Security Policy & Data Protection
Last Updated: March 2, 2026
CORPIUS is committed to maintaining the highest standards of data protection, cybersecurity, privacy, and regulatory compliance across all services delivered through https://corpius.net. This Security Policy and Data Protection Statement describes how we secure client data, protect uploaded documents, operate our infrastructure, manage internal access, monitor risks, and ensure compliance with applicable U.S. and international standards.
1. Purpose and Scope
This Policy applies to all business formation services, income tax filing & planning services, EIN applications, document processing, identity verification, compliance checks, and all internal and external systems used to store or process client data.
The Policy covers all users, employees, contractors, consultants, and any authorized individuals who interact with CORPIUS systems.
2. Data Security Principles
Confidentiality
Client information is accessible only to authorized personnel with a legitimate business need.
Integrity
Client data remains accurate, complete, unaltered, and protected against unauthorized modification.
Availability
We maintain secure, stable infrastructure designed for continuous access with minimal downtime.
Accountability
All employees and contractors must comply with strict internal security controls and logging policies.
Minimum Necessary Rule
We collect and use only the minimum amount of data required to provide our services.
3. Data Collection and Retention
3.1 Data We Collect
- Identity information and business formation documents
- Uploaded IDs and verification documents
- Bank statements and financial records
- Tax documents and prior returns
- Contact information and communication logs
- Service usage data
3.2 Data Retention
- Tax documentation: minimum 7 years
- Corporate documents: permanent retention
- Communications & support logs: as long as operationally required
4. Technical Safeguards (Cybersecurity Controls)
CORPIUS uses a multilayered cybersecurity framework:
4.1 Encryption
- Data in transit: encrypted via HTTPS/TLS 1.2+
- Data at rest: stored in encrypted environments
- Sensitive data (IDs, tax documents): stored using additional encryption layers
4.2 Secure Infrastructure
- Hardened cloud architecture with firewalls and network segmentation
- Encrypted storage systems and secure backup procedures
- DDoS protection and geo-redundant data replication
4.3 Access Control
- Strict role-based access (RBAC)
- Multi-factor authentication (MFA) for admin systems
- Logged and monitored access sessions
- Automatic access revocation upon personnel changes
- "Least privilege" principle enforced at all levels
4.4 Monitoring & Threat Detection
- Continuous system monitoring and automated threat detection
- Tamper detection and intrusion alerts
- Real-time event logging and audit trails for sensitive actions
4.5 Backup & Disaster Recovery
- Daily encrypted backups and redundant data centers
- Tested recovery procedures and incident simulation drills
5. Organizational & Administrative Safeguards
5.1 Employee Training
All personnel undergo mandatory training on data protection, security protocols, phishing prevention, secure document handling, and privacy laws.
5.2 Confidentiality Obligations
Employees and contractors sign NDAs, access agreements, and security compliance acknowledgements.
5.3 Internal Audits
We perform routine audits, quarterly reviews, random compliance checks, document accuracy audits, and system integrity assessments.
5.4 Vendor & Third-Party Compliance
Vendors must meet strict security requirements, including confidentiality obligations, encryption standards, and SOC 2 / ISO 27001 compliant environments where applicable.
6. Document Upload & File Protection
When users upload documents (IDs, bank statements, IRS forms, corporate records):
- Files are transmitted via secure encrypted channels
- Stored in encrypted form and accessible only by authorized staff
- Logged for traceability and monitored for unauthorized access
- Never shared with third parties outside service necessity
Documents are not used for training AI models. Documents are never sold or disclosed outside the scope of work.
7. AI & Automation Security Compliance
CORPIUS uses AI systems for document analysis, OCR extraction, expense categorization, data verification, and workflow optimization. Security guarantees include:
- AI does not access client data beyond the scope of service
- No autonomous decisions without human review
- No sensitive data used for training external AI systems
- All AI processing remains internal and compliant with privacy requirements
8. Fraud, Abuse & Identity Theft Prevention
CORPIUS employs multi-layer protection including identity verification checks, anomaly detection in document uploads, device fingerprinting, transaction risk scoring, manual compliance review for high-risk cases, enhanced verification for suspicious activity, secure audit trail retention, KYC (Know Your Customer) standards, and AML (Anti-Money-Laundering) checks.
9. Data Sharing & Disclosure
9.1 Permitted Sharing
- Filing state agencies for formation
- IRS for EIN or tax filings
- Third-party service providers (e-signing systems, secure storage, payment processors)
- Legal advisors, accountants, auditors
9.2 Prohibited Sharing
We never share, sell, or disclose client data for marketing by third parties, for unrelated commercial purposes, for AI model training, or without lawful justification.
9.3 Disclosure For Legal Reasons
We may disclose information only when required by court order, required by government request under applicable law, or necessary to protect CORPIUS from fraud or security threats.
10. Physical Security
- Restricted facility access and video monitoring
- Locked storage for sensitive documents
- Secure shredding of retired documents
- Visitor logs and badge controls
- Environmental protection (fire/flood controls)
11. Incident Response & Breach Management
If a suspected or confirmed security incident occurs, CORPIUS will:
11.1 Immediate Actions
Isolate affected systems, activate the incident response team, and secure vulnerable environments.
11.2 Investigation
Determine scope, assess data affected, identify root cause, and document findings.
11.3 Mitigation
Patch vulnerabilities, prevent recurrence, and restore systems from secure backups.
11.4 Notification
If required by law, affected users will be notified within the legally mandated timeframe. We may provide assistance with mitigation steps following a breach. See our full Incident Response Policy for details.
12. User Responsibilities
To maintain system security, clients must:
- Upload accurate, legitimate documents
- Use strong passwords and keep login credentials confidential
- Notify CORPIUS of suspicious account activity
- Avoid using public Wi-Fi for sensitive uploads
- Refrain from fraudulent or illegal activities
13. Compliance With Global Standards
13.1 GDPR (EU) / UK GDPR
Lawful basis for processing; rights of access, correction, and deletion; secure cross-border transfer mechanisms; and data minimization.
13.2 CCPA / CPRA (California)
Transparency, limited use of personal data, right to access & delete, and "Do Not Sell or Share" compliance if triggered.
13.3 IRS Data Protection Requirements
Including requirements specific to tax-document handling, EIN applications, identity verification, and secure storage of tax records.
14. Policy Updates
We may update this Policy at any time due to legal or regulatory changes, security upgrades, new service features, updated compliance controls, or internal workflow changes. All updates become effective immediately upon posting on the Site.