2025 BOI rule update US entities are now exempt. Check if you still need to file →
Effective May 31, 2026. Version 4.3. All policies.
Start filing →
Home/Legal/Security Policy
Security · File.Business

Security Policy

Effective May 31, 2026 Version 4.3 Worldwide
Plain-English summary The Services handle legally and financially sensitive information. Our security program is designed to protect it using independent audits (SOC 2 Type II, ISO 27001), strong encryption, role-based access, and continuous monitoring.
$0
Free
formation service
51
Jurisdictions
filed in-house
220K+
Businesses
formed since launch
4.9★
Rating
8,200+ verified reviews
SOC 2 Type II · 2025 report 4.9 · 8,200+ reviews E&O Insured · carrier on request 51 Jurisdictions 220,000+ Formed
See disclosures + carrier names →

01Summary

File.Business is built to handle legally and financially sensitive information for tens of thousands of US businesses. Our security program is designed to protect that information using industry-recognized standards, independent audits, and continuous improvement.

02Certifications & audits

  • SOC 2 Type II annually audited (Security, Availability, Confidentiality, Processing Integrity, Privacy)
  • ISO 27001 certified Information Security Management System
  • PCI DSS compliance for payment data (we do not store full card numbers; tokenized via Stripe)
  • EU-U.S. Data Privacy Framework self-certification (and UK Extension, Swiss-U.S. Framework)
  • Annual third-party penetration testing

Audit reports and certifications are available to customers under NDA at security@file.business.

03Encryption

  • In transit: TLS 1.3 with modern cipher suites. HSTS preload. Forward secrecy required.
  • At rest: AES-256 for all stored Customer Data. Database encryption at the storage layer plus application-layer field encryption for sensitive fields (SSN, government IDs, bank account numbers).
  • Key management: AWS KMS with hardware security modules (HSMs). Customer-specific encryption keys for enterprise customers on request.

04Access controls

  • Role-based access control (RBAC) with least-privilege defaults
  • Mandatory phishing-resistant multi-factor authentication for all employee access to production systems
  • Quarterly access reviews and automatic deprovisioning on role change or termination
  • Hardware security keys for engineers with production access
  • Privileged Access Management (PAM) with session recording for sensitive operations
  • Network segmentation, zero-trust internal network, and bastion-host access patterns

05Infrastructure security

  • Production infrastructure hosted on AWS in US regions with multi-AZ redundancy
  • Web Application Firewall (Cloudflare) with custom rules and rate limiting
  • DDoS mitigation at the network edge
  • Automated vulnerability scanning on every build (SAST, dependency scanning, container scanning)
  • Patch management with SLAs based on severity (critical: 7 days; high: 30 days; medium: 90 days)
  • Immutable infrastructure with infrastructure-as-code; production changes require peer review

06Secure development lifecycle

  • Mandatory code review for all production changes
  • Static application security testing (SAST) on every pull request
  • Dependency scanning with automated upgrades for vulnerable libraries
  • Periodic threat modeling for significant features
  • Annual security training for all engineers
  • Pre-production environment separated from production

07Incident response

We maintain a documented incident response plan tested at least annually. Key commitments:

  • 24/7 on-call coverage with paged escalation
  • Internal containment within 1 hour of detection
  • Customer notification of confirmed personal-data breach within 72 hours of awareness (sooner where law requires)
  • Detailed post-incident review and remediation tracking
  • Real-time status updates at status.file.business

08Backups & business continuity

  • Encrypted backups of all production data, stored in multiple AWS regions
  • Backup integrity tested monthly; full restoration tested quarterly
  • Recovery Time Objective (RTO): 4 hours for the primary application
  • Recovery Point Objective (RPO): 1 hour
  • Business continuity plan reviewed annually and tested at least once per year

09Physical security

File.Business does not operate its own data centers. AWS data centers are SOC 2, ISO 27001, and PCI DSS certified, with physical-access controls, environmental monitoring, and 24/7 security personnel. Our offices use badged entry, camera monitoring, and require visitors to be escorted.

10Vendor risk

Every vendor that processes Customer Data is subject to a security review prior to engagement and re-reviewed annually. Vendor contracts include data-protection terms aligned with our DPA. See the Subprocessor List.

11Coordinated vulnerability disclosure

If you believe you have found a vulnerability, please email security@file.business. We commit to:

  • Acknowledge receipt within 1 business day
  • Provide an initial assessment within 5 business days
  • Coordinate disclosure timelines with you
  • Recognize researchers on our security acknowledgments page

We operate a bug bounty program with rewards based on severity and impact. Please act in good faith, avoid privacy violations and service disruption, and do not access more data than is necessary to demonstrate the vulnerability.

PGP key for sensitive reports: security@file.business with key ID 0xF1B3 5E47 available at keys.file.business.

12Contact

Security questions and reports: security@file.business. Compliance documentation requests: compliance@file.business. Service status: status.file.business.

Contact our legal team

Questions about this policy go to legal@file.business. Privacy or data requests go to privacy@file.business. Postal mail: File.Business, Inc., 101 N Monroe St, Suite 800, Tallahassee, FL 32301, USA.

$129/yr Compliance Annual Filings · penalty-free

On the $129/yr Compliance Annual Filings plan, we cover state late fees.

When you autofile your annual report through the $129/yr plan and we miss the deadline, we pay the state's late fee. The guarantee applies to that specific plan and the filings it includes. Other File.Business services are billed at the prices on this page.

See compliance plans →
Form your business for $0Start →
File.Business is a private business filing and compliance service. We are not a government agency and are not affiliated with any Secretary of State office. You may file directly with the appropriate state agency. SOC 2 Type II audited. 220,000+ businesses formed since 2017.