GoRefer Trust Center
Compliance
Updated April 2026
GoRefer maintains a compliance program aligned with the requirements of tax industry regulators, data protection authorities, and enterprise security frameworks. Our compliance activities are continuously monitored and documented.
Compliance Roadmap
| Framework | Target | Status |
|---|---|---|
| GDPR | Ongoing | Full compliance |
| IRS 4557 | Ongoing | All controls implemented |
| CCPA | Ongoing | Consumer rights enforced |
| SOC 2 Type II | Q3 2026 | All CC1–CC9 controls implemented |
| ISO 27001 | 2027 | Roadmap target |
SOC 2 Type II
Updated April 2026
SOC 2 Type II — all controls implemented
GoRefer has implemented all Trust Service Criteria (CC1–CC9) controls. A formal SOC 2 Type II audit engagement is in progress with a licensed CPA firm, targeting completion in Q3 2026. Our security controls map to the AICPA Trust Services Criteria (TSC); the table below summarizes the specific controls in place for each Common Criteria (CC) category.
| Trust Service Criteria | Status | Controls in Place |
|---|---|---|
| CC1 – Control Environment | Implemented | RBAC with 4 tenant + 5 platform roles, password complexity enforcement (8+ chars, upper/lower/digit/special), rate-limited auth endpoints, employee security training program |
| CC2 – Communication | Implemented | 15+ page Trust Center, published privacy notices (GDPR/CCPA), subprocessor register with 9 vendors, incident notification SLAs, changelog |
| CC3 – Risk Assessment | Implemented | Automated threat detection (brute force, credential stuffing, account compromise, session hijack, tenant isolation), domain reachability monitoring, vulnerability disclosure program |
| CC4 – Monitoring Activities | Implemented | Tamper-proof hash-chain audit logging, daily integrity checks, Sentry error tracking (PII scrubbed), system health dashboard, real-time super admin alerting |
| CC5 – Logical & Physical Access | Implemented | TOTP MFA with backup codes, session families with token rotation, cross-tenant access blocking, JWT-based least privilege, isolated super admin portal, MongoDB Atlas AES-256 at rest, TLS 1.3 in transit |
| CC6 – System Operations | Implemented | Security headers (HSTS, CSP with per-request nonces, X-Frame-Options), CORS policy, scheduler health monitoring, automated session cleanup |
| CC7 – Change Management | Implemented | PR-based code review, staging environment, deployment approval gates, version-controlled infrastructure |
| CC8 – Incident Management | Implemented | P0–P3 severity framework with response SLAs (15 min–8 hr), NIST 800-61r2 aligned IRP, post-mortems within 7 days, GDPR 72-hour notification |
| CC9 – Risk Mitigation | Implemented | Automated database backups with configurable retention, RTO 4 hr / RPO 1 hr targets, quarterly DR drills, subprocessor DPAs, 90-day data retention after cancellation |
Request SOC 2 Roadmap
Enterprise customers and prospects can request our detailed SOC 2 readiness roadmap, including gap analysis and remediation timeline, via the Trust Portal.
IRS Publication 4557 — Safeguarding Taxpayer Data
Updated April 2026
IRS Publication 4557 defines security requirements for all tax professionals who handle taxpayer data. GoRefer is designed specifically for tax firms and implements all required safeguards to support their compliance obligations.
| IRS Requirement | How GoRefer Addresses It | Status |
|---|---|---|
| IRS Rev. Proc. 2007-40 / Pub. 4557 | Data Security Plan | Implemented |
| Written Information Security Plan (WISP) | Internal security policy document, updated annually | Implemented |
| Taxpayer data encryption | AES-256 encryption at rest, TLS 1.3 in transit, and field-level encryption for PII fields | Implemented |
| Access controls | RBAC with least-privilege, MFA enforced for admin roles | Implemented |
| Incident response | Documented IR plan with IRS notification requirements | Implemented |
| Employee training | Annual security awareness training program | Implemented |
| Vendor due diligence | Subprocessor DPAs, annual security review | Implemented |
GDPR Compliance
Updated April 2026
Data Controller Responsibilities
- Lawful basis documented for every data processing activity
- Privacy notices served at collection points
- Data minimization — only collect what is needed
- Purpose limitation — no secondary uses without re-consent
- Data subject rights handled within 30-day SLA
Subprocessor Management
- All subprocessors have executed DPAs with SCCs where applicable
- Subprocessor register maintained and published (see Subprocessors page)
- Customer notification of new subprocessors with 30-day opt-out window
- Annual subprocessor security review
HIPAA Readiness
Updated April 2026
HIPAA compliance for enterprise healthcare clients
While GoRefer's core use case is tax referral management (not a covered entity under HIPAA), firms that handle health-related tax matters (e.g., HSA, FSA, ACA-related work) can request a Business Associate Agreement (BAA). GoRefer's encryption, access controls, and audit logging align with HIPAA Security Rule requirements.
Technical Safeguards
- AES-256 encryption at rest
- TLS 1.3 in transit
- MFA for all administrative access
- Audit logging of all PHI access
Administrative Safeguards
- Security Officer designated
- Annual workforce training
- Access authorization procedures
- Sanction policy for violations
BAA Availability
- BAA available on Growth, Scale, and Enterprise plans
- Request via security@gorefer.io or Trust Portal
- Standard BAA covers all GoRefer subprocessors
CCPA / CPRA
Updated April 2026
Consumer Rights (California)
- Right to know what personal information is collected
- Right to delete personal information
- Right to opt-out of sale (GoRefer does not sell data)
- Right to non-discrimination for exercising rights
- Right to correct inaccurate personal information
How to Exercise Rights
- Email privacy@gorefer.io with subject 'CCPA Request'
- Include your name, email address, and the right you wish to exercise
- Verified identity required before processing sensitive requests
- Response within 45 days (extendable to 90 days with notice)