized at the user-ID level.
03 · Section
Authentication & account security
- Multi-method sign-in: Magic-link email, OAuth (Google, GitHub, Twitter / X), or email + password. A bot-protection check guards every sign-in path against credential stuffing. Passwords are stored using one-way (irreversible) encryption — plaintext never touches the database.
- Session management: Secure sign-in tokens that expire quickly and refresh automatically behind the scenes. Sign-out revokes the session across devices immediately.
- Tenant isolation: Every customer-data table is gated at the database layer by your account ID — database-level isolation, so a bug in our code still can't let one customer read another's data.
- Admin access: Tightly scoped and recorded with timestamps. Every privileged operation is logged for forensic review.
- Security email notifications: New-device sign-in, password / MFA changes, plan changes, and API-key rotation each trigger an email so you see it the moment it happens.
04 · Section
Data integrity (the product itself)
- The numbers add up: For every company and asset, the buys and sells we’ve recorded add up to the current holdings figure. A daily check compares the recorded moves to authoritative references and alerts the team if the gap exceeds 5%.
- Source on every row: Every move carries a primary-source citation — the SEC filing and URL, the ETF sponsor’s daily report, a press release URL, an on-chain transaction hash, or a named third-party tracker. Each row’s “View source” link opens the underlying disclosure.
- Audit trail: Every data update and daily check is recorded with timestamps, row counts, duration, and outcome. Available to Enterprise customers under a signed agreement.
- Daily quality check: Each morning we compare our numbers against an independent reference and flag any disagreement before it reaches the public API.
05 · Section
Data retention & deletion
- Account data: Retained while your account is active. Deletion is self-serve at /settings → Delete account and propagates within 30 days.
- Billing records: Retained 7 years to comply with US tax + accounting law. Stripe is the system of record.
- AI chat history: Retained while the account is active so you can return to past threads. Deleted with the account or on-demand from the chat UI.
- Logs: Request logs are retained for 30 days; database logs for 7 days.
- Public market data: Treasury holdings, purchases, and price history are public reference data and are retained indefinitely — they are not customer data.
06 · Section
Subprocessors
Every third party that processes data on our behalf is listed below. We notify customers on Team and Enterprise plans at least 30 days before adding a new subprocessor that handles their data. The full table with data categories is on the dedicated page:
View all 22 subprocessors →
07 · Section
Incident response
- Status page: Live uptime + incident history at /status.
- Notification: If a security incident materially affects you, we notify you promptly once it's confirmed — as fast as we can, and faster still if personal information (your name, email, or payment details) was exposed. Enterprise contracts can set firmer commitments.
- Post-mortems: After any significant incident with customer-visible impact, we publish a post-mortem on the status page.
- Runbooks: We keep incident-response playbooks and practice against them.
08 · Section
Responsible disclosure
Found a security issue? Email [email protected]. PGP available on request.
Our promise: we acknowledge reports within 48 hours, we will not pursue legal action against good-faith researchers who follow this policy, and we name reporters in fix announcements unless you prefer anonymity.
Out of scope: denial of service, social engineering, physical attacks, and third-party services we use (please report those to the vendor directly).
The same contact information is published at /.well-known/security.txt per RFC 9116.
09 · Section
Compliance posture
We're a small team and we don't carry compliance certifications we haven't actually earned. Here's where we are today:
- SOC 2: Not yet. SOC 2 is on our roadmap, to be pursued once Enterprise demand justifies the engagement.
- ISO 27001: Not yet. Will follow SOC 2.
- GDPR: Compliant. EU residents can request access, correction, or deletion at [email protected]. Standard contractual clauses available for cross-border transfers.
- CCPA / CPRA: Compliant. California residents can opt out of analytics and request deletion via the same channel.
- Card payments: Compliant. We never see or store card data — Stripe handles every card detail directly (PCI DSS SAQ A). Stripe is PCI DSS Level 1 certified.
- HIPAA: N/A. We do not process PHI.
A signed Data Processing Agreement (DPA) and Master Services Agreement (MSA) are available on request — email [email protected].
10 · Section
Business continuity
- Operating entity: J & M Sorce Holdings, LLC, a Utah limited liability company operating the CorpStacking service.
- Bus-factor mitigation: Source code and database backups are held by the operating entity, not tied to any single individual's personal account, so the business can keep running through staffing changes.
- Acquisition / shutdown: If the service is acquired, customer agreements transfer to the acquirer subject to the same DPA. If we ever need to wind the service down, our intent is to give paying customers ample advance notice plus a full data export.
Procurement
Have questions procurement is asking?
We answer security questionnaires (CAIQ, SIG-Lite, custom) for any plan on request. Most come back the same week.