Security Statement
Keeping the data of our customers and their users safe is our highest priority. On this page we share our policies and the measurements we take to ensure highest security standards.
Compliance Frameworks
We are proudly adhering to the following industry-standard compliance frameworks. These frameworks ensure the effectiveness of our processes to keep your data safe at all times.
Employees & Contractors
We require all employees and contractors to sign a confidentiality agreement and comply with our cybersecurity policy. We are reviewing our cyber security policy every quater and train our team on security regularly.
We enforce a device management policy (password strength and rotation, lock screen when leaving the desk, disk encryption, remote lock).
Our employees and contractors must report all actual or suspected IT security incidents.
By default, our employees and contractors don’t have access to user data. Exceptions can be made for customer support.
Infrastructure
Our service is built using the Amazon Web Services (AWS) cloud. AWS offers robust security mechanisms to protect our infrastructure.
Our networking infrastructure (routers, load balancers, DNS servers,…) are all managed by AWS.
All data transmissions are encrypted in transit using TLS, with a minimum of TLS 1.2.
Access to our network is strictly controlled using a VPN with network access control lists (ACL) and IP whitelisting.
Our inbound and outbound network traffic is monitored and controlled using firewalls and IP whitelisting.
We are using an industry-leading solution to mitigate our risk of Distributed Denial of Service (DDoS).
We are using solutions to monitor the performance of our platform and log errors in our service.
We commit to full transparency on all outages and service degration. You can follow our system status in real time on our public status page.
We are using separate environments for testing and production.
Application Security
We are following OWASP security best practices to protect our solution.
We are restricting access to production data to authorized staff members only and protecting it by 2FA, VPN access, and IP Whitelisting.
We are reviewing our code systematically for security vulnerabilities. We welcome responsible disclosure of vulnerabilities. We are strictly controlling who has access to our source code.
We are monitoring and updating our dependencies to make sure none of them has know vulnerabilities.
We are regularly performing automated penetration tests against all our endpoints. You can contact us to request our latest penetration test report.
Data Ownership
Your data belongs to you and we will treat it that way. We don’t resell or re-use data that you import into our system, or survey responses that you collect using our solution, in any way.
Data Residency
Your user data, as well as data we collect on your behalf from your users, is savely stored in our AWS cloud in the EU-WEST-1 (Ireland) data center. The physical data residency of your user data is in Europe.
By default, user data stays within the European Union at all times.
Certain optional features may involve authorized Subprocessors listed in our DPA or Company-configured Third Party APIs, integrations, webhooks, alerts, or digests controlled by the customer.
Data Encryption
All data coming to or sending from our infrastructure is encrypted in transit using Transport Layer Security (TLS 1.2). All data in our system is encrypted at rest using AES 256-bit encryption algorithm.
Data Retention
By default, user data is retained in your account for as long as you maintain an active paid subscription, unless you delete it or configure shorter retention settings in your account.
You can delete individual user records on demand, purge environments, or configure automatic deletion of old user data. More information about these data lifecycle options is available in our documentation.
Refiner is not intended to be used as long-term archival or backup storage. Customers are responsible for exporting and backing up data they need to retain outside the Service.
After a subscription ends, user data may remain available for export for a limited retrieval period of up to 180 calendar days, after which it may be permanently deleted in accordance with our Terms of Service and Data Processing Agreement.
Sub-processors
By default, no user data is shared with third party sub-processors other than our hosting provider AWS Europe.
Refiner uses a limited number of trusted sub-processors to operate and deliver the service, such as infrastructure and payment providers. These vendors are carefully selected and bound by strict data protection and security requirements.
If you choose to use our email alert features, user data will be shared with our email service provider Customer.io. If you choose to use IP address based geo targeting, we’ll send anonymized IP addresses to our IP geocoding provider.
A full list of our sub-processors can be found in our GDPR Data Processing Agreement template.
PCI Compliance
We don’t store any payment information and don’t process payments on our own infrastructure. We are using Stripe and Chargebee for all payment related matters. Stripe and Chargebee are both PCI compliant services.
Service Levels
Traditionally, Refiner had an uptime of 99.9% or higher. One of our top priorities is to provide uninterupted services at all times. You can follow our system status in real time on our public status page.
Authentication & Access Control
Refiner supports SAML 2.0 Single Sign-On (SSO) for secure and centralized authentication.
SAML SSO is recommended for teams with advanced security or compliance requirements. Please contact us to set up SAML SSO on your account.
Bug Bounty Program
Refiner supports responsible disclosure and values the contributions of the security research community. If you discover a potential vulnerability, please report it to us with sufficient detail to allow for timely investigation and remediation.