GoRefer Trust Center
Employee & Operational Security
Updated April 2026
The strongest technical controls can be undermined by insufficient operational security practices. GoRefer treats employee access management, training, and offboarding as first-class security controls — not HR paperwork.
This page documents the policies and procedures that govern how GoRefer's team accesses, handles, and protects the systems that process your data.
Pre-Employment & Contractor Screening
Screening Process
Background verification: Identity verification and employment history checks are conducted for all staff who will have access to production systems or customer data
Reference checks: Professional references required for senior engineering and operations roles
NDA on day one: All employees and contractors sign a confidentiality agreement before receiving any system access
Security policy acknowledgement: GoRefer's Acceptable Use Policy and Information Security Policy are acknowledged in writing before access is provisioned
Contractor & Vendor Access
No standing access for contractors: Contractors receive time-limited, scoped access that expires automatically at engagement end
Same MFA requirements: Contractors accessing production infrastructure are subject to the same MFA and VPN requirements as full-time staff
DPA or NDA required: Any third-party individual with access to systems that may process customer data must execute a DPA or NDA
Periodic access reviews: Contractor access is reviewed at 90-day intervals and revoked if no longer needed
Staff Access Controls
GoRefer applies a strict least-privilege model. Access is provisioned by role, not by individual request chain, and is reviewed quarterly. The table below shows the access boundary for each internal role.
| Staff Role | Prod DB Access | Customer Data | MFA | Notes |
|---|---|---|---|---|
| Engineering (General) | No | No | Yes | Access to staging and dev environments only |
| Engineering (Senior / Infra) | Read-only via VPN + MFA | No — data is always encrypted | Yes (mandatory) | All access events logged; peer approval required for certain operations |
| Operations / Support | No | Pseudonymous logs only | Yes | No access to raw customer PII |
| Platform Admins (super_admin) | Audited access via isolated 2FA portal | Encrypted only — cannot read PII without key | Yes — separate isolated auth system | Separate authentication system from main product; all actions immutably logged |
GoRefer staff cannot read your PII
Even staff with database access cannot read sensitive PII fields (SSN, EIN, bank details, DL numbers) — these fields are encrypted at the field level with a key that is not accessible in the database. Plaintext PII can only be decrypted by the application at runtime, scoped to the requesting firm.
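The following is an added illustration of the field-level, firm-scoped encryption model described above; it is not GoRefer's code. It assumes a root key that exists only in application memory (for example, loaded from a secrets manager at start-up) and uses an HMAC-based encrypt-then-MAC construction in place of a real AEAD cipher so that it runs with the Python standard library alone. A ciphertext sealed for one firm and one column cannot be opened under another firm's scope or a different column, and a row read straight from the database yields only the opaque blob.

```python
import hashlib
import hmac
import os
import secrets

# Constructed example: the root key lives only in application memory (e.g. loaded from a
# secrets manager at start-up) and is never stored in the database alongside the ciphertext.
APP_ROOT_KEY = secrets.token_bytes(32)


def derive_subkey(root_key: bytes, firm_id: str, purpose: bytes) -> bytes:
    """HKDF-style derivation of a per-firm, per-purpose subkey (encryption vs. MAC)."""
    return hmac.new(root_key, b"field-key|" + purpose + b"|" + firm_id.encode(), hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode used as a PRF; a stand-in for a real AEAD cipher."""
    out = b""
    for counter in range((length + 31) // 32):
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]


def _tag(mac_key: bytes, firm_id: str, field: str, nonce: bytes, ct: bytes) -> bytes:
    # Bind the ciphertext to the firm and the column it belongs to (encrypt-then-MAC).
    return hmac.new(mac_key, firm_id.encode() + b"|" + field.encode() + b"|" + nonce + ct, hashlib.sha256).digest()


def encrypt_field(root_key: bytes, firm_id: str, field: str, plaintext: str) -> bytes:
    """Return the opaque blob (nonce || tag || ciphertext) that is written to the DB column."""
    enc_key = derive_subkey(root_key, firm_id, b"enc")
    mac_key = derive_subkey(root_key, firm_id, b"mac")
    nonce = os.urandom(16)
    pt = plaintext.encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(enc_key, nonce, len(pt))))
    return nonce + _tag(mac_key, firm_id, field, nonce, ct) + ct


def decrypt_field(root_key: bytes, firm_id: str, field: str, blob: bytes) -> str:
    """Decrypt only if the blob was sealed for this firm and this column; otherwise refuse."""
    enc_key = derive_subkey(root_key, firm_id, b"enc")
    mac_key = derive_subkey(root_key, firm_id, b"mac")
    nonce, tag, ct = blob[:16], blob[16:48], blob[48:]
    if not hmac.compare_digest(tag, _tag(mac_key, firm_id, field, nonce, ct)):
        raise PermissionError("field is not decryptable in the scope of firm %r" % firm_id)
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct)))).decode()
```

Because the per-firm subkeys are derived from the in-memory root key, a database dump contains nothing that lets a reader recover the plaintext, which is the property the table above relies on.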
Isolated Operations Portal
GoRefer operates a completely separate, isolated portal for platform administration tasks. This portal is not part of the main product and is only accessible to a small number of authorized platform administrators.
Authentication Requirements
Separate credentials from the main product — no shared passwords
Mandatory 2FA on every login, via a separate authentication system
IP allowlist enforced — access only from pre-registered networks
Session timeout after 15 minutes of inactivity
Auditability
Every admin action is logged with actor, timestamp, resource, and outcome
Logs are stored in an immutable, append-only audit trail
No action can be taken without generating a log entry
Log export available for compliance reviews
Security Training Program
All GoRefer staff complete mandatory security training. Completion is tracked, and non-completion blocks access reviews. Topics are reviewed annually and updated to reflect the current threat landscape.
| Training Topic | Frequency | Audience | Format |
|---|---|---|---|
| Security Awareness Fundamentals | Annual | All staff | Interactive — completion tracked |
| GDPR & Data Privacy Obligations | Annual | All staff | Written + assessment |
| IRS Publication 4557 Requirements | Annual | Engineering, Product | Policy acknowledgement |
| Secure Coding Practices (OWASP) | Annual + on-hire | Engineering | Guided course |
| Incident Response Procedures | Annual + tabletop exercises | Engineering, Operations | Tabletop simulation |
| Phishing & Social Engineering | Quarterly simulation | All staff | Simulated attack + debrief |
| Password & Secrets Management | On-hire + annual refresh | All staff | Policy + tool training |
Offboarding & Access Revocation
Access revoked on same day as departure
GoRefer's offboarding procedure requires all system access — including third-party tools, production systems, code repositories, and cloud infrastructure — to be revoked on the employee's last day of employment, or immediately upon termination.
Day-of Revocation
All SSO and identity provider access revoked
All active sessions invalidated
SSH keys and API tokens rotated
Production system credentials changed
Within 24 Hours
All third-party tool access confirmed revoked
MFA devices deregistered
Email forwarding rules reviewed
Code signing certificates revoked
Post-Departure Review
Access audit of departing staff's permissions
Review of recent activity logs
NDA reminder and IP assignment confirmation
Checklist retained in HR records