Security & Compliance

Last updated 29th July 2021

Keeping the data of our customers and their users safe is our highest priority. On this page we share our policies and the measures we take to ensure the highest security standards.

People

We require all employees and contractors to sign a confidentiality agreement and comply with our cybersecurity policy. We review our cybersecurity policy every quarter and train our team on security regularly.

We enforce a device management policy (password strength and rotation, lock screen when leaving the desk, disk encryption, remote lock).

Our employees and contractors must report all actual or suspected IT security incidents.

By default, our employees and contractors don't have access to user data. Exceptions can be made for customer support.

Infrastructure

Our service is built using the Amazon Web Services (AWS) cloud. AWS offers robust security mechanisms to protect our infrastructure.

Our networking infrastructure (routers, load balancers, DNS servers, ...) is entirely managed by AWS.

All communications are performed through end-to-end HTTPS encryption.

Access to our network is strictly controlled using a VPN with network access control lists (ACL) and IP whitelisting.

Our inbound and outbound network traffic is monitored and controlled using firewalls and IP whitelisting.

We are using an industry-leading solution to mitigate our risk of Distributed Denial of Service (DDoS).

We are using solutions to monitor the performance of our platform and log errors in our service.

We commit to full transparency on all outages and service degradation. You can follow our system status in real time on our public status page.

We are using separate environments for testing and production.

Data Protection & Encryption

Your data belongs to you and we will treat it that way. We don't resell or re-use data that you import into our system, or survey responses that you collect using our solution, in any way.

Your personal data, your imported user data, as well as data we collect on your behalf from your users, is safely stored in our AWS cloud in the EU-WEST-1 (Ireland) data center. The physical data residency of your user data is in Europe at all times.

Your user data stays within our data center at all times. We are not sending any of your user data to third party sub-processors.

We might send data about our customers (your name, company, email, ...) to third party providers, such as our CRM or email sending solution. We are committed to anonymizing personal data as much as possible in that case.

All data coming into or sent from our infrastructure is encrypted in transit using Transport Layer Security (TLS 1.2).

All data in our system is encrypted at rest using the AES 256-bit encryption algorithm.

As a European company, we fully adhere to the GDPR framework and we are committed to making it easy for you to stay GDPR compliant when using Refiner. Refiner also adheres to the California Consumer Privacy Act (CCPA) data protection statute.

Service Levels

Historically, Refiner has had an uptime of 99.9% or higher. One of our top priorities is to provide uninterrupted services at all times. You can follow our system status in real time on our public status page.

Application Security

We are following OWASP security best practices to protect our solution.

We are strictly controlling who has access to our source code.

We are restricting access to production data to authorized staff members only and protecting it with 2FA, VPN access, and IP whitelisting.

We are reviewing our code systematically for security vulnerabilities. We welcome responsible disclosure of vulnerabilities.

We are monitoring and updating our dependencies to make sure none of them has known vulnerabilities.

We are regularly performing automated penetration tests against all our endpoints. You can contact us to request our latest penetration test report.

PCI Compliance

We don't store any payment information and don't process payments on our own infrastructure.

We are using Stripe and Chargebee for all payment related matters. Stripe and Chargebee are both PCI compliant services.