Legal & Compliance

On this page
At a glance
Legal Framework
Terms of Service
Roles & Responsibilities
Data Protection (GDPR, CCPA, …)
Data Security (SOC 2)
Consent & Tracking
Data Lifecycle
Data Collected
Data Residency
Data Retention
Sub-processors
Third-Party Integrations
Security & Access
Infrastructure
Application Security
Service Levels
Data Encryption
Authentication & Access Control
Employees & Contractors
Bug Bounty Program

Last reviewed: 2026-03-19

At a glance

Refiner is designed to help you collect user feedback in a privacy-conscious and compliant way. This page outlines how Refiner handles data and what you need to consider when using the product.

When using Refiner, you may send and process user data such as identifiers, attributes (traits), and survey responses. Depending on your use case and location, this data may be subject to data protection regulations.

Refiner is designed to operate as a data processor under your instruction. You define what data is collected, how long it is retained, and when it is deleted. We provide the infrastructure, security controls, and compliance framework to ensure that data is handled in accordance with modern regulatory and enterprise standards.

Here is a quick overview of what Refiner provides to help you stay compliant:

  • Data hosting: AWS (eu-west-1, Ireland)
  • Data residency: All user data is stored and processed within the European Union
  • Data processing role: Refiner acts as a data processor; you remain the data controller
  • Sub-processors: By default, no user data is processed by third-party sub-processors other than our hosting provider
  • Compliance: GDPR-ready (supports data access and deletion requests)
  • Security: SOC 2 Type II certified infrastructure and controls
  • Encryption: All data is transmitted securely via HTTPS
  • Authentication: SAML 2.0 Single Sign-On (SSO) supported
  • Data control: Full control over data retention, deletion, and export
  • Integrations: Data sharing with third-party tools is fully controlled by you

If you require additional documentation, security questionnaires, or compliance attestations, please contact our team.

Legal Framework

Terms of Service

When you create an account with Refiner, you agree to our Terms of Service and Privacy Policy. Both documents are designed with a strong emphasis on data protection, regulatory compliance, and information security.

For Enterprise customers, we offer the option to execute custom agreements, including tailored Data Processing Agreements (DPAs) and additional contractual safeguards as required.

Roles & Responsibilities

Refiner provides the tools and infrastructure to support compliance, but you are responsible for configuring your implementation in accordance with applicable laws.

Generally speaking

  • You (the customer) act as the data controller, deciding what data is collected and how it is used.
  • Refiner acts as the data processor, processing data on your behalf.

This means you are responsible for:

  • Defining the legal basis for data collection
  • Informing users about how their data is used
  • Handling user rights requests (access, deletion, etc.)

Data Protection (GDPR, CCPA, …)

Refiner supports compliance with major international data protection regulations and healthcare standards. Our platform is designed to help you meet your regulatory obligations while maintaining full administrative control over your data.

If you operate in the European Union or process data of EU residents, the General Data Protection Regulation (GDPR) applies.

To stay compliant, you should:

  • Establish a valid legal basis for processing (e.g. legitimate interest or consent)
  • Inform users about data collection in your privacy policy
  • Provide mechanisms for users to access or delete their data

Refiner supports:

  • Data access requests
  • Data deletion requests

We provide multiple technical and organizational mechanisms to support lawful data processing, subject access requests, deletion workflows, and controlled data retention.

For detailed information, please refer to:

Data Security (SOC 2)

Refiner applies industry-standard security measures to protect your data, including:

  • Encrypted data transmission (HTTPS)
  • Secure infrastructure and access controls
  • Ongoing monitoring and best practices for data protection

As of June 2024, Refiner has successfully completed a SOC 2 Type II audit, which validates the operational effectiveness of our security controls over a defined audit period.

For additional details on our security posture and to request a copy of our SOC 2 report, please refer to:

Consent & Tracking

Depending on how you use Refiner, you may need to obtain user consent before collecting data.

This is especially relevant when:

  • Using the JavaScript SDK in combination with cookies or tracking technologies
  • Operating in jurisdictions with strict consent requirements (e.g. EU ePrivacy Directive)

Refiner’s JavaScript SDK stores an anonymous user token in the browser’s Local Storage to ensure consistent user recognition and correct survey delivery.

No sensitive personal data is stored in Local Storage or cookies by default—only the minimal technical identifiers necessary to operate the SDK.

For more details, please refer to the dedicated documentation page.

You are responsible for:

  • Integrating Refiner with your consent management solution (if applicable)
  • Respecting user preferences regarding tracking and data collection

Data Lifecycle

Data Collected

Refiner may process the following types of data:

  • User identifiers (e.g. user ID, email address)
  • User traits (e.g. plan, role, custom attributes)
  • Events (user actions, if tracked)
  • Survey responses (including free-text feedback)

We recommend only sending data that is necessary for your use case. Avoid sending sensitive personal data unless absolutely required.

Data Residency

Your personal data, your imported user data, as well as data we collect on your behalf from your users, is safely stored in our AWS cloud in the EU-WEST-1 (Ireland) data center. The physical data residency of your user data is in Europe at all times.

Your user data stays within our data center at all times. We are not sending any of your user data to third party sub-processors.

We might send data about our customers (your name, company, email, …) to third party providers, such as our CRM or email sending solution. We are committed to anonymize personal data as much as possible in that case.

We don’t store any payment information and don’t process payments on our own infrastructure. We are using Stripe and Chargebee for all payment related matters. Stripe and Chargebee are both PCI compliant services.

Data Retention

By default, user data remains stored in your account environment until:

  • You cancel your subscription
  • You delete the environment
  • You manually delete user records

You maintain full administrative control over data retention. We recommend:

  • Regularly reviewing stored data
  • Deleting data that is no longer needed
  • Aligning retention policies with your legal requirements

We provide various mechanism allowing you to delete individual user records on demand or delete old user profiles automatically after a certain time of inactivity.

At any given moment you can choose to delete individual user profiles or groups of users. You can do this on the User Segments page.

Sub-processors

By default, no user data is shared with third party sub-processors other than our hosting provider AWS Europe.

Refiner uses a limited number of trusted sub-processors to operate and deliver the service, such as infrastructure and payment providers. These vendors are carefully selected and bound by strict data protection and security requirements.

If you choose to use our email alert features, user data will be shared with our email service provider Customer.io. If you choose to use IP address based geo targeting, we’ll send anonymized IP addresses to our IP geocoding provider.

A full list of our sub-processors can be found in our GDPR Data Processing Agreement template.

Third-Party Integrations

Refiner can send data to third-party tools (e.g. Slack, CRM systems, data warehouses).

When using integrations:

  • Ensure those tools meet your compliance requirements
  • Understand what data is being shared and why
  • Update your privacy policy accordingly

Security & Access

Infrastructure

Our service is built using the Amazon Web Services (AWS) cloud. AWS offers robust security mechanisms to protect our infrastructure.

Our networking infrastructure (routers, load balancers, DNS servers,…) are all managed by AWS.

All communications are performed through end-to-end HTTPS encryption.

Access to our network is strictly controlled using a VPN with network access control lists (ACL) and IP whitelisting.

Our inbound and outbound network traffic is monitored and controlled using firewalls and IP whitelisting.

We are using an industry-leading solution to mitigate our risk of Distributed Denial of Service (DDoS).

We are using solutions to monitor the performance of our platform and log errors in our service.

We commit to full transparency on all outages and service degradation. You can follow our system status in real time on our public status page.

We are using separate environments for testing and production.

Application Security

We are following OWASP security best practices to protect our solution.

We are restricting access to production data to authorized staff members only and protecting it by 2FA, VPN access, and IP Whitelisting.

We are reviewing our code systematically for security vulnerabilities. We welcome responsible disclosure of vulnerabilities. We are strictly controlling who has access to our source code.

We are monitoring and updating our dependencies to make sure none of them has know vulnerabilities.

We are regularly performing automated penetration tests against all our endpoints. You can contact us to request our latest penetration test report.

Service Levels

Traditionally, Refiner had an uptime of 99.9% or higher. One of our top priorities is to provide uninterupted services at all times. You can follow our system status in real time on our public status page.

Data Encryption

All data coming to or sending from our infrastructure is encrypted in transit using Transport Layer Security (TLS 1.2). All data in our system is encrypted at rest using AES 256-bit encryption algorithm.

Authentication & Access Control

Refiner supports SAML 2.0 Single Sign-On (SSO) for secure and centralized authentication.

With SAML SSO, you can:

  • Manage user access through your identity provider (IdP)
  • Enforce company-wide security policies (e.g. MFA)
  • Simplify user provisioning and access management

SAML SSO is recommended for teams with advanced security or compliance requirements. Please contact us to set up SAML SSO on your account.

Employees & Contractors

We require all employees and contractors to sign a confidentiality agreement and comply with our cybersecurity policy. We are reviewing our cyber security policy every quater and train our team on security regularly.

We enforce a device management policy (password strength and rotation, lock screen when leaving the desk, disk encryption, remote lock).

Our employees and contractors must report all actual or suspected IT security incidents.

By default, our employees and contractors don’t have access to user data. Exceptions can be made for customer support.

Bug Bounty Program

Refiner supports responsible disclosure and values the contributions of the security research community. If you discover a potential vulnerability, please report it to us with sufficient detail to allow for timely investigation and remediation.

Was this helpful? Let us know with a quick a vote

Still got questions? We are here to help!

The best way to contact us and get help is to fill out our support form. You can also send an email to contact@refiner.io. We usually reply within a few hours.