Legal

Legal & security.

Our Privacy Notice, Terms of Engagement, and the security measures that protect every filing.

§ I · Privacy

Privacy notice.

The short version: we collect only what we need to file your company, prove your identity to the state, and keep your account secure. We don't sell your data. You can export or delete it on request.

What we collect

To form your US company we collect identifying information about you and your beneficial owners: full legal name, date of birth, country of citizenship, country and address of residence, government-issued photo identification, and an email or phone number we can reach you on. We collect company details — proposed name, state of formation, registered office, business description, and cap-table allocation — and the transactional information needed to process payment.

Why we collect it

Information is collected exclusively to (a) prepare and file your formation documents with the relevant Secretary of State, (b) complete federal tax identification (EIN) on your behalf, (c) satisfy our Know-Your-Customer and anti-money-laundering obligations, (d) provide ongoing compliance services if you elect them, and (e) operate, secure, and improve the Forma platform.

Who we share it with

  • State filing agencies, the IRS, and registered-agent partners required to complete your filing
  • Identity verification, sanctions, and payment processors operating under contract with us
  • Auditors, regulators, and counsel where required by law

We do not sell personal data, and we do not share it for third-party advertising.

How long we keep it

Most identity records are retained for seven (7) years after the close of your account, in line with US recordkeeping requirements for regulated services. You may request earlier deletion of non-statutory data at any time by writing to privacy@forma.co.

Your rights

You may request access to, correction of, or a copy of the personal data we hold about you. Residents of the European Economic Area, the United Kingdom, and California have additional rights under applicable law, including the right to data portability and the right to lodge a complaint with a supervisory authority.

★ A complete Data Processing Addendum is available on request for enterprise customers.

§ II · Terms

Terms of engagement.

The short version: Forma is a software platform and filing agent, not a law firm or tax advisor. We file your documents accurately and on time; you're responsible for the truth of what you tell us and for any ongoing obligations of your company.

What Forma is, and isn't

Forma, Inc. ("Forma") provides software and ministerial filing services that prepare, lodge, and track formation documents with the relevant Secretary of State. We are not a law firm and we do not provide legal advice, tax advice, or investment advice. Where you require those services, you should engage qualified counsel.

Your responsibilities

  • Provide accurate, complete, and current information about you, your company, and your beneficial owners
  • Comply with federal, state, and your home-country laws applicable to your business
  • Pay the fees set out in the order summary at checkout, including any non-refundable state filing fees
  • Maintain the security of your account credentials and the confidentiality of your filing materials

Fees and refunds

Platform fees are refundable in full if you cancel your filing before we lodge documents with the state. Once a document has been lodged, the state filing fee is non-refundable; the platform fee may be partially refundable at our discretion. Recurring subscriptions (Compliance+, Registered Agent renewals) may be cancelled at any time, effective at the end of your current billing period.

Limitation of liability

To the maximum extent permitted by law, Forma's aggregate liability for any claim arising out of these terms is limited to the fees you paid us in the twelve (12) months preceding the claim. We are not liable for indirect, incidental, or consequential damages.

Governing law

These terms are governed by the laws of the State of Delaware, USA, without regard to its conflict-of-laws principles. Disputes will be resolved exclusively in the state and federal courts located in New Castle County, Delaware.

★ A signed Master Services Agreement is available for customers forming five or more entities.

§ III · Security

Security posture.

The short version: SOC 2 Type II, encryption in transit and at rest, least-privilege access controls, and quarterly third-party penetration tests. Sensitive identity documents are isolated from public endpoints.

Encryption

All data in transit is encrypted with TLS 1.3 (minimum). Data at rest is encrypted with AES-256-GCM. Identity documents (passports, government IDs) are stored in an isolated, key-rotated bucket separate from the operational database, and accessed only through a separate authorisation channel.

Access controls

Access to customer data is granted on a least-privilege basis, reviewed quarterly, and revoked within twenty-four hours of role change or departure. All administrative access requires hardware-backed multi-factor authentication; all production actions are logged immutably for ninety days.

Audits and attestations

  • SOC 2 Type II — audited annually by Schroder & Co., LLP
  • Quarterly third-party penetration testing
  • Continuous vulnerability scanning
  • Incident response runbooks tested twice annually

Responsible disclosure

If you believe you've discovered a vulnerability, please write to security@forma.co with as much detail as possible. We acknowledge reports within one business day and aim to resolve verified issues within thirty days. We do not pursue legal action against good-faith researchers.

★ Auditor's letters and our latest pen-test attestation are available on request under NDA.

§ IV · Get in touch

Questions on these?

Write to legal@forma.co for any policy, contractual, or security enquiry. For account, billing, or filing questions, the team at founders@forma.co will be faster.

Contact form → Back to home