GoRefer Trust Center
Data Protection
Updated April 2026
GoRefer applies multiple layers of data protection, with particular emphasis on sensitive PII fields used in tax workflows. This page details our field-level encryption, key management practices, and data minimization controls.
Encryption at Rest
Updated April 2026
Database Encryption
MongoDB Atlas Encryption at Rest
AES-256 encryption for all data at the storage layer via MongoDB Atlas encrypted storage engine
Volume encryption
AWS EBS volumes on application servers are encrypted with AES-256
Backup encryption
All automated backups inherit the same encryption configuration
Field-Level Protection
Additional encryption on sensitive fields
PII fields are encrypted individually at the application layer, before being written to the database
Defense-in-depth
Two independent layers of encryption: storage-level and field-level. Both must be compromised for data to be readable
Keys isolated from data
Encryption keys are never stored alongside the data they protect
What We Encrypt
Updated April 2026
The following sensitive data types receive field-level encryption on top of the storage-layer encryption. Even if database storage were ever compromised, these fields remain unreadable without the separate encryption key.
| Sensitive Data | Protection Method | Who Can Access |
|---|---|---|
Social Security Number (SSN) | AES-256 (field-level) | Firm admin, system processing only |
Employer Identification Number (EIN) | AES-256 (field-level) | Firm admin, system processing only |
Bank Account Number | AES-256 (field-level) | Firm admin only |
Bank Routing Number | AES-256 (field-level) | Firm admin only |
Driver License Number | AES-256 (field-level) | Firm admin only |
Payment Card | Tokenized by Stripe — never stored on GoRefer servers | System only (via Stripe) |
API responses never return raw PII
The GoRefer API always masks or omits sensitive fields in responses. SSN is displayed as '***-**-XXXX'. Bank account shown as last 4 digits only. This applies regardless of the caller's role.
Key Management
Updated April 2026
Key Storage & Rotation
Encryption keys are stored separately from the data they protect
Keys managed via AWS Secrets Manager in production
Separate keys per environment — development keys never touch production data
Keys can be rotated without service downtime
After a key rotation, all existing encrypted data is automatically re-encrypted
Who Can Access Keys
Keys are accessible only to the application at runtime
No individual engineer has unilateral access to production encryption keys
Key access events are logged via AWS CloudTrail
Multi-party authorization required to view or rotate production keys
Data Minimization & Pseudonymization
Updated April 2026
Data Minimization
Only fields required for the tax workflow are collected
Optional PII fields (DL number) collected only when explicitly provided
Analytics data aggregated and stripped of direct identifiers
AI model inputs anonymized before external API calls where possible
Export and reporting features output only the minimum required fields
Pseudonymization Practices
Internal analytics use pseudonymous user IDs, not email or name
Error tracking (Sentry) configured to scrub PII from stack traces
Log files sanitized to remove sensitive field values
Test and staging environments use synthetic data, never production PII