Security

CorpNet, Inc. is SOC 2 Type II compliant, with independent attestation by Insight Assurance covering the Security, Availability, and Confidentiality Trust Services Criteria. The CorpNet API enforces TLS 1.2 or higher in transit, encrypts customer data at rest, and is scoped so that Social Security Numbers and similar high-sensitivity identifiers are not collected through the partner API.

Is CorpNet SOC 2 Type II compliant?

Yes. CorpNet maintains SOC 2 Type II attestation, independently audited by Insight Assurance. The audit covers three of the AICPA Trust Services Criteria:

  • Security — controls protecting against unauthorized access, both physical and logical.
  • Availability — controls ensuring the system is available for operation and use as committed.
  • Confidentiality — controls protecting information designated as confidential.

A Type II report attests to the operating effectiveness of these controls across a defined audit period — not just their design at a point in time. To request CorpNet's most recent SOC 2 Type II report under NDA, contact your CorpNet account manager.

CorpNet SOC 2 Type 2 Compliant 2025 — issued by Insight Assurance

How is data protected in transit and at rest?

  • In transit — all CorpNet API endpoints require TLS 1.2 or higher. Connections negotiating older protocol versions are rejected at the transport layer.
  • At rest — customer data submitted through the partner API is encrypted at rest within CorpNet's systems. The encryption controls are validated as part of CorpNet's SOC 2 Type II audit.
  • In use — access to production data is restricted to authorized personnel with documented business need, and access is logged and reviewed under CorpNet's internal access-control policies.

What data does the CorpNet API collect — and what does it not?

The partner API is intentionally scoped to non-secret business information. It collects:

  • Business name, entity type, and formation state
  • Business addresses (mailing, registered-agent, principal-office)
  • Contact-person name, email, and phone
  • Responsible-party name and contact details

It does not collect through the partner API:

  • Social Security Numbers (SSN) — the recommended integration pattern is to set responsibleParty.ssnStatus: "No" on order creation, so that SSN collection occurs through CorpNet's own portal flow rather than through a third-party integration. See the responsible-party guidance on Create a Business Formation Order.
  • Employer Identification Numbers (EIN) before issuance — CorpNet obtains the EIN from the IRS on the partner's behalf during formation.
  • Bank-account or payment details — payment is reconciled through CorpNet's billing relationship with the partner, not through per-order API submissions.

This scoping is deliberate. By keeping high-sensitivity identifiers off the partner-API surface, partners integrating with CorpNet inherit a smaller PII footprint and a narrower compliance scope on their own side.

How should partners secure their API keys?

  • Treat your API key like a password. See API Key for storage and rotation guidance.
  • Keep API calls server-side. Never embed your token in client-side JavaScript, mobile-app binaries, or any artifact a customer can decompile.
  • Use distinct keys for staging and production. A staging key authenticates only against staging hosts, and a production key only against production hosts — see Authorization for the host list.
  • Rotate on suspected compromise. Report any suspected leak to your CorpNet account manager. Keys can be rotated on request; old keys stop working as soon as a replacement is issued.
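One way a partner could enforce the key-handling points above, together with the SSN scoping described earlier, as a server-side pre-flight check before any request is sent. This is an added example, not CorpNet's code. The host names, the environment-variable names and every order field other than responsibleParty.ssnStatus are assumptions; the real host list is in CorpNet's Authorization page.

```python
import os
import re
import ssl
from urllib.parse import urlsplit

# Hypothetical hosts (assumption): substitute the list from the Authorization page.
HOSTS = {"staging": "api.staging.example.invalid", "production": "api.example.invalid"}
# Coarse SSN shape: 3-2-4 digits with dashes, or nine bare digits.
SSN_LIKE = re.compile(r"(?<!\d)(?:\d{3}-\d{2}-\d{4}|\d{9})(?!\d)")

def tls_context():
    """Client context that verifies certificates and refuses anything below TLS 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def load_key(env_name, environ=os.environ):
    """Read one environment's key from a server-side variable (variable name assumed)."""
    key = environ.get(f"CORPNET_API_KEY_{env_name.upper()}")
    if not key:
        raise RuntimeError(f"no API key configured for {env_name}")
    return key

def check_target(env_name, url):
    """Refuse to send a key to any host other than the one paired with its environment."""
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.hostname != HOSTS[env_name]:
        raise ValueError(f"{env_name} key must not be sent to {url}")

def find_ssn_like(value, path="$"):
    """Return the JSON paths of string values that look like an SSN."""
    if isinstance(value, dict):
        return [p for k, v in value.items() for p in find_ssn_like(v, f"{path}.{k}")]
    if isinstance(value, list):
        return [p for i, v in enumerate(value) for p in find_ssn_like(v, f"{path}[{i}]")]
    return [path] if isinstance(value, str) and SSN_LIKE.search(value) else []

def preflight(env_name, url, order):
    """Run every check; return the key only if the request is safe to send."""
    check_target(env_name, url)
    if order.get("responsibleParty", {}).get("ssnStatus") != "No":
        raise ValueError('responsibleParty.ssnStatus must be "No"')
    hits = find_ssn_like(order)
    if hits:
        raise ValueError(f"SSN-like value at {hits}")
    return load_key(env_name)
```

Pass tls_context() to whichever HTTP client makes the call, and treat a preflight failure as a reason to drop the request rather than retry it.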

Who do I contact for security or compliance questions?

For security questions, compliance-documentation requests (including the SOC 2 Type II report under NDA), or to report a suspected vulnerability in the CorpNet API, contact your CorpNet account manager. Reports affecting partner data confidentiality, integrity, or availability are triaged by CorpNet's Compliance and Security team.