
GoRefer Trust Center

Access Control

Updated April 2026

GoRefer enforces a least-privilege access model so every user can only see and do exactly what their role allows. No user can access another firm's data, and within a firm, access is scoped by role.

MFA Enabled
RBAC Enforced
Least Privilege
Audit Logged

Role-Based Access Control (RBAC)

Updated April 2026

Every GoRefer account operates on a permission-based role system. Each role is granted the minimum access needed for the job — nothing more. Permissions are enforced server-side on every request; they cannot be bypassed by the client.

Role        What They Can Do          Restrictions
Admin       Full firm access          Manage users, commission settings, billing, and all firm data
Preparer    Own clients & referrals   Can only view and manage their own assigned clients and referrals
Client      Client portal only        Submit referrals, check reward status, update profile
Agent       Recruiting pipeline       Limited to the preparer enrollment workflow

Complete firm isolation

Your firm's data is completely isolated from every other GoRefer customer. No user — regardless of role — can access data belonging to a different firm. Cross-firm access is blocked and flagged as a security event.
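As an added illustration (not GoRefer's own code; the action names, `firm_id`/`owner_id` fields and the event list are assumptions), a server-side authorization check that applies the rules above in the order that matters: firm isolation first, so no role can reach another firm's data, then the role's minimum permission set, then ownership scoping for preparers:

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Set


class Role(Enum):
    ADMIN = "admin"
    PREPARER = "preparer"
    CLIENT = "client"
    AGENT = "agent"


# Constructed permission sets mirroring the role table (action names are assumed).
ROLE_ACTIONS: Dict[Role, Set[str]] = {
    Role.ADMIN: {"manage_users", "manage_commissions", "manage_billing",
                 "view_client", "manage_referral"},
    Role.PREPARER: {"view_client", "manage_referral"},
    Role.CLIENT: {"submit_referral", "view_reward_status", "update_profile"},
    Role.AGENT: {"enroll_preparer"},
}


@dataclass(frozen=True)
class User:
    user_id: str
    firm_id: str
    role: Role


@dataclass(frozen=True)
class Resource:
    firm_id: str
    owner_id: Optional[str] = None  # e.g. the preparer a client is assigned to


SECURITY_EVENTS: List[Dict[str, str]] = []  # stand-in for the audit/event sink


def authorize(user: User, action: str, resource: Resource) -> bool:
    """Decide server-side; the client never gets to skip any of these checks."""
    # 1. Firm isolation: a cross-firm request is denied and flagged, whatever the role.
    if user.firm_id != resource.firm_id:
        SECURITY_EVENTS.append({"type": "cross_firm_access", "user": user.user_id,
                                "from_firm": user.firm_id, "to_firm": resource.firm_id})
        return False
    # 2. Role gate: the action must be in the role's minimum permission set.
    if action not in ROLE_ACTIONS[user.role]:
        return False
    # 3. Ownership scope: preparers only reach their own assigned clients/referrals.
    if user.role is Role.PREPARER and resource.owner_id != user.user_id:
        return False
    return True
```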

Multi-Factor Authentication (MFA)

TOTP

Updated April 2026

Authenticator App Support

  • Time-based one-time passwords (TOTP) — industry-standard 2FA

  • Works with Google Authenticator, Authy, 1Password, and Microsoft Authenticator

  • 8 one-time backup codes generated on enrollment

  • Simple QR-code setup — takes under a minute

  • MFA secrets never exposed in API responses

Privileged Access MFA

  • GoRefer operations staff use a separate, isolated authentication process

  • Mandatory MFA for all staff with any access to production systems

  • Staff sessions expire automatically after inactivity

  • All staff access events are recorded in an immutable audit log

Session Management

Updated April 2026

Session Security

  • Short-lived session tokens

    Sessions use short-expiry tokens to minimize exposure if a token is ever intercepted

  • Secure, browser-only session cookies

    Session cookies cannot be read by JavaScript, which limits session theft through XSS attacks

  • Automatic session expiry

    Sessions expire after inactivity and on password change or account deactivation

  • Session tokens are never stored in plaintext

    Cryptographically hashed before storage

Session Controls

  • View all active sessions with device, browser, and location in Security Hub

  • Log out any individual device remotely — no IT help required

  • One-click logout from all devices simultaneously

  • Admin-assisted access sessions are time-limited and fully logged

  • Sensitive actions are restricted during assisted access sessions

Rate Limiting & Brute Force Protection

Updated April 2026

IP-Based Rate Limiting

  • Per-IP rate limiting on all authentication endpoints

  • Login endpoint: configurable threshold with exponential backoff

  • Registration endpoint: rate limited to prevent account farming

  • Password reset: rate limited with cooldown periods

  • API endpoints: per-user rate limits on compute-intensive operations (AI, exports)

IP Blocklist

  • Admin-managed IP blocklist per tenant (Security Hub)

  • Platform-level blocklist for known malicious actors

  • Automatic IP flagging on repeated failed login attempts

  • Blocklist entries logged in audit trail with timestamp and actor

  • Cloudflare WAF provides edge-level blocking before requests reach the application