GoRefer Trust Center
Sub-processors
Updated April 2026
GoRefer uses the following third-party sub-processors to deliver the service. All sub-processors are bound by Data Processing Agreements (DPAs) that restrict their use of data to the purposes listed below.
No sub-processor receives raw PII without a DPA in place. Sensitive PII fields are encrypted before leaving GoRefer's own infrastructure — even our cloud infrastructure providers store only encrypted ciphertext.
High Sensitivity: 3, Medium Sensitivity: 3, Low Sensitivity: 3
Sub-processors by Category
Change notification
GoRefer provides 30 days' notice before adding or replacing a sub-processor that processes customer personal data. Customers on Growth, Scale, or Enterprise plans can object to new sub-processors in writing. Subscribe by emailing privacy@gorefer.io.
Infrastructure
| Vendor | Data Sensitivity | Purpose | Data Processed | Region | Certifications |
|---|---|---|---|---|---|
| Amazon Web Services (AWS) | High | Application hosting, compute, and file storage | User data; Firm data; Uploaded documents; Session data; PII (encrypted at rest) | United States (us-east-1) | SOC 1 / 2 / 3, ISO 27001, HIPAA BAA eligible, PCI DSS Level 1 |
| MongoDB Atlas | High | Primary database (multi-tenant, per-firm isolated databases) | User data; Referral records; Commission data; Audit logs; Encrypted PII | United States (AWS us-east-1) | SOC 2 Type II, ISO 27001, GDPR compliant |
| Cloudflare | Low | DNS management, DDoS mitigation, and CDN acceleration | IP addresses; Request metadata (edge-level, not persisted) | Global edge network | SOC 2 Type II, ISO 27001, PCI DSS |
Payments
| Vendor | Data Sensitivity | Purpose | Data Processed | Region | Certifications |
|---|---|---|---|---|---|
| Stripe | High | Subscription billing, platform fee collection, preparer payouts via Stripe Connect | Billing information; Bank account details (Stripe-hosted); Transaction records | United States / Global | PCI DSS Level 1, SOC 1 Type II, SOC 2 Type II |
AI / ML
| Vendor | Data Sensitivity | Purpose | Data Processed | Region | Certifications |
|---|---|---|---|---|---|
| Microsoft Azure | Medium | AI-powered assistance and document processing | Document content (transient, processed and discarded); AI chat messages (transient) | United States (East US) | SOC 1 / 2 / 3, ISO 27001, HIPAA BAA eligible, GDPR compliant |
| ElevenLabs | Low | AI voice generation for voice-enabled features | Voice interaction text (transient, not stored) | United States | SOC 2 Type II |
| Vendor | Data Sensitivity | Purpose | Data Processed | Region | Certifications |
|---|---|---|---|---|---|
| Amazon Web Services (SES) | Medium | Transactional email delivery (notifications, invitations, receipts, dunning emails) | Email addresses; Email content (notification messages); Delivery metadata | United States (us-west-2) | SOC 1/2/3, ISO 27001/17/18, PCI DSS Level 1, HIPAA-eligible |
Identity / Auth
| Vendor | Data Sensitivity | Purpose | Data Processed | Region | Certifications |
|---|---|---|---|---|---|
| | Medium | OAuth 2.0 sign-in (optional), Google Calendar integration for appointment scheduling | OAuth tokens; Calendar event metadata (when integration enabled) | Global | SOC 1 / 2 / 3, ISO 27001 |
Error Tracking
| Vendor | Data Sensitivity | Purpose | Data Processed | Region | Certifications |
|---|---|---|---|---|---|
| Sentry | Low | Real-time application error tracking and performance monitoring | Stack traces; Request metadata; User ID (anonymized); Browser/OS metadata | United States | SOC 2 Type II, GDPR compliant |
Data Processing Agreements
GoRefer DPA available on request
All customers can request a Data Processing Agreement (DPA) from GoRefer. Enterprise customers receive a custom DPA reviewed with their legal team. Growth and Scale plans use our standard DPA. Request via the Trust Portal or by emailing privacy@gorefer.io.