Security · Privacy · Compliance
Trust Centre & Legal
Trust is the foundation of every referral. Here's how Referrio keeps your customers' data — and your reputation — safe.
Encryption everywhere
All traffic is served over TLS 1.2+ and customer data is encrypted at rest using AES-256 on managed infrastructure.
Least-privilege access
Production access is restricted to a small group of engineers using SSO, MFA and time-bound, audited sessions.
Resilient by design
Daily encrypted backups, automated failover and infrastructure deployed across multiple availability zones.
Observability & monitoring
Every API call, login and admin action is logged. Anomalies page on-call engineers around the clock.
№ 02
Compliance & standards
Registered with the ICO. UK-based data controller for our own operations.
Standard Contractual Clauses with every cross-border subprocessor.
Consent-led email and SMS workflows out of the box.
Type II audit currently underway with an independent assessor.
Internal ISMS modelled on the Annex A control set.
№ 03
Subprocessors
The trusted vendors that help us run Referrio. We review each one against our security and privacy standards.
| Provider | Purpose | Region |
|---|---|---|
| Supabase | Primary database, authentication and storage | EU (Frankfurt) |
| Cloudflare | Edge network, DNS, DDoS mitigation, WAF | Global |
| Mailgun | Transactional and broadcast email delivery | EU |
| Twilio | SMS one-time codes and reward notifications | EU / US |
| Stripe | Subscription billing and payment processing | EU / US |
| OpenAI | Optional AI features (livechat, drafting assistance) | US |
№ 04
Frequently asked
Where is my data stored?
Customer data is stored in our primary EU region. Backups are encrypted and held in a second EU availability zone for disaster recovery.
Who can access my data inside Referrio?
Only a small number of engineers, only via SSO with hardware-key MFA, and only when responding to a support ticket or production incident. Every session is logged.
How do you handle data deletion?
You can delete a referrer, campaign or your whole workspace at any time from the dashboard. Hard deletion completes within 30 days, including from backups.
Do you have a DPA?
Yes — our Data Processing Agreement is pre-signed for every paid plan and available on request.
How do I report a security issue?
Email security@referrio.co.uk. We acknowledge reports within one business day and run a coordinated disclosure programme.
Policies & contact
The legal documents that govern using Referrio.
Report vulnerabilities to security@referrio.co.uk