Trust program v1 · April 2026

The trust center.

Incorporator issues seals to other organizations that pass our Trust, Privacy, and Editorial programs. Our own posture has to pass the same rubric. This page is that posture, in public, with enough detail for a reader to verify what we're claiming.

Self-certification

Incorporator is certified against its own Trust program, v1. The live seals are issued by scripts/issue-founding-seals.mjs; once that script has run against this environment, the three seals will appear here with links to their /verify/:id pages. Until then, treat this page as the authoritative record.

Infrastructure

One stack, one vendor, public config.

The entire site runs on Cloudflare. No third-party SaaS sits in the hot path of a request. TLS 1.3 is terminated at the edge; HSTS is preloaded; DDoS mitigation and the WAF are Cloudflare's platform defaults. The Worker configuration is checked into the repository as wrangler.jsonc, so anyone can read what we bind where.

Runtime
Astro 6 compiled to a single Cloudflare Worker. Zero Node runtime, zero container orchestration, zero long-lived servers.
Database
Cloudflare D1 (SQLite at the edge), schema managed by Drizzle migrations. One primary region, read replicas follow the request.
Object storage
Cloudflare R2 for article images, generated seals, PDF exports. No public listing; URLs are signed or proxied through a Worker.
Key-value
Three Cloudflare KV namespaces: SESSION (short-lived admin session state), IDEMPOTENCY (dedupe keys for write APIs), CACHE (hot-path response cache).
Vector search
Cloudflare Vectorize for article similarity and related-reading recommendations. Embeddings generated by Workers AI.
Images
Cloudflare Images for resize and format negotiation. Original assets live in R2.
Email
Cloudflare's send_email binding for newsletter delivery and transactional mail. No third-party ESP.
Durable state
Two Durable Object classes: EditorAgent (long-running editorial workflows) and RateLimiter (per-IP and per-key windows).
Editorial walls

Revenue separated from judgement.

All affiliate revenue flows through /go/:slug, a swappable Worker redirect. The editorial ranking of any service is locked in the repository before we contact that service about an affiliate relationship. We do not accept payment for placement, we do not adjust rankings in response to a partnership discussion, and the full methodology is published at /methodology.

The editorial policy lays out the fact-check cadence and corrections discipline. The affiliate disclosure names every partner and the commission structure in plain numbers.

Security posture

The headers we send, verbatim.

Every response is stamped by src/middleware.ts with the headers below. The Content-Security-Policy line shows the core policy as currently enforced; the full CSP string, including the font and style origins, is checked into the middleware file.

Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
Content-Security-Policy: default-src 'self'; object-src 'none'; frame-ancestors 'self'; upgrade-insecure-requests
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: geolocation=(), microphone=(), camera=()
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Cross-Origin-Opener-Policy: same-origin
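As an added example (not the site's src/middleware.ts), a small JavaScript audit that checks a captured response-header map against the posture listed above. It parses the HSTS and CSP values rather than string-matching them, so the wider live CSP still passes while a missing object-src 'none', a wildcard or an 'unsafe-inline' source is flagged.

```javascript
// Added example, not the site's middleware: audit a captured response-header map against
// the posture published on this page. The expected values below are copied from the page.
const PUBLISHED = {
  'strict-transport-security': 'max-age=63072000; includeSubDomains; preload',
  'content-security-policy': "default-src 'self'; object-src 'none'; frame-ancestors 'self'; upgrade-insecure-requests",
  'referrer-policy': 'strict-origin-when-cross-origin',
  'permissions-policy': 'geolocation=(), microphone=(), camera=()',
  'x-content-type-options': 'nosniff',
  'x-frame-options': 'SAMEORIGIN',
  'cross-origin-opener-policy': 'same-origin',
};
const MIN_HSTS_MAX_AGE = 63072000; // two years, the lifetime the page commits to
const PARSED = new Set(['strict-transport-security', 'content-security-policy']); // checked by meaning

// Parse a CSP string into { directive: [sources] } with lower-cased directive names.
function parseCsp(csp) {
  const policy = {};
  for (const part of csp.split(';')) {
    const [directive, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (directive) policy[directive.toLowerCase()] = sources;
  }
  return policy;
}

// Returns a list of findings; an empty list means the response matches the published posture.
// HSTS and CSP are judged by meaning, because the live CSP may legitimately list more origins
// than the page's summary; every other header must match the published value (case-insensitive).
function auditHeaders(headers) {
  const h = Object.fromEntries(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v.trim()]));
  const findings = [];
  for (const [name, want] of Object.entries(PUBLISHED)) {
    if (!h[name]) findings.push(`missing ${name}`);
    else if (!PARSED.has(name) && h[name].toLowerCase() !== want.toLowerCase())
      findings.push(`${name} is "${h[name]}", expected "${want}"`);
  }
  if (h['strict-transport-security']) {
    const parts = h['strict-transport-security'].split(';').map((d) => d.trim().toLowerCase());
    const maxAge = Number((parts.find((d) => d.startsWith('max-age=')) || 'max-age=0').slice(8));
    if (maxAge < MIN_HSTS_MAX_AGE) findings.push(`HSTS max-age ${maxAge} below ${MIN_HSTS_MAX_AGE}`);
    if (!parts.includes('includesubdomains') || !parts.includes('preload')) findings.push('HSTS lacks includeSubDomains or preload');
  }
  if (h['content-security-policy']) {
    const p = parseCsp(h['content-security-policy']);
    if (!(p['object-src'] || []).includes("'none'")) findings.push("CSP object-src is not 'none'");
    for (const d of ['default-src', 'frame-ancestors']) if (!p[d]) findings.push(`CSP lacks ${d}`);
    for (const [d, srcs] of Object.entries(p))
      if (srcs.includes('*') || srcs.includes("'unsafe-inline'")) findings.push(`CSP ${d} allows * or 'unsafe-inline'`);
  }
  return findings;
}
```

Feed it the header map from any captured response (for example the object returned by iterating a fetch Response's headers); `auditHeaders(PUBLISHED)` returns an empty list.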

A human-readable security contact is kept at /.well-known/security.txt, refreshed alongside this page.

Responsible disclosure

How to tell us we got something wrong.

Report a vulnerability to security@incorporator.org. A PGP key for that inbox is published at /.well-known/security.txt; encrypt anything sensitive. We acknowledge receipt within 48 hours and publish a fix or a plan within 90 days of the report, unless we agree a longer window with you. We credit researchers on a hall-of-fame list below once the disclosure is closed. We don't threaten legal action against researchers acting in good faith under this policy.

Scope: incorporator.org and www.incorporator.org, including all API routes and the admin surface. Out of scope: social engineering of staff, physical intrusion, denial-of-service testing, and anything that would affect a third party hosted alongside us on Cloudflare.

Audit

Dogfood, on purpose.

The controls we apply to every applicant in the Trust program are the same controls we apply to ourselves: privacy posture, tracker surface, security headers, incident response. When the rubric changes, our own seal is re-run against the new version. If we fail a control, it shows up here before it shows up anywhere else.

The seal, once issued, will be verifiable at /verify/:id and embeddable as a badge from the same path. The HMAC signature on each seal lets an outside verifier confirm the payload without reading our database.

Incident communication

Four channels, one source of truth.

A breach notice goes up within 72 hours of confirming an incident. The four channels below are where it lands; the trust-center entry is the canonical record, and every other channel links back to it.

Compliance

What we are, what we aren't.

Most trust pages list a pile of logos. Ours lists what's actually in place today, in plain language.

Data exports

Ask and we send the file.

For now, data portability runs through email. Send a request to privacy@incorporator.org referencing this page and we reply with a JSON export of everything on file. A self-service API endpoint will follow in a later release; when it ships, it ships here with the date.


Updated April 2026.