This article explains how Refari protects your data. It sets out the technical, organisational and infrastructure controls we use to keep your company, hiring-manager, referrer and candidate information safe across the Refari platform, our website widgets and our integrations. It is written for anyone assessing Refari's security posture, whether you are a recruiter with a quick question, a hiring manager doing due diligence, or an IT or security team completing a vendor review.
Refari is a recruitment platform, so the data we hold on your behalf includes your account and team records, your company settings and job adverts, and candidate personal information such as names, contact details and resumes. We treat all of it as sensitive, and we protect it in layers, so that no single control has to stand on its own. We routinely assess, test and improve the technology, controls, processes and procedures that govern how our systems are managed.

How to read this article: the table below is a quick summary for a fast review. Each row is then explained in full in its own section further down, so you can go as deep as you need.Security at a glance
| Security area | What Refari does |
|---|---|
| Data in transit | Encrypted over HTTPS using TLS on every connection, so information cannot be read or altered on its way to us. |
| Data at rest | Encrypted with AES-256, including databases, backups and snapshots, with keys held in AWS Key Management Service. |
| Access control | Role-based, with every company's data separated from every other company's at the data layer. |
| Sign-in security | An enforced password policy, one-way password hashing, and optional multi-factor authentication. |
| Payments | Handled by Stripe. Full card numbers are never stored on Refari servers. |
| Hosting | Amazon Web Services, in secure, encrypted cloud regions. We can host your data in a specific region on request. |
| Monitoring | Continuous error monitoring, request rate-limiting, and a change-audit trail of sensitive actions. |
| Resilience | Automated, encrypted daily backups and tested recovery procedures. |
Access control and data separation
Refari maintains strict access controls so that users can only reach the information relevant to their role. Every user's access is governed by a structured permissions framework that takes into account both their company membership (which organisation they belong to) and their role within that company.

Roles carry different levels of access. A Company Admin can manage the account and its people, a Company Manager has broad operational access, and a Company Member works within a narrower set of permissions. Hiring managers, referrers and candidates are separate user types with their own limited access. To see exactly what each role can and cannot do, read our guide on Refari Roles ↗.
This layered approach means that:
- Users are shown only the data they need for their responsibilities.
- One company can never see another company's candidates, jobs or settings. This separation is enforced at the data-access layer on every request, not just hidden in the interface.
- Administrative functions are reserved for approved people with the right elevated role.
Where companies connect to Refari programmatically, each API key is tied to a single company and grants access only to that company's data. Access follows the principle of least privilege throughout: people and systems are given the minimum access needed to do their job, and no more.
Encryption in transit
All communication with Refari is encrypted in transit using TLS (Transport Layer Security) over HTTPS. Any request that arrives over plain HTTP is automatically redirected to the secure HTTPS version, and our servers are configured to use strong, modern encryption ciphers. This means that data moving between your browser and Refari, including login sessions, job applications and form submissions, cannot be intercepted or tampered with by anyone in between.

Widgets on your website
Refari widgets (such as your job board, search bar and registration forms) are designed to be embedded only on websites that have a valid SSL certificate. This keeps candidate and hiring-manager interactions, including sign-in sessions and application submissions, encrypted over HTTPS. It is particularly important for secure Single Sign-On (SSO), where a valid certificate is required for the exchange to be trusted.
API and internal traffic
Data exchanged between Refari's own services, and between Refari and connected systems such as your applicant tracking system, is likewise encrypted in transit. Connections to our search and storage services are made over encrypted, certificate-verified channels.
Encryption at rest
Data that Refari stores is encrypted at rest using the Advanced Encryption Standard with 256-bit keys (AES-256), applied transparently at the storage layer by Amazon RDS (our managed database service). Encryption at rest covers:
- The primary database.
- Automated backups.
- Database snapshots.
- Any read replicas, where used.
This means that even in the unlikely event of a storage-level compromise, the underlying data remains unreadable without the decryption keys.
Key management
Encryption keys are managed through AWS Key Management Service (KMS). Keys are never hardcoded or exposed in Refari's application code, access to key material is tightly controlled, and key usage is logged within KMS. You can read more about how this works in the encryption information provided by AWS.
Uploaded files and resumes
Files that candidates upload, such as resumes, are held in private cloud storage that is not publicly browsable. They are never exposed at a permanent public web address; instead they are served only through short-lived, signed links generated for an authorised request.
Application security
Beyond encryption, Refari applies a range of protections in the application itself to defend against common web attacks.
- Protection against SQL injection. Refari uses parameterised database queries throughout, so user input is always treated as data and never assembled into raw database commands. Input is also validated before it is accepted.
- Protection against cross-site scripting (XSS). Content is escaped on output so that submitted text cannot be turned into executable code in another user's browser.
- Clickjacking protection. The platform restricts where it can be framed, so it cannot be silently embedded and hijacked by a malicious site.
- Bot protection. Public-facing forms, such as candidate registration and enquiries, are protected by Google reCAPTCHA to filter out automated abuse.
- Rate limiting. Requests are automatically throttled per user and per anonymous visitor, which blunts scraping, brute-force attempts and other high-volume abuse.
Safe handling of uploaded files
Because candidates upload documents, Refari validates every file before accepting it:
- Only recognised document formats are allowed (PDF, DOC, DOCX, PPT and PPTX).
- The true file type is verified by inspecting the file's actual contents, not simply trusting its name or extension.
- File sizes are capped, so oversized uploads cannot be used to overload the service.
- Where Refari fetches a file from a link, it refuses addresses that point at private or internal systems, guarding against server-side request forgery.
Sign-in security and passwords
Refari enforces a strong password policy on every account. New and changed passwords must meet all of the following requirements:
| Requirement | Rule |
|---|---|
| Minimum length | At least 8 characters. |
| Numbers | At least 3 numeric digits. |
| Uppercase letters | At least 1 uppercase letter. |
| Special characters | At least 1 special character (for example @, !, #, $ or %). |
| Not a common password | Passwords that appear on lists of widely-used, easily-guessed passwords are rejected. |
Passwords are never stored in a readable form. They are protected with one-way, salted hashing, which means the original password cannot be recovered from what we store, and Refari staff can never see your password.
Sign-in sessions are protected too. Session cookies are marked HttpOnly (so they cannot be read by scripts running in the browser) and Secure (so they are only ever sent over HTTPS), and cross-site request forgery protection is limited to trusted Refari domains.
Multi-factor authentication
Multi-factor authentication (MFA) adds a second step to signing in, on top of a password, usually a one-time code from an authenticator app or a text message. It is one of the single most effective protections against stolen or guessed passwords.

Refari offers MFA on your accounts, and it can be configured in two ways:
- User-level MFA: an individual can turn MFA on for their own account.
- Organisation-level MFA: an administrator can enforce MFA across the whole company, with separate control over whether it applies to admins and managers, or to the wider team as well.
MFA can use either a time-based authenticator app (scanning a QR code with an app such as Google Authenticator) or SMS codes. This is an optional feature available on request, so that companies who need stricter sign-in controls can enable it for their team.
Idea: if your organisation would like MFA enforced across all of your users, email us at support@refari.co and we will enable the organisation-level policy for your account.Payment information
In line with payment-industry best practice, Refari does not store full payment card details on our servers. Card information is transmitted securely to Stripe, our payment provider, which handles storage and processing. Refari only keeps a secure reference (a token) to the card held at Stripe, along with non-sensitive details such as the card brand, expiry month and year, and the last four digits, purely so you can recognise the card on your billing screen.

Stripe is a certified PCI Service Provider Level 1, the most stringent level of payment-industry certification. You can read Stripe's own data security information here.
Secure hosting
The Refari platform is hosted on Amazon Web Services (AWS). AWS provides encryption at rest and in transit, hardware security modules, and comprehensive physical and environmental security at its data centres, all of which contribute to a secure foundation for our platform.
If your organisation needs its data hosted in a specific geographic region, for data-residency or regulatory reasons, we can arrange that. Just let us know your requirements when you get in touch.
Building on AWS also gives us the ability to control, audit and manage identity and configuration, and to meet the compliance, governance and regulatory expectations of both government and private-sector customers. You can review AWS's data-centre security controls here.
Internal access and staff security
Strong customer-facing controls are only half the picture, so Refari holds its own team to strict internal security practices as well.
- Mandatory multi-factor authentication. Every team member must use MFA to reach our critical systems, including cloud infrastructure, email delivery platforms and source-code repositories.
- Least-privilege access. Access to production systems, such as databases and internal tools, is tightly restricted by role and necessity. Only authorised people are granted it, and only at the minimum level needed to do their work.
- A strict internal password policy applies to all staff accounts.
- Secrets are never committed to source code. Credentials and encryption keys are injected through a managed secrets store and secure environment configuration, keeping them out of our codebase entirely.
Monitoring, logging and audit trail
Refari monitors its systems continuously so that problems are caught quickly and sensitive activity stays traceable.
- Continuous error monitoring surfaces faults across the platform in real time, so our engineering team can respond before issues spread.
- A change-audit trail records sensitive changes, such as edits to accounts, company settings, job adverts, candidates and applications, capturing who made the change and when, so activity can be reviewed after the fact.
- Sensitive values are kept out of logs. Passwords are never written to our logs.
Backups and disaster recovery
Refari maintains a structured disaster-recovery approach to keep the platform resilient and your data protected in the event of an unexpected disruption.

- All production data is backed up automatically on a daily schedule using encrypted snapshots, with additional manual backups taken ahead of significant platform changes.
- Our application code is version-controlled and stored in GitLab, so core systems can be rebuilt and redeployed quickly from a known-good state.
- Recovery and rollback procedures are reviewed and tested, so we can respond confidently to infrastructure issues, code-level faults or service interruptions.
Our approach prioritises both data integrity and minimal downtime, helping to ensure a reliable and consistent experience.
Your data and your control over it
Because Refari holds personal information about candidates on your behalf, it is important that you can manage it. Candidate personal data can be erased or anonymised on request: the resume is deleted and identifying details such as name, email, phone and other contact fields are cleared, so the record can no longer be tied to an individual. This helps you meet your own privacy obligations to the people in your talent pool.
For more on how candidate consent and preferences are handled, see Managing candidate consent, privacy and marketing preferences ↗.
Requesting more information
We are happy to answer questions about our data security. If you would like more information, or if your security team needs to complete a vendor assessment, you can email us to submit a request.
Note: we handle security enquiries in writing rather than in meetings. Sharing our controls openly is one thing, but discussing operational specifics live creates an avenue for information to leak and for malicious actors to use social-engineering techniques to probe for weaknesses. Handling requests in writing lets us give you a considered, vetted answer while keeping everyone's data safe. If you believe you have found a security vulnerability, please email us so we can look into it responsibly.Final Notes
Security is not a one-off exercise. We continually assess and improve our controls as the platform grows and as the threat landscape changes. The measures above describe how Refari protects your data today, and they are reviewed regularly as part of how we run the service.
Other articles you might be interested in: Refari Roles | Managing candidate consent, privacy and marketing preferences in Refari
Was this article helpful?
That’s Great!
Thank you for your feedback
Sorry! We couldn't be helpful
Thank you for your feedback
Feedback sent
We appreciate your effort and will try to fix the article