
Security & Compliance

Version 1.0 · Last updated: June 2025

GoRefer is built for accounting and tax professionals who handle sensitive client data every day. Security is not an add-on — it is foundational to every layer of the platform, from the database to the browser.

Encryption Everywhere

  • TLS 1.2+ for all data in transit
  • AES-256 encryption for data at rest
  • Field-level encryption for sensitive PII (SSN, EIN, bank accounts)
  • Tenant-scoped encryption keys for data isolation
  • Automated credential rotation

Tenant Data Isolation

  • Strict multi-tenant architecture — each firm's data is logically isolated
  • Every API request validated against JWT-bound firm context
  • Cross-tenant access is blocked at the middleware layer
  • Platform admin actions are separately audited

Role-Based Access Control

  • Granular roles: Owner, Admin, Preparer, Client, Agent, Affiliate
  • 5 platform admin roles with separate privilege scoping
  • Feature-gated endpoints tied to subscription plans
  • Admin impersonation with full audit trail and automatic session expiry
  • Destructive operations blocked during impersonation sessions

Authentication & Identity

  • Two-factor authentication (TOTP) support
  • Short-lived JWT access tokens with secure refresh flow
  • Password minimum-length enforcement (8+ characters)
  • Brute-force protection via rate limiting
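The two JWT claims above, the firm context that every API request is validated against (Tenant Data Isolation) and the short expiry of the access token, are the load-bearing parts of the isolation story, so here is an added illustration of how a request handler enforces both. This is example code written for this page, not GoRefer's implementation; the claim name `firm_id`, the HS256 signing, the shared secret and the client records are all assumptions made for the demo. The point it makes is that the tenant is taken from the verified token and used as part of the storage key, so a caller can neither pick a tenant via the URL nor forge a different `firm_id` without the signing key.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional, Tuple

# Hypothetical signing key and claim name for this example only.
SECRET = b"example-hs256-key-not-for-production"
FIRM_CLAIM = "firm_id"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(sub: str, firm_id: str, ttl: int, now: int, key: bytes = SECRET) -> str:
    """Issue a short-lived HS256 JWT whose firm_id claim binds the session to one tenant."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    claims = {"sub": sub, FIRM_CLAIM: firm_id, "iat": now, "exp": now + ttl}
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = _b64url(hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest())
    return f"{header}.{payload}.{sig}"


def verify_token(token: str, now: int, key: bytes = SECRET) -> Optional[dict]:
    """Return the claims if algorithm, signature, expiry and tenant claim check out, else None."""
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        # Pin the algorithm server-side; "alg":"none" or a swapped algorithm is rejected outright.
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None
        expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None
        claims = json.loads(_b64url_decode(p))
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(claims, dict):
        return None
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None  # short-lived: an expired access token is worthless, refresh flow must re-issue
    if not claims.get(FIRM_CLAIM):
        return None  # a token with no tenant context can never be authorised
    return claims


# Constructed sample data: client records for two separate firms, keyed by tenant.
CLIENTS = {
    ("firm-A", "c1"): {"name": "Acme LLC"},
    ("firm-B", "c2"): {"name": "Beta Tax Co"},
}


def handle_get_client(token: str, client_id: str, now: int,
                      requested_firm: Optional[str] = None) -> Tuple[int, dict]:
    """Middleware plus handler for GET /clients/{client_id}.

    The tenant comes from the verified token. A firm id the client puts in the
    URL or body is compared against it and otherwise ignored, and the record
    lookup itself is scoped by tenant, so a foreign object id is simply absent.
    """
    claims = verify_token(token, now)
    if claims is None:
        return 401, {"error": "invalid or expired token"}
    firm_id = claims[FIRM_CLAIM]
    if requested_firm is not None and requested_firm != firm_id:
        return 403, {"error": "cross-tenant access blocked"}
    record = CLIENTS.get((firm_id, client_id))
    if record is None:
        # Indistinguishable from a nonexistent id: no oracle for other tenants' identifiers.
        return 404, {"error": "not found"}
    return 200, record


if __name__ == "__main__":
    now = 1_750_000_000
    tok = mint_token("user-1", "firm-A", 900, now)
    print(handle_get_client(tok, "c1", now))                  # own record
    print(handle_get_client(tok, "c2", now))                  # other firm's record
    print(handle_get_client(tok, "c1", now, "firm-B"))        # URL claims another firm
    print(handle_get_client(tok, "c1", now + 901))            # expired token
```

Two details matter in practice. The algorithm is pinned in the verifier rather than read from the token, so the classic `alg: none` and algorithm-confusion tricks fail before any signature work. And the tenant is part of the storage key, not a filter applied after the fact, so a handler that forgets an extra authorisation check still cannot return another firm's row.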

Security Hub & Monitoring

  • Enterprise Security Hub with firm health score and threat detection
  • IP blocklist and suspicious activity alerts
  • Full audit trails for all sensitive operations with CSV export
  • Impersonation session tracking with start/stop timestamps
  • Credit usage tracking with per-operation breakdowns
  • Security event logging with IP and user-agent capture

Infrastructure & Hosting

  • Hosted on AWS, whose infrastructure carries SOC 2 attestations (this covers the underlying cloud, not GoRefer itself; see Compliance Posture)
  • S3 storage with signed URLs — no public buckets
  • Signed URL lifetime capped server-side at one hour
  • File uploads validated by extension, MIME type, and magic bytes, all three of which must agree
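The upload check is worth seeing in code because the three signals have very different trust levels: the filename and `Content-Type` are chosen by the client, while the leading bytes are at least a property of the file itself. The following validator is an added example for this page, not GoRefer's code; the allow-list of types, the signatures and the sample files are constructed for the demo. It accepts a file only when the extension maps to an allowed type, the declared MIME type is the one that extension implies, and the first bytes carry that type's signature, and it shows how double extensions, path prefixes and content/extension mismatches are turned away.

```python
from typing import Dict, List, Optional, Tuple

# Hypothetical allow-list for this example: extension -> (expected MIME type, accepted
# leading-byte signatures). Only formats the browser will not execute belong here;
# HTML and SVG are deliberately absent.
SIGNATURES: Dict[str, Tuple[str, List[bytes]]] = {
    "pdf":  ("application/pdf", [b"%PDF-"]),
    "png":  ("image/png", [b"\x89PNG\r\n\x1a\n"]),
    "jpg":  ("image/jpeg", [b"\xff\xd8\xff"]),
    "jpeg": ("image/jpeg", [b"\xff\xd8\xff"]),
}

HEAD_BYTES = 16  # how much of the file the caller should read before deciding


def validate_upload(filename: str, declared_mime: str, head: bytes) -> Optional[str]:
    """Return None if the upload is acceptable, otherwise the rejection reason.

    filename       client-supplied name (may contain path components)
    declared_mime  client-supplied Content-Type header (may carry parameters)
    head           the first HEAD_BYTES bytes actually received
    """
    # Strip any path the client sent; only the base name is considered.
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    if "." not in name:
        return "missing extension"
    # The *last* extension decides, so "invoice.pdf.exe" is judged as .exe.
    ext = name.rsplit(".", 1)[1].lower()
    policy = SIGNATURES.get(ext)
    if policy is None:
        return f"extension .{ext} not allowed"
    expected_mime, magics = policy

    # Normalise "application/pdf; charset=binary" -> "application/pdf" before comparing.
    mime = declared_mime.split(";", 1)[0].strip().lower()
    if mime != expected_mime:
        return f"declared type {declared_mime!r} does not match .{ext}"

    # Finally the bytes themselves must corroborate the claimed type.
    if not any(head.startswith(m) for m in magics):
        return "file contents do not match extension"
    return None


if __name__ == "__main__":
    # Constructed sample inputs.
    pdf_head = b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n1 0 obj"
    php_head = b"<?php system($_GET['c']); ?>"
    print(validate_upload("w2_2024.pdf", "application/pdf", pdf_head))      # None (accepted)
    print(validate_upload("w2_2024.pdf", "application/pdf", php_head))      # contents mismatch
    print(validate_upload("payload.pdf.exe", "application/pdf", pdf_head))  # .exe not allowed
    print(validate_upload("photo.jpg", "image/png", b"\xff\xd8\xff\xe0"))   # MIME mismatch
```

Magic bytes only vouch for the leading bytes, so a file that is a valid PDF and also parses as something else further in (a polyglot) will pass this check. That is why the storage side matters as much as the upload side: objects should be served from S3 through the signed URL with a fixed `Content-Type` and `Content-Disposition: attachment`, never rendered from the application's own origin, and formats a browser will execute inline should not be in the allow-list at all.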

Payment Security

All payment processing is handled by Stripe, a PCI-DSS Level 1 certified payment processor. GoRefer never stores credit card numbers or bank account details on its own servers.

Compliance Posture

  • SOC 2-aligned
  • HIPAA-ready
  • GDPR-ready
  • PCI DSS (via Stripe)

GoRefer's infrastructure and controls are designed to align with SOC 2 Type II and HIPAA requirements. Alignment is not attestation: GoRefer does not itself hold a SOC 2 report and is not a HIPAA covered entity, but we implement the technical safeguards these frameworks call for, namely encryption, access controls, audit logging, and data isolation.

GoRefer is not a HIPAA-covered entity and does not sign Business Associate Agreements (BAAs) at this time. If your firm handles Protected Health Information, please contact us to discuss your specific requirements.

AI Data Handling (Gio)

Gio, our built-in AI assistant, processes documents and conversations using Amazon Bedrock and Azure AI Document Intelligence. Your data is:

  • Never used to train third-party AI models
  • Processed within your firm's isolated data context
  • Subject to the same encryption and access controls as all other data
  • Billed on a credit-based system: Chat 1, Research 3, Memo 5, Content 3, OCR 5, Board Room 5 credits per operation

Questions?

If you have security questions or need to report a vulnerability, contact us at security@gorefer.io. For general inquiries, reach out at support@gorefer.io.