
GoRefer Trust Center

Security

Updated April 2026

Security is a foundational pillar of the GoRefer platform — not a compliance afterthought. This page documents the technical security controls we have in place to protect your firm's data.

Controls at a glance: AES-256 · TLS 1.3 · MFA Enabled · Field-Level PII · Tenant Isolated · SOC 2-Aligned

Encryption in Transit (Enforced; updated April 2026)

All data transmitted between clients and GoRefer services is encrypted using TLS. Unencrypted HTTP connections are redirected to HTTPS at the network edge.

Transport Security

  • TLS 1.3 preferred; TLS 1.2 minimum

  • HTTP Strict Transport Security (HSTS) — 2-year max-age with preloading

  • Perfect Forward Secrecy (PFS) via ECDHE key exchange

  • Weak cipher suites disabled (RC4, DES, 3DES, MD5, SHA-1 deprecated)

  • Certificate managed by AWS Certificate Manager (ACM)

Scope of Coverage

  • All API endpoints (/api/*) — client → server

  • All webhook delivery and OAuth callbacks

  • S3 signed URL requests (HTTPS-only, no public bucket access)

  • Internal service-to-service communication (where applicable)

  • Database connections (MongoDB Atlas TLS enforced)

Encryption at Rest (AES-256; updated April 2026)

All persistent data is encrypted at rest using AES-256 across all storage layers.

Storage Layer | Algorithm | Key Management | Notes
--- | --- | --- | ---
MongoDB Atlas (primary DB) | AES-256 | Atlas-managed CMK | Encryption at rest enabled by default on all clusters
AWS S3 (file storage) | AES-256 (SSE-S3) | AWS-managed keys | Server-side encryption on all buckets. SSE-KMS available.
Database backups | AES-256 | Atlas backup encryption | Automated backups encrypted before storage
Local application uploads (dev) | Filesystem encryption | OS-level | Dev only; production uses S3 exclusively

Field-Level PII Encryption (AES-256 field encryption; updated April 2026)

Sensitive PII fields are encrypted at the application layer before being written to storage. Even with direct database access, these fields are unreadable without a separate encryption key that is stored independently.

We apply a second, independent layer of AES-256 encryption to every sensitive data field. This means your clients’ SSNs, EINs, and bank details are protected by two separate encryption layers working together.

Sensitive fields are always masked in API responses — SSN shown as ***-**-XXXX, bank accounts as last 4 digits only.

PII Field | Protection | How It’s Stored
--- | --- | ---
Social Security Number (SSN) | AES-256 (field-level) | Encrypted before write — plaintext never persisted
Employer Identification Number (EIN) | AES-256 (field-level) | Encrypted before write — plaintext never persisted
Bank Account Number | AES-256 (field-level) | Encrypted before write — plaintext never persisted
Bank Routing Number | AES-256 (field-level) | Encrypted before write — plaintext never persisted
Driver License Number | AES-256 (field-level) | Encrypted before write — plaintext never persisted

Authentication & Identity (TOTP + JWT; updated April 2026)

Session Security

  • Short-lived session tokens — minimizes exposure if a token is intercepted

  • Secure, browser-only session cookies (inaccessible to JavaScript)

  • Sessions invalidated on logout and password change

  • Complete firm isolation: sessions are cryptographically bound to your firm

  • Session tokens are cryptographically hashed before storage

Multi-Factor Authentication

  • TOTP-based MFA — compatible with Google Authenticator, Authy, 1Password

  • Backup codes generated on MFA enrollment, stored securely

  • GoRefer operations staff require mandatory MFA on a separate authentication system

  • Brute force protection: automatic lockout after repeated failed attempts

  • Password minimum: 8 characters

Security Hub & Monitoring (Enterprise; updated April 2026)

All GoRefer tenants have access to a real-time Security Hub with event logs, session management, threat detection, and exportable audit trails.

Security Hub Features

  • Firm security health score (composite risk metric)

  • Real-time suspicious activity alerts (unusual login times, locations, volumes)

  • IP blocklist — manually or automatically block known bad actors

  • Active session listing with device/browser/IP metadata

  • Session revocation (individual or all-device logout)

  • Admin impersonation tracking with immutable start/stop logs

Audit Logging

  • All sensitive operations logged: authentication, CRUD on critical resources, admin actions

  • Log fields: actor (user ID, email, role), timestamp, IP, user-agent, resource, action, outcome

  • Tamper detection: log integrity verification on export

  • 365-day retention by default

  • CSV export for integration with SIEM tools

  • SOC 2 and HIPAA compliance tagging on relevant events

Secure Development Practices (updated April 2026)

Code & Input Safety

  • All user inputs are validated and sanitized before processing

  • All database queries are parameterized — injection attacks are not possible

  • File uploads are validated by type, content, and size — not just file extension

  • Automated dependency scanning in the CI/CD pipeline

  • Signed URLs for all files — no direct public file access, expiry enforced

Access & Operations

  • Principle of least privilege for all internal accounts and service roles

  • Production database access requires VPN and MFA — restricted to authorized staff

  • No production credentials in code or version control

  • All secrets managed via a dedicated secrets manager at runtime

  • GoRefer operations staff use a dedicated, isolated authentication system with 2FA

For penetration testing details, see Penetration Testing. To report a vulnerability, see Vulnerability Disclosure.