Security and trust
Refinery Security and Enterprise Trust Posture
Refinery starts read-only, minimizes access, separates tenants, and treats formal certifications as claims that must be earned. Production writeback is policy-gated, reviewable, and verified. Enterprise evaluation begins with Readiness Scan or Shadow Baseline — not uncontrolled production access.
Read-only first
Every enterprise engagement can begin with Readiness Scan or 14-day Shadow Baseline — no production writeback required. This reduces access scope and proves issue rate before any live repair.
Data minimization
Refinery is designed to govern operational metadata and decision evidence on agreed paths. Do not submit secrets, API keys, or sensitive production payloads through public website forms.
Tenant isolation
Operational data and governed decisions are scoped per tenant. Cross-tenant access is not part of the product model.
Encryption posture
Data in transit uses TLS. Storage encryption depends on deployment tier and enterprise agreement. Private runtime options are available under Enterprise Evidence Layer.
Access model
- Baseline and pilot access scoped to agreed paths and connectors
- Human review queue for risky decisions
- Policy-gated writeback only on certified paths
- Audit receipts for every governed decision
Subprocessor posture
Refinery may use infrastructure providers for hosting, email, authentication, and database services under appropriate terms. Subprocessor list: available on request; publication in a public Trust Center is in progress.
Incident response
Security contact: security@getrefinery.nl. Responsible disclosure welcomed for good-faith reports.
Certification roadmap (honest status)
- SOC 2 Type II: Planned — not claimed until achieved
- ISO 27001: Planned — not claimed until achieved
- HIPAA mode under BAA: Planned — Enterprise Evidence Layer
Baseline safety posture
The 14-day baseline can measure a path without changing production records.
Refinery can report what would have been fixed, blocked, or reviewed before writes are enabled.
Do not send API keys, credentials, or sensitive production data through marketing forms.
Writeback controls
- Production writeback should be enabled only for approved governed paths.
- Deterministic policy handles clear and allowed cases first.
- Risky, ambiguous, or low-confidence changes should go to human review.
- Approved writes should be verified against the target state.
- Every decision should produce an inspectable receipt.
BYOK and model runtime posture
Refinery’s product doctrine favors BYOK and judge visibility where AI is used. AI should support ambiguous judgment, not become a hidden authority. Customers should be able to understand when a model was involved, what evidence was used, and why a decision was allowed or escalated.
Audit and operator controls
Record-level receipts are central to the trust model: policy, actor, timestamp, evidence, decision, writeback status, target verification, and outcome. This helps operators review what happened without relying on vague automation claims.
Roadmap posture
Tenant isolation, SSO, RBAC, deeper audit export, and compliance reporting are important enterprise requirements. Refinery should not claim SOC 2 certification unless that certification is actually achieved.
Identity and access management posture
Production deployments should support role-based access, tenant-scoped permissions, and auditable operator actions. SSO integration and finer-grained RBAC are roadmap items for Enterprise Evidence Layer — not implied as fully available on every tier today.
Data retention and deletion
Retention depends on deployment tier and enterprise agreement. Baseline and pilot engagements should define how long observation data, receipts, and review artifacts are kept. Deletion requests for lead-form data are handled under the Privacy Policy.
DPA and enterprise agreements
A Data Processing Agreement is available under enterprise agreement. Refinery processes customer operational metadata and decision evidence to govern agreed paths — not as a generic data broker. Subprocessor transparency is published in the Trust Center with honest status labels.
Responsible disclosure
Good-faith security reports are welcome at security@getrefinery.nl. Do not submit live credentials, customer PII, or exploit payloads through public marketing forms. We aim to acknowledge reports promptly and coordinate remediation for validated issues.
What Refinery does not claim
- SOC 2 Type II, ISO 27001, or HIPAA compliance unless formally achieved and contractually supported
- Universal production repair readiness for every connector in the catalog
- That support visibility or readiness posture equals live runtime operability