GoRefer Trust Center
Compliance
Updated April 2026
GoRefer maintains a compliance program aligned with the requirements of tax industry regulators, data protection authorities, and enterprise security frameworks. Our compliance activities are continuously monitored and documented.
SOC 2 Type II
Updated April 2026
SOC 2 audit scheduled for Q3 2026
GoRefer is actively working toward SOC 2 Type II certification. The controls below represent our current implementation aligned with the SOC 2 Trust Service Criteria. A formal audit engagement is in progress with a licensed CPA firm.
Our security controls map to the AICPA Trust Services Criteria (TSC). The table below summarizes our coverage across all Common Criteria (CC) categories.
| Trust Service Criteria | Status | Controls in Place |
|---|---|---|
| CC1 – Control Environment | In Scope | Security policies, RBAC, code of conduct, training programs |
| CC2 – Communication | In Scope | Incident communication, privacy notices, system change notifications |
| CC3 – Risk Assessment | In Scope | Threat modeling, vendor risk assessments, vulnerability scanning |
| CC4 – Monitoring Activities | In Scope | Continuous uptime monitoring, security alerting, SIEM events |
| CC5 – Logical & Physical Access | In Scope | MFA, RBAC, session management, least privilege, physical data center (AWS) |
| CC6 – System Operations | In Scope | Change management, incident response, patch management |
| CC7 – Change Management | In Scope | PR reviews, staging environment, deployment approval gates |
| CC8 – Incident Management | In Scope | P0-P3 severity framework, post-mortems, customer notification SLAs |
| CC9 – Risk Mitigation | In Scope | Business continuity planning, disaster recovery, subprocessor contracts |
Request SOC 2 Roadmap
Enterprise customers and prospects can request our detailed SOC 2 readiness roadmap, including gap analysis and remediation timeline, via the Trust Portal.
IRS Publication 4557 — Safeguarding Taxpayer Data
Updated April 2026
IRS Publication 4557 defines security requirements for all tax professionals who handle taxpayer data. GoRefer is designed specifically for tax firms and implements the safeguards the publication requires, so that firms can meet their own compliance obligations.
| IRS Requirement | How GoRefer Addresses It | Status |
|---|---|---|
| IRS Rev. Proc. 2007-40 / Pub. 4557 | Data Security Plan | Implemented |
| Written Information Security Plan (WISP) | Internal security policy document, updated annually | Implemented |
| Taxpayer data encryption | AES-256 encryption at rest, TLS 1.3 in transit, and field-level encryption for PII fields | Implemented |
| Access controls | RBAC with least-privilege, MFA enforced for admin roles | Implemented |
| Incident response | Documented IR plan with IRS notification requirements | Implemented |
| Employee training | Annual security awareness training program | Implemented |
| Vendor due diligence | Subprocessor DPAs, annual security review | Implemented |
GDPR Compliance
Updated April 2026
Data Controller Responsibilities
- Lawful basis documented for every data processing activity
- Privacy notices served at collection points
- Data minimization — only collect what is needed
- Purpose limitation — no secondary uses without re-consent
- Data subject rights handled within 30-day SLA
Subprocessor Management
- All subprocessors have executed DPAs with SCCs where applicable
- Subprocessor register maintained and published (see Subprocessors page)
- Customer notification of new subprocessors with 30-day opt-out window
- Annual subprocessor security review
HIPAA Readiness
Updated April 2026
HIPAA compliance for enterprise healthcare clients
While GoRefer's core use case is tax referral management and GoRefer is not itself a covered entity under HIPAA, firms that handle health-related tax matters (e.g., HSA, FSA, ACA-related work) can request a Business Associate Agreement (BAA). GoRefer's encryption, access controls, and audit logging align with HIPAA Security Rule requirements.
Technical Safeguards
- AES-256 encryption at rest
- TLS 1.3 in transit
- MFA for all administrative access
- Audit logging of all PHI access
Administrative Safeguards
- Security Officer designated
- Annual workforce training
- Access authorization procedures
- Sanction policy for violations
BAA Availability
- BAA available on Growth, Scale, and Enterprise plans
- Request via security@gorefer.io or Trust Portal
- Standard BAA covers all GoRefer subprocessors
CCPA / CPRA
Updated April 2026
Consumer Rights (California)
- Right to know what personal information is collected
- Right to delete personal information
- Right to opt-out of sale (GoRefer does not sell data)
- Right to non-discrimination for exercising rights
- Right to correct inaccurate personal information
How to Exercise Rights
- Email privacy@gorefer.io with subject 'CCPA Request'
- Include your name, email address, and the right you wish to exercise
- Verified identity required before processing sensitive requests
- Response within 45 days (extendable to 90 days with notice)