Trust & Security

Your referrals, partners and customer data are sensitive. Here is how we protect them.

Our security philosophy

ReferU2 is built on a simple principle: customers trust us with information about their relationships, partners and pipeline, and we treat that as a duty of care. We design, build and operate the platform with security and privacy as core requirements rather than afterthoughts.

We follow the principles of least privilege, defence in depth and secure-by-default configuration across every layer of the platform.

Hosting and infrastructure

ReferU2 runs on enterprise-grade cloud infrastructure operated by reputable providers with their own independent security certifications, including SOC 2, ISO 27001 and similar standards.

  • Global edge network with built-in DDoS mitigation and Web Application Firewall protection
  • Physically secure data centres with 24/7 monitoring, biometric access controls and environmental safeguards managed by our infrastructure providers
  • Application and data services are isolated from public networks where possible and accessed only through controlled pathways
  • Production environments are separated from development and testing environments

We deliberately do not publish detailed network diagrams, internal hostnames or specific configuration details, as this information would only assist someone attempting to attack the platform.

Encryption

  • In transit
    All traffic between you and ReferU2, and between our internal services, is protected with modern TLS. We follow current industry guidance on cipher suites and certificate management.
  • At rest
    Customer data, backups and file uploads are stored on encrypted storage managed by our infrastructure providers.
  • Secrets and credentials
    API keys, tokens and credentials are stored in dedicated secret stores and are never committed to source code or shared in plain text.

Authentication and account security

Authentication is handled by a dedicated, independently certified identity platform. This means passwords, sessions and security-sensitive flows are managed by specialists who focus solely on identity.

  • Industry-standard password hashing (we never see or store your password in plain text)
  • Support for multi-factor authentication, where enabled by you or your organisation
  • Session and device management, with the ability to sign out of other sessions
  • Brute-force protection, suspicious sign-in detection and rate limiting on authentication endpoints
  • Single sign-on options for eligible plans

We strongly encourage all customers to enable multi-factor authentication on their accounts.

Access control and tenancy

  • Role-based access
    Within the platform, users are granted access based on the role assigned in their organisation. Administrative actions are restricted to designated administrators.
  • Data segregation
    Each organisation's data is logically separated and queries are scoped to the relevant organisation. Users only see data for organisations they belong to or have been explicitly given access to.
  • Sharing is opt-in
    Information is only shared between users, partners or organisations when you (or another authorised user) explicitly take an action to share it.

Internal access by ReferU2 staff

We restrict internal access to customer data to the minimum number of people needed to operate, support and improve the platform.

  • Internal access requires multi-factor authentication and individual accounts (no shared logins)
  • Staff access is granted on a least-privilege basis and reviewed when roles change
  • Privileged actions on production systems are logged
  • Access is removed promptly when staff or contractors no longer require it

Our staff will only access customer data when reasonably necessary to provide support, investigate an issue, comply with a legal obligation or protect the integrity of the platform.

Secure software development

  • Code is reviewed before being deployed to production
  • We use automated checks and dependency scanning to identify known vulnerabilities in the libraries we rely on
  • User input is validated and sanitised on the server, with protections in place against common web vulnerabilities such as injection, cross-site scripting and cross-site request forgery
  • Our build and deployment pipelines are automated, repeatable and run from controlled, authenticated environments
  • We follow modern web framework best practices and keep our core dependencies on supported, current versions

Logging and monitoring

We maintain operational and security logs that help us detect, investigate and respond to unusual activity. These include authentication events, administrative actions, errors and key system events.

Logs are retained for a reasonable period in line with our internal retention standards and applicable law, and are protected with the same controls as other sensitive data.

Backups and continuity

  • Customer data is backed up regularly using managed backup services from our infrastructure providers
  • Backups are encrypted and stored separately from production systems
  • We periodically review our ability to restore from backup as part of our continuity practices

Our cloud infrastructure providers offer high-availability services that allow the platform to remain operational even when individual components fail.

Incident response

We have an internal incident response process that defines how we triage, contain, investigate and communicate about security incidents. If we become aware of a security incident that affects your data, we will:

  • Investigate the cause and scope of the incident
  • Take reasonable steps to contain and remediate it
  • Notify affected customers and, where required, regulators in line with applicable law (such as the Australian Notifiable Data Breaches scheme and GDPR)
  • Apply lessons learned to reduce the likelihood and impact of similar incidents in future

Privacy and data handling

Security and privacy are closely linked. We comply with the Australian Privacy Principles under the Privacy Act 1988 (Cth) and, where applicable, GDPR and UK GDPR.

  • We collect only the personal information we need to operate the Services
  • We do not sell personal data
  • You retain control over the data in your workspace and can export or delete it in line with our terms and applicable law
  • We process data on behalf of customers as a data processor where required, subject to appropriate contractual terms

Full details are available in our Privacy Policy.

Subprocessors and third parties

We use a small, carefully selected set of subprocessors to help us deliver the platform, including providers for hosting, authentication, email delivery, payments and customer support. We choose providers with strong, independently verified security practices and contractually require them to handle data appropriately.

Customers on eligible plans can request a current subprocessor list and a Data Processing Addendum by contacting us at the address below.

Email security

Email sent from ReferU2 is delivered via a reputable transactional email provider and is signed and authenticated using current standards (SPF, DKIM and DMARC) to help recipients verify that the message genuinely came from us.

Your role in keeping data safe

Security is a shared responsibility. There are a few simple things you can do to keep your account and your organisation's data safe:

  • Use a strong, unique password and enable multi-factor authentication
  • Keep your devices, browsers and operating systems up to date
  • Only invite users who genuinely need access, and remove access promptly when it is no longer needed
  • Review the roles and permissions assigned within your workspace
  • Be cautious of phishing emails. ReferU2 will never ask you for your password or for codes from your authenticator app

Responsible disclosure

If you believe you have found a security vulnerability in ReferU2, we would genuinely like to hear from you. Please email us at security@referu2.com with as much detail as you can provide so we can reproduce and assess the issue.

We ask that researchers:

  • Give us a reasonable opportunity to investigate and remediate before disclosing publicly
  • Avoid privacy violations, destruction of data, interruption of service or degradation of the experience for other users
  • Only interact with accounts you own or have explicit permission to test
  • Refrain from running automated scanners that generate large amounts of traffic

We will acknowledge legitimate reports, keep you informed of our progress and credit researchers who follow responsible disclosure where they wish to be credited.

Contact

Post:
ReferU2
PO Box 517
Wynnum QLD 4178
Australia

This page describes our current practices and is provided for transparency. It is not a contract and does not change the terms of any agreement between you and ReferU2. We continually improve our security program and will update this page as our practices evolve.