TheCorporation
§ 01 — Overview

Security

TheCorporation manages sensitive corporate records — formation documents, cap tables, governance resolutions, financial data. We treat security as a structural requirement, not a feature.

§ 02 — Architecture

Security by Design

Git-native audit trail

Every mutation to corporate state is an atomic git commit. This produces a cryptographically linked, append-only audit log. Commits cannot be silently altered without breaking the hash chain. You can independently verify your corporate history at any time by cloning your repo.
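To make the hash-chain property concrete, here is a toy append-only log in which each record points at its parent by hash, the same structure git commits use. This is an added example, not TheCorporation's code or git's object format: it uses SHA-256 over a JSON encoding of constructed cap-table data, and the record fields are invented for illustration. The point it shows is that editing a historical record either breaks that record's own id or, if the id is recomputed, breaks every descendant's parent pointer.

```python
"""Toy hash-chained audit log, added as an illustration of why history
cannot be silently rewritten. Not TheCorporation's implementation: it uses
SHA-256 over a JSON record instead of git's object encoding."""
import hashlib
import json
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Commit:
    parent: Optional[str]      # id of the previous commit, None for the root
    message: str
    state: dict                # snapshot of corporate state (constructed sample)
    id: str = field(init=False)

    def __post_init__(self):
        self.id = self.compute_id()

    def compute_id(self) -> str:
        # The id covers the parent pointer, so it transitively covers all history.
        body = json.dumps(
            {"parent": self.parent, "message": self.message, "state": self.state},
            sort_keys=True,
        )
        return hashlib.sha256(body.encode()).hexdigest()


def append(log: List[Commit], message: str, state: dict) -> Commit:
    parent = log[-1].id if log else None
    commit = Commit(parent, message, state)
    log.append(commit)
    return commit


def verify_chain(log: List[Commit]) -> Optional[int]:
    """Return the index of the first commit that fails verification,
    or None if every id and parent pointer is consistent."""
    expected_parent = None
    for i, commit in enumerate(log):
        if commit.parent != expected_parent or commit.compute_id() != commit.id:
            return i
        expected_parent = commit.id
    return None


def build_sample_log() -> List[Commit]:
    # Constructed sample history for a fictional company.
    log: List[Commit] = []
    append(log, "Incorporate", {"authorized": 10_000_000, "issued": {}})
    append(log, "Issue founder shares", {"authorized": 10_000_000, "issued": {"alice": 6_000_000}})
    append(log, "Issue second founder", {"authorized": 10_000_000,
                                         "issued": {"alice": 6_000_000, "bob": 4_000_000}})
    return log


def tamper_without_rehash() -> Optional[int]:
    """Edit an old record in place: its stored id no longer matches."""
    log = build_sample_log()
    log[1].state["issued"]["alice"] = 9_000_000
    return verify_chain(log)   # -> 1


def tamper_with_rehash() -> Optional[int]:
    """Edit an old record and recompute its id: the child's parent pointer breaks."""
    log = build_sample_log()
    log[1].state["issued"]["alice"] = 9_000_000
    log[1].id = log[1].compute_id()
    return verify_chain(log)   # -> 2


if __name__ == "__main__":
    print("intact:", verify_chain(build_sample_log()))
    print("edited in place, detected at:", tamper_without_rehash())
    print("edited and rehashed, detected at:", tamper_with_rehash())
```

In a real repository the equivalent check is a full clone followed by `git fsck`, which recomputes every object hash and follows every parent pointer; the toy above is just the same walk written out.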

Data sovereignty

Your corporate data is stored as a git repository that you own. Cloud customers can clone their full repo at any time. Self-hosted customers never send data to our servers. There is no vendor lock-in — your data is portable by construction.

Encryption

  • In transit — all connections use TLS 1.2+; HTTPS is enforced via HSTS
  • At rest — repositories are stored on encrypted volumes
  • Secrets — API keys are hashed before storage; raw keys are shown only once at creation

Authentication

  • Human users — passwordless magic-link authentication via email
  • API access — scoped API keys with 12 permission scopes and optional entity restriction
  • No shared credentials — each API key is independently revocable
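The three points above (hashed storage with one-time display, per-key scopes with optional entity restriction, independent revocation) fit together in one small key store. The following is an added example, not TheCorporation's implementation: the `tc_` prefix, the key format and the scope names are constructed, and the page's 12 scopes are stood in for by a shorter hypothetical list. It shows why only a digest is stored, how the key id lets the server find the record without ever keeping the secret, and why the digest comparison is constant-time.

```python
"""Scoped API keys with hashed storage and revocation. Added illustration,
not TheCorporation's code; key format and scope names are constructed."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Optional

# Hypothetical scope vocabulary (the page says there are 12; these are placeholders).
SCOPES = frozenset({
    "entities:read", "entities:write",
    "captable:read", "captable:write",
    "resolutions:read", "resolutions:write",
})


def _digest(secret: str) -> str:
    return hashlib.sha256(secret.encode()).hexdigest()


@dataclass
class StoredKey:
    key_id: str
    key_hash: str                # SHA-256 of the secret part; the raw key is never stored
    scopes: FrozenSet[str]
    entity_id: Optional[str]     # None means the key may act on any entity
    revoked: bool = False


class KeyStore:
    def __init__(self) -> None:
        self._keys: Dict[str, StoredKey] = {}

    def issue(self, scopes: Iterable[str], entity_id: Optional[str] = None) -> str:
        """Create a key and return the raw value. This is the only time it is visible."""
        scopes = frozenset(scopes)
        unknown = scopes - SCOPES
        if unknown:
            raise ValueError(f"unknown scopes: {sorted(unknown)}")
        key_id = secrets.token_hex(8)          # public lookup handle
        secret = secrets.token_urlsafe(32)     # high-entropy secret part
        self._keys[key_id] = StoredKey(key_id, _digest(secret), scopes, entity_id)
        return f"tc_{key_id}_{secret}"

    def revoke(self, key_id: str) -> None:
        # Revoking one key never affects any other key.
        if key_id in self._keys:
            self._keys[key_id].revoked = True

    def authorize(self, raw_key: str, scope: str, entity_id: Optional[str] = None) -> bool:
        """True only if the key is known, unrevoked, matches its digest,
        carries the requested scope, and is allowed to act on entity_id."""
        parts = raw_key.split("_", 2)          # maxsplit: the secret may itself contain '_'
        if len(parts) != 3 or parts[0] != "tc":
            return False
        record = self._keys.get(parts[1])
        if record is None or record.revoked:
            return False
        # Constant-time comparison of digests, not a plain ==.
        if not hmac.compare_digest(record.key_hash, _digest(parts[2])):
            return False
        if scope not in record.scopes:
            return False
        if record.entity_id is not None and record.entity_id != entity_id:
            return False
        return True


def demo() -> Dict[str, bool]:
    store = KeyStore()
    raw = store.issue(["captable:read"], entity_id="ent_acme")   # constructed entity id
    results = {
        "right_scope_right_entity": store.authorize(raw, "captable:read", "ent_acme"),
        "wrong_scope": store.authorize(raw, "captable:write", "ent_acme"),
        "wrong_entity": store.authorize(raw, "captable:read", "ent_other"),
        "corrupted_secret": store.authorize(raw + "x", "captable:read", "ent_acme"),
    }
    store.revoke(raw.split("_", 2)[1])
    results["after_revocation"] = store.authorize(raw, "captable:read", "ent_acme")
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'allowed' if ok else 'denied'}")
```

A database dump of this store yields key ids and digests, neither of which can be presented to the API, which is the operational reason for hashing before storage. A production deployment would also record creation time and last use per key so that stale keys can be found and revoked.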

§ 03 — Infrastructure

Infrastructure Security

HTTP security headers

  • Strict-Transport-Security (HSTS)
  • X-Frame-Options: DENY
  • X-Content-Type-Options: nosniff
  • Referrer-Policy: strict-origin-when-cross-origin

CORS

API endpoints enforce an allowlist of production origins. CORS is not permissive — requests from unauthorized origins are rejected.

Rate limiting

API endpoints are rate-limited to prevent abuse. Webhook endpoints validate signatures and enforce timestamp windows to prevent replay attacks.
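The webhook half of that paragraph is worth seeing in code: the receiver recomputes an HMAC over the timestamp and the raw body, compares it in constant time, and then rejects messages whose timestamp falls outside a tolerance window. This is an added example, not TheCorporation's webhook scheme: the `t=...,v1=...` header format, the 300-second window and the sample payload are constructed for illustration.

```python
"""Webhook signature check with a timestamp freshness window. Added example,
not TheCorporation's code; header format and tolerance are constructed."""
import hashlib
import hmac
import time
from typing import Dict, Optional, Set, Tuple

TOLERANCE_SECONDS = 300


def _signed_payload(timestamp: int, body: bytes) -> bytes:
    # Binding the timestamp into the MAC means it cannot be changed without
    # invalidating the signature, which is what makes the window meaningful.
    return str(timestamp).encode() + b"." + body


def sign(secret: bytes, timestamp: int, body: bytes) -> str:
    """Sender side: produce the signature header for a delivery."""
    mac = hmac.new(secret, _signed_payload(timestamp, body), hashlib.sha256).hexdigest()
    return f"t={timestamp},v1={mac}"


def parse_header(header: str) -> Optional[Tuple[int, str]]:
    fields = dict(part.split("=", 1) for part in header.split(",") if "=" in part)
    try:
        return int(fields["t"]), fields["v1"]
    except (KeyError, ValueError):
        return None


def verify(secret: bytes, header: str, body: bytes,
           now: Optional[int] = None, tolerance: int = TOLERANCE_SECONDS) -> str:
    """Receiver side: return 'ok' or the reason the delivery is rejected."""
    parsed = parse_header(header)
    if parsed is None:
        return "malformed"
    timestamp, provided = parsed
    expected = hmac.new(secret, _signed_payload(timestamp, body), hashlib.sha256).hexdigest()
    # Constant-time comparison; a plain == leaks where the mismatch starts.
    if not hmac.compare_digest(expected, provided):
        return "bad_signature"
    now = int(time.time()) if now is None else now
    if abs(now - timestamp) > tolerance:
        return "stale"
    return "ok"


class ReplayGuard:
    """Optional second layer: remember signatures seen inside the window so an
    exact duplicate delivered within the tolerance is also refused."""

    def __init__(self, tolerance: int = TOLERANCE_SECONDS) -> None:
        self.tolerance = tolerance
        self._seen: Dict[str, int] = {}

    def accept(self, header: str, now: int) -> bool:
        parsed = parse_header(header)
        if parsed is None:
            return False
        _, sig = parsed
        # Evict entries the timestamp window would reject anyway.
        self._seen = {s: t for s, t in self._seen.items() if now - t <= self.tolerance}
        if sig in self._seen:
            return False
        self._seen[sig] = now
        return True


def demo() -> Dict[str, str]:
    secret = b"whsec_constructed_example_secret"         # constructed
    body = b'{"event":"resolution.signed","id":"res_123"}'  # constructed payload
    sent_at = 1_700_000_000
    header = sign(secret, sent_at, body)
    return {
        "fresh_valid": verify(secret, header, body, now=sent_at + 5),
        "body_altered": verify(secret, header, body + b" ", now=sent_at + 5),
        "timestamp_altered": verify(secret, header.replace(f"t={sent_at}", f"t={sent_at + 1}"), body, now=sent_at + 5),
        "replayed_after_window": verify(secret, header, body, now=sent_at + TOLERANCE_SECONDS + 1),
        "garbage_header": verify(secret, "nonsense", body, now=sent_at),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The window alone only bounds how long a captured delivery stays valid; a replay inside the window still verifies, which is why the guard class above keeps recently seen signatures until the window would reject them anyway. The secret must also be delivered to the receiver out of band; the header carries no key material.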

Dependency management

The server is written in Rust, which eliminates entire classes of memory-safety vulnerabilities. Dependencies are audited with cargo audit and kept current.

§ 04 — Privacy

Data Handling

  • No tracking — no analytics scripts, no third-party trackers, no advertising pixels
  • No LLM training — your corporate data is never used to train language models
  • Minimal collection — we collect only what is necessary: email for auth, corporate data you submit, payment info via Stripe
  • No data selling — we do not sell, rent, or share your data with third parties for marketing

See our Privacy Policy for complete details.

§ 05 — Disclosure

Vulnerability Disclosure

If you discover a security vulnerability, please report it responsibly:

  • Email: [email protected]
  • GitHub: Use GitHub Security Advisories for private disclosure

We will acknowledge receipt within 48 hours and provide an initial assessment within 5 business days. We do not pursue legal action against researchers who follow responsible disclosure practices.

§ 06 — Open Source

Open Source Transparency

TheCorporation’s core is open source under the BSL 1.1 license. You can inspect the code that handles your corporate data, verify our security claims, and self-host the entire platform on your own infrastructure. Security through obscurity is not part of our model.

  • Source code on GitHub
  • Privacy Policy
  • Terms of Service
