⌘K
GoRefer Platformv2.0Open App ↗
Docs Security & Compliance
Security & Compliance

Security & Compliance

Enterprise-grade security built in from day one. Protect your clients' sensitive tax data with layered controls and full audit trails.

Two-Factor Authentication (2FA)

GoRefer supports time-based authenticator app 2FA for all user accounts. Admins can require 2FA for specific roles or the entire organization.

  • Authenticator app-based 2FA (TOTP standard)
  • Backup codes generated at enrollment
  • Admins can enforce 2FA for all users or specific roles
  • 2FA status visible in the user management panel
  • Recovery flow with admin-assisted account unlock

Role-Based Access Control (RBAC)

Every action in GoRefer is governed by a permission system. You can precisely control who can see, create, edit, or delete any resource.

  • Built-in roles: Admin, Preparer, Client
  • Custom roles with granular permission assignment
  • Per-feature permission toggles
  • Role preview — see what a user will be able to access before saving

Audit Logs

Every sensitive action on the platform is recorded in an immutable audit log. Ideal for SOC 2, HIPAA, and internal compliance reviews.

  • Logs every login, data access, data change, and permission change
  • Timestamped with user identity and IP address
  • Filterable by user, action type, resource, and date range
  • Logs retained for 90 days (extended retention on Enterprise)
  • Export logs for external compliance systems
  • Immutable — logs cannot be altered or deleted by any user

Security Hub

The Security Hub is a centralized dashboard for monitoring security events, reviewing active sessions, and managing security policies across your firm.

  • Active session management — revoke sessions remotely
  • Suspicious login alerts (unusual location or device)
  • Failed login attempt monitoring
  • Security event timeline
  • Security policy configuration (password strength, session timeout)

Session Management

Administrators and users can manage their active sessions — see all devices currently logged in and terminate them remotely.

  • View all active sessions with device and location info
  • Terminate individual or all sessions at once
  • Configurable session timeout duration
  • Forced logout on role or permission change

Data Protection

  • All data encrypted at rest and in transit (TLS 1.3)
  • Sensitive fields (SSNs, bank account numbers) stored with field-level encryption
  • Documents stored in isolated, encrypted storage per tenant
  • No data sharing between tenants (strict multi-tenancy)
  • PII never included in logs or error messages
  • Configurable data retention policies
SOC 2 & HIPAA Aligned

GoRefer's security infrastructure is designed to support SOC 2 Type II and HIPAA compliance requirements. Contact us for your compliance report.