Security Statement

Last updated 21st June 2024

Keeping the data of our customers and their users safe is our highest priority. On this page we share our policies and the measures we take to ensure the highest security standards.

Compliance Frameworks

We proudly adhere to the following industry-standard compliance frameworks. These frameworks ensure the effectiveness of our processes to keep your data safe at all times.

Employees & Contractors

We require all employees and contractors to sign a confidentiality agreement and comply with our cybersecurity policy. We review our cybersecurity policy every quarter and train our team on security regularly.

We enforce a device management policy (password strength and rotation, lock screen when leaving the desk, disk encryption, remote lock).

Our employees and contractors must report all actual or suspected IT security incidents.

By default, our employees and contractors don't have access to user data. Exceptions can be made for customer support.

Infrastructure

Our service is built using the Amazon Web Services (AWS) cloud. AWS offers robust security mechanisms to protect our infrastructure.

Our networking infrastructure (routers, load balancers, DNS servers, ...) is managed entirely by AWS.

All communications are performed through end-to-end HTTPS encryption.

Access to our network is strictly controlled using a VPN with network access control lists (ACL) and IP whitelisting.

Our inbound and outbound network traffic is monitored and controlled using firewalls and IP whitelisting.

We are using an industry-leading solution to mitigate the risk of Distributed Denial of Service (DDoS) attacks.

We are using solutions to monitor the performance of our platform and log errors in our service.

We commit to full transparency on all outages and service degradation. You can follow our system status in real time on our public status page.

We are using separate environments for testing and production.

Application Security

We are following OWASP security best practices to protect our solution.

We are restricting access to production data to authorized staff members only and protecting it by 2FA, VPN access, and IP whitelisting.

We are reviewing our code systematically for security vulnerabilities. We welcome responsible disclosure of vulnerabilities. We are strictly controlling who has access to our source code.

We are monitoring and updating our dependencies to make sure none of them has known vulnerabilities.

We are regularly performing automated penetration tests against all our endpoints. You can contact us to request our latest penetration test report.

Data Ownership

Your data belongs to you and we will treat it that way. We don't resell or re-use data that you import into our system, or survey responses that you collect using our solution, in any way.

Data Residency

Your personal data, your imported user data, and the data we collect on your behalf from your users are safely stored in our AWS cloud in the EU-WEST-1 (Ireland) data center. The physical data residency of your user data is in Europe at all times.

Your user data stays within our data center at all times. We are not sending any of your user data to third-party sub-processors.

We might send data about our customers (your name, company, email, ...) to third-party providers, such as our CRM or email sending solution. We are committed to anonymizing personal data as much as possible in that case.

We don't store any payment information and don't process payments on our own infrastructure. We are using Stripe and Chargebee for all payment-related matters. Stripe and Chargebee are both PCI compliant services.

Data Encryption

All data entering or leaving our infrastructure is encrypted in transit using Transport Layer Security (TLS 1.2). All data in our system is encrypted at rest using the AES 256-bit encryption algorithm.

Service Levels

Historically, Refiner has had an uptime of 99.9% or higher. One of our top priorities is to provide uninterrupted services at all times. You can follow our system status in real time on our public status page.