
GoRefer Trust Center

Security

Updated April 2026

Security is a foundational pillar of the GoRefer platform — not a compliance afterthought. This page documents the technical security controls we have in place to protect your firm's data.

AES-256 · TLS 1.3 · MFA Enabled · Field-Level PII · Tenant Isolated · SOC 2-Aligned

Encryption in Transit

Enforced

Updated April 2026

All data transmitted between clients and GoRefer services is encrypted using TLS. Unencrypted HTTP connections are redirected to HTTPS at the network edge.

Transport Security

  • TLS 1.3 preferred; TLS 1.2 minimum

  • HTTP Strict Transport Security (HSTS) — 2-year max-age with preloading

  • Perfect Forward Secrecy (PFS) via ECDHE key exchange

  • Weak cipher suites disabled (RC4, DES, 3DES, MD5, SHA-1 deprecated)

  • Certificate managed by AWS Certificate Manager (ACM)

Scope of Coverage

  • All API endpoints (/api/*) — client → server

  • All webhook delivery and OAuth callbacks

  • S3 signed URL requests (HTTPS-only, no public bucket access)

  • Internal service-to-service communication (where applicable)

  • Database connections (MongoDB Atlas TLS enforced)

Encryption at Rest

AES-256

Updated April 2026

All persistent data is encrypted at rest using AES-256 across all storage layers.

| Storage Layer | Algorithm | Key Management | Notes |
|---|---|---|---|
| MongoDB Atlas (primary DB) | AES-256 | Atlas-managed CMK | Encryption at rest enabled by default on all clusters |
| AWS S3 (file storage) | AES-256 (SSE-S3) | AWS-managed keys | Server-side encryption on all buckets. SSE-KMS available. |
| Database backups | AES-256 | Atlas backup encryption | Automated backups encrypted before storage |
| Local application uploads (dev) | Filesystem encryption | OS-level | Dev only; production uses S3 exclusively |

Field-Level PII Encryption

AES-256-GCM Field Encryption

Updated April 2026

Sensitive PII fields are encrypted at the application layer before being written to storage. Even with direct database access, these fields are unreadable without a separate encryption key that is stored independently.

We apply a second, independent layer of AES-256-GCM encryption to every sensitive data field. This means your clients' SSNs, EINs, and bank details are protected by two separate encryption layers working together. AES-256-GCM provides both confidentiality and authenticated integrity — any tampering with ciphertext is detected.

Sensitive fields are always masked in API responses — SSN shown as ***-**-XXXX, bank accounts as last 4 digits only.

| PII Field | Protection | How It's Stored |
|---|---|---|
| Social Security Number (SSN) | AES-256-GCM (field-level) | Encrypted before write — plaintext never persisted |
| Employer Identification Number (EIN) | AES-256-GCM (field-level) | Encrypted before write — plaintext never persisted |
| Bank Account Number | AES-256-GCM (field-level) | Encrypted before write — plaintext never persisted |
| Bank Routing Number | AES-256-GCM (field-level) | Encrypted before write — plaintext never persisted |
| Driver License Number | AES-256-GCM (field-level) | Encrypted before write — plaintext never persisted |

Authentication & Identity

TOTP + JWT

Updated April 2026

Session Security

  • Short-lived session tokens — minimizes exposure if a token is intercepted

  • Secure, browser-only session cookies (inaccessible to JavaScript)

  • Sessions invalidated on logout and password change

  • Complete firm isolation: sessions are cryptographically bound to your firm

  • Session tokens are cryptographically hashed before storage

Multi-Factor Authentication

  • TOTP-based MFA — compatible with Google Authenticator, Authy, 1Password

  • Backup codes generated on MFA enrollment, stored securely

  • GoRefer operations staff require mandatory MFA on a separate authentication system

  • Brute force protection: automatic lockout after repeated failed attempts

  • Password minimum: 8 characters

Security Hub & Monitoring

Enterprise

Updated April 2026

All GoRefer tenants have access to a real-time Security Hub with event logs, session management, threat detection, and exportable audit trails.

Security Hub Features

  • Firm security health score (composite risk metric)

  • Real-time suspicious activity alerts (unusual login times, locations, volumes)

  • IP blocklist — manually or automatically block known bad actors

  • Active session listing with device/browser/IP metadata

  • Session revocation (individual or all-device logout)

  • Admin impersonation tracking with immutable start/stop logs

Audit Logging

  • All sensitive operations logged: authentication, CRUD on critical resources, admin actions

  • Log fields: actor (user ID, email, role), timestamp, IP, user-agent, resource, action, outcome

  • Tamper detection: log integrity verification on export

  • 365-day retention by default

  • CSV export for integration with SIEM tools

  • SOC 2 and HIPAA compliance tagging on relevant events

Secure Development Practices

Updated April 2026

Code & Input Safety

  • All user inputs are validated and sanitized before processing

  • All database queries are parameterized — injection attacks are not possible

  • File uploads are validated by type, content, and size — not just file extension

  • Automated dependency scanning in the CI/CD pipeline

  • Signed URLs for all files — no direct public file access, expiry enforced

Access & Operations

  • Principle of least privilege for all internal accounts and service roles

  • Production database access requires VPN and MFA — restricted to authorized staff

  • No production credentials in code or version control

  • All secrets managed via a dedicated secrets manager at runtime

  • GoRefer operations staff use a dedicated, isolated authentication system with 2FA

For penetration testing details, see Penetration Testing. To report a vulnerability, see Vulnerability Disclosure.

Security Incident History

Clean Record

Updated April 2026

No data breaches to date

GoRefer has never experienced a confirmed data breach or unauthorized disclosure of customer data. This record is maintained in this Trust Center and will be updated immediately if that status changes. Transparency is non-negotiable.

All security incidents — including near-misses and minor service disruptions — are logged in our Incident Response process and reviewed in post-mortems. Our goal is to learn from every event, however small, to continuously improve our security posture.

HTTP Security Headers

Updated April 2026

GoRefer serves a comprehensive set of security response headers. Security reviewers can verify these independently using tools such as securityheaders.com.

| Header | Protection | Status |
|---|---|---|
| Strict-Transport-Security | Forces HTTPS for 2 years; preloaded in browser HSTS lists — prevents protocol downgrade attacks | Enforced |
| Content-Security-Policy | Restricts allowed script, style, and media sources — primary XSS mitigation | Enforced |
| X-Frame-Options | Prevents embedding in iframes — blocks clickjacking attacks | DENY |
| X-Content-Type-Options | Disables MIME-sniffing — prevents content type confusion exploits | nosniff |
| Referrer-Policy | Prevents full URL from leaking to cross-origin sites via the Referer header | Enforced |
| Permissions-Policy | Disables camera, microphone, geolocation — prevents browser feature hijacking | Enforced |
| Cross-Origin-Opener-Policy | Isolates the browsing context — prevents cross-origin window attacks | same-origin |
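For reviewers who want to check these headers in their own tooling rather than a hosted scanner, here is an added example (not GoRefer's code) that audits a response header set against the table above and lists every deviation; the two header sets at the bottom are constructed samples, not captured responses.

```javascript
// Audit a response's security headers against the expectations in the table.
// Header names are lower-cased, matching how Node's http module returns them.
function auditSecurityHeaders(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);
  const findings = [];
  const TWO_YEARS = 2 * 365 * 24 * 3600; // 63072000 seconds

  const hsts = h["strict-transport-security"] || "";
  const maxAge = Number((hsts.match(/max-age=(\d+)/i) || [])[1] || 0);
  if (maxAge < TWO_YEARS) findings.push("HSTS max-age below 2 years");
  if (!/preload/i.test(hsts)) findings.push("HSTS missing preload directive");

  if (!h["content-security-policy"]) findings.push("Content-Security-Policy missing");
  if (h["x-frame-options"] !== "DENY") findings.push("X-Frame-Options is not DENY");
  if (h["x-content-type-options"] !== "nosniff") findings.push("X-Content-Type-Options is not nosniff");
  const rp = h["referrer-policy"] || "";
  if (!rp || /unsafe-url/i.test(rp)) findings.push("Referrer-Policy missing or unsafe-url");

  // Each listed feature must be fully disabled, i.e. an empty allowlist.
  const pp = h["permissions-policy"] || "";
  for (const feature of ["camera", "microphone", "geolocation"]) {
    if (!new RegExp(`${feature}=\\(\\)`).test(pp)) findings.push(`Permissions-Policy does not disable ${feature}`);
  }
  if (h["cross-origin-opener-policy"] !== "same-origin") findings.push("Cross-Origin-Opener-Policy is not same-origin");
  return findings;
}

// Constructed sample header sets for the demo.
const GOOD_HEADERS = {
  "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
  "Content-Security-Policy": "default-src 'self'",
  "X-Frame-Options": "DENY",
  "X-Content-Type-Options": "nosniff",
  "Referrer-Policy": "strict-origin-when-cross-origin",
  "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
  "Cross-Origin-Opener-Policy": "same-origin",
};
const WEAK_HEADERS = {
  "Strict-Transport-Security": "max-age=300",
  "X-Frame-Options": "SAMEORIGIN",
  "X-Content-Type-Options": "nosniff",
};
```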

For full network security details including WAF, DDoS protection, and rate limiting, see Network Security.