GoRefer Trust Center
Data Processing Agreement
Updated April 2026
GoRefer's Data Processing Agreement (DPA) is compliant with GDPR Article 28 and incorporates the EU Standard Contractual Clauses (2021). This page summarizes the key provisions. The full executed DPA is available on request through the Trust Portal.
DPA Availability by Plan
Growth Plan
Standard GoRefer DPA
Covers all GDPR Article 28 requirements
SCCs pre-executed
UK IDTA addendum available
Request via Trust Portal
Scale Plan
Standard DPA + CCPA addendum
BAA available on request
Priority 5-day turnaround
Named legal contact for queries
Request via Trust Portal
Enterprise Plan
Custom DPA negotiation supported
Legal review and redlines accepted
HIPAA BAA included
Click-through or wet signature options
Dedicated Customer Success contact
Key DPA Clauses Summary
The following summarizes the key provisions of GoRefer's standard DPA. This is a summary only — the authoritative document is the executed DPA available via the Trust Portal.
Subject Matter & Duration
GoRefer processes personal data on behalf of the customer (the Controller) solely to provide the GoRefer platform services. Processing continues for the duration of the subscription agreement.
Nature and Purpose of Processing
Storage and retrieval of tax referral and commission management data; AI-assisted workflow processing; transactional email delivery; analytics.
Categories of Data Subjects
Tax professionals, their clients, and administrative staff within the customer's firm.
Categories of Personal Data
Identity data, contact information, professional credentials, tax client records (including PII), authentication data, usage logs.
Controller Instructions
GoRefer processes personal data only on documented instructions from the customer. Instructions are provided via product configuration, API calls, and account settings.
Sub-processor Management
GoRefer maintains a list of authorized sub-processors. Customers are notified of new sub-processors 30 days in advance and may object in writing.
Security Measures (Art. 32 GDPR)
AES-256 encryption at rest, TLS 1.3 in transit, field-level PII encryption, MFA, RBAC, penetration testing, security monitoring.
Data Subject Rights Assistance
GoRefer provides mechanisms and reasonable assistance to enable customers to respond to data subject rights requests (access, erasure, portability, restriction).
Data Breach Notification
GoRefer notifies customers without undue delay (and within 72 hours where feasible) upon becoming aware of a personal data breach affecting their data.
Return / Deletion on Termination
Upon termination of the agreement, GoRefer provides data export for 30 days, then deletes all customer personal data unless a legal retention obligation applies.
Audit Rights
Customers may request audit information (questionnaires, certifications) once per year. On-site audits require 30 days' notice and cost reimbursement.
International Transfers
Transfers outside the EEA use EU Standard Contractual Clauses (2021 edition). The UK IDTA addendum applies for UK personal data.
Standard Contractual Clauses (SCCs)
2021 EU SCCs (Controller-to-Processor)
GoRefer's DPA incorporates the European Commission's Standard Contractual Clauses decision of 4 June 2021 (Module Two: Controller to Processor) for transfers of EU personal data to GoRefer in the United States. A Transfer Impact Assessment (TIA) is available on request.
Request Your DPA
To receive a signed copy of the GoRefer DPA, request access to the full DPA document via the Trust Portal. Enterprise customers needing to negotiate custom terms should contact their account manager or email legal@gorefer.io.