How is my data protected?
When you form an LLC, you're trusting us with sensitive personal and business information — your full legal name, social security number (or EIN), home or business address, and ownership details. Here's how we protect it.
Quick summary
Encryption: all data encrypted in transit (TLS 1.2+) and at rest (AES-256)
Access controls: only authorized FormationHub staff can access your account; access is logged
PCI compliance: payments processed through a PCI-DSS Level 1 compliant provider (we don't store card numbers)
PII allowlist: sensitive data (EIN values, SSN, signed documents) never leaves our systems — never sent to marketing tools, never logged in plaintext
No data selling: we don't sell customer data to third parties
GDPR/CCPA compliant: you have rights to access, correct, and delete your data
Where your data lives
Production database
Hosted on US-based managed-database infrastructure
Encrypted at rest with AES-256
Daily backups, retained 7 days
Access requires VPN + 2FA for engineering staff
Database admin actions are logged and reviewable
Document storage
All uploaded documents (Articles of Organization, EIN confirmation letters, signed Operating Agreements) live in encrypted cloud storage
Encrypted at rest
Files are NOT publicly accessible — only fetchable through authenticated API endpoints
Auto-purge for orphaned files
Payment data
We use a PCI-DSS Level 1 compliant payment processor
We don't store card numbers on our infrastructure
We only see the last 4 digits of cards (for display purposes)
Customer data platform (CDP)
Lifecycle events flow to our marketing and support tools
A schema-enforced PII allowlist guarantees these forbidden keys NEVER leave our systems:
EIN values / tax IDs
SSN / ITIN
Date of birth
Signed PDF URLs
Passport / driver's license numbers
Only safe identifiers (email, phone, customer id, business name, state code) flow to destinations
Audited quarterly to confirm no leakage
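An added example, not FormationHub's own code: one way an allowlist filter like the one described above can sit in front of marketing and support destinations. The field names, the choice to raise on a forbidden key, and the value-pattern check are assumptions made for illustration.

```python
import re

# Assumption: key names are illustrative; the page lists categories, not field names.
ALLOWED_KEYS = {"email", "phone", "customer_id", "business_name", "state_code"}
FORBIDDEN_KEYS = {"ein", "tax_id", "ssn", "itin", "date_of_birth",
                  "signed_pdf_url", "passport_number", "drivers_license_number"}
# Value patterns catch an identifier typed into an otherwise allowed field.
SSN_OR_ITIN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
EIN = re.compile(r"\b\d{2}-\d{7}\b")


class ForbiddenKeyError(ValueError):
    """Raised when an event carries a key that must never leave the system."""


def _normalize(key):
    # "dateOfBirth", "Date of Birth" and "date_of_birth" all map to the same name.
    key = re.sub(r"(?<=[a-z0-9])(?=[A-Z])", "_", key.strip())
    return re.sub(r"[^a-z0-9]+", "_", key.lower()).strip("_")


def scrub_event(event):
    """Return (safe_payload, dropped_keys); raise if a forbidden key is present."""
    safe, dropped = {}, []
    for raw_key, value in event.items():
        key = _normalize(raw_key)
        if key in FORBIDDEN_KEYS:
            # Fail closed: a producer sending this key is a bug to fix, not to mask.
            raise ForbiddenKeyError(key)
        if key not in ALLOWED_KEYS or not isinstance(value, str):
            dropped.append(raw_key)  # unknown keys and nested values never pass
        elif SSN_OR_ITIN.search(value) or EIN.search(value):
            dropped.append(raw_key)  # allowed key, but the value looks like a tax ID
        else:
            safe[key] = value
    return safe, sorted(dropped)


if __name__ == "__main__":
    # Constructed sample event, not real customer data.
    sample = {"Email": "owner@example.com", "stateCode": "DE",
              "business_name": "12-3456789 LLC", "plan": "basic"}
    print(scrub_event(sample))
```

The dropped-key list is what a periodic audit would review: a key that keeps appearing there points at a producer sending more than the destination should receive.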
Email / SMS / Phone
Transactional email via a managed email-delivery provider (auth links, receipts)
SMS via a managed SMS provider (where used)
Chat and voice via our customer-support platform — recorded for quality
All providers under data-processing agreements (DPAs)
What data we collect
Identification (required)
Full legal name
Email address
Phone number
Home address (for IRS / state filing requirements)
Business details (required to file)
Proposed business name
State of formation
Member / owner names and addresses
Business purpose
Registered Agent address (we provide this if you use our service)
Beneficial Owner Information (required for BOI filing only, if you buy that service)
Photo of government-issued ID
Date of birth
Tax identifier (SSN or ITIN)
Payment data (handled by our payment processor)
Card brand and last 4 digits (we see this)
Full card number (our payment processor sees this; we don't)
Optional
Profile photo
Communication preferences
What we DON'T collect
Browsing history outside FormationHub's domains
Social media account info (unless you opt in to share)
Bank account credentials (we don't initiate ACH withdrawals)
Health information, biometrics, or other sensitive categories beyond what's needed for filings
Who has access
Your data
You (via authenticated portal)
Authorized FormationHub support staff — only for the duration of resolving your ticket; access is logged
Engineering staff — read-only access to production for debugging, write access only via deployed code
Sub-processors (limited, contractually bound)
A PCI-DSS Level 1 compliant payment processor (payments)
A US-based cloud-storage provider (document storage)
A managed marketing-email platform (only safe attributes)
A customer-support platform for chat / help center (only safe attributes)
An error-monitoring provider (PII-stripped before transmission)
A transactional-email provider (auth links, receipts)
We can provide specific sub-processor names on request for legal / compliance purposes — email [email protected].
Who we WILL NOT share with
Marketing data brokers
Targeting / advertising networks (beyond Google Ads conversion-pixel for our OWN remarketing, not for third-party targeting)
Other service providers (CPAs, attorneys, etc.) — only with your explicit consent
Legal compliance disclosures
We may disclose data when:
- Compelled by a valid US legal subpoena
- Required by FinCEN for BOI reporting (this is what BOI IS)
- Required by the IRS in response to a legitimate inquiry about a specific filing
- Necessary to investigate suspected fraud or abuse of our service
We do NOT proactively share customer data with law enforcement without a court order.
Your data rights
Access
Download all data we have about you: portal → Account Settings → Download my data (JSON + PDF export)
Get a list of all sub-processors we use: in this article
Correct
Edit your profile info in the portal (name, email, phone, address)
Some changes (business name) require a state filing — open a chat
Delete
Request account deletion: email [email protected]
We delete most data within 30 days
Some data (formation records, tax-required records) we MUST retain by law for 7 years
Payment records stay with our payment processor per their retention policy
Portability
Download your data in machine-readable JSON format
Re-import to another service if you switch (not all competitors accept imports)
Stop marketing
Click "unsubscribe" in any marketing email
Or: portal → Account Settings → Communication preferences
Note: transactional emails (receipts, filing confirmations, support replies) are sent regardless of marketing preferences
Incidents and breaches
We've never had a data breach. We hope to never have one. If we did:
We'd notify affected customers within 72 hours of confirming the breach
We'd disclose what data was affected, what we're doing about it, and what you should do
We'd offer credit monitoring (1 year minimum) at our expense for breaches involving SSN/financial info
We'd publish a post-mortem with what went wrong and what we changed
How to report a security concern
Suspected vulnerability: [email protected] (PGP key available)
Phishing / impersonation: forward the email to [email protected]
Lost or stolen device with FormationHub access: change your password immediately, then email [email protected]
You think you've been the victim of fraud using your FormationHub account: call us toll-free at +1 (888) 695-5281 during business hours, or email [email protected] — we have a 1-hour SLA for security incidents
Two-factor authentication
We recommend enabling 2FA on your account:
1. Sign in → Account Settings → Security
2. Add 2FA via authenticator app (Authy, Google Authenticator, 1Password, etc.)
3. Save your backup codes somewhere safe
We're working on adding hardware security key (YubiKey, etc.) support as an option for high-risk accounts.
Phishing awareness
The most common attack pattern against FormationHub customers is phishing:
⚠️ Emails asking you to "verify your EIN" — we never email asking for your EIN
⚠️ Emails with urgent language ("Your LLC is about to be dissolved! Click here!") — real notices come from state Secretaries of State, not from "LLC Compliance Department"
⚠️ Calls claiming to be from the IRS asking for SSN — real IRS calls don't ask for SSN
⚠️ DMs on social media offering "expedited formation" — never legitimate
When in doubt, sign in to your portal directly (don't click email links) and check status. Or open a chat with us to verify.
Common questions
"Is my data shared with other countries?"
Primary infrastructure is US-based. Some sub-processors may process data in other countries under the EU-US Data Privacy Framework or similar safeguards.
"How long do you keep my data?"
Active customers: indefinitely (for ongoing service)
Inactive customers (no service activity for 3+ years): we email asking if you want to delete or keep
Closed accounts: most data deleted within 30 days; legal-retention-required data kept 7 years
Payment records: per our payment processor's retention policy
"Can I get my data deleted right after my LLC is dissolved?"
Yes, but we recommend waiting until any tax-record retention obligations are met (typically 7 years from the last filing). Email [email protected] to start the process.
Next steps
Download your data: https://www.formationhub.com/member/settings/data
Concerned about something specific? Email [email protected] — we respond within 1 business hour during business hours.