Trust center

Built for cautious enterprise evaluation

Refinery starts read-only, minimizes access, treats formal certifications as claims that must be earned, and produces receipt-backed evidence for governed decisions. Status labels below are honest — not marketing defaults.

Security overview

GDPR posture

Refinery is designed for data minimization on governed paths. Lead forms collect only information needed to respond to baseline requests. Do not submit secrets or sensitive production payloads through public website forms.

This page is product posture, not legal advice. GDPR posture is ready for customer review, not a claim of legal compliance.

Enterprise controls — status

Control | Status
GDPR posture | Ready for customer review - data minimization, DPA review, and retention scoping
DPA (Data Processing Agreement) | Available under enterprise agreement
Subprocessor list | Available on request — In progress for public Trust Center publish
BYOK for external AI | Available — see BYOK page
SSO / SAML | Planned — Enterprise Evidence Layer
Advanced audit export | In progress
SOC 2 | Planned — not claimed until achieved
ISO 27001 | Planned — not claimed until achieved
HIPAA mode under BAA | Planned — Enterprise Evidence Layer
Responsible disclosure | Available — contact security@getrefinery.nl

Data retention and deletion

Retention depends on offer tier and enterprise agreement. Baseline and pilot engagements define scope upfront. Enterprise customers can configure retention and export requirements under the Evidence Layer.

FAQ

Does Refinery claim SOC 2 compliance?

No. SOC 2 is on the roadmap and will not be claimed on the website until formally achieved and supported by evidence.

Contact enterprise trust

Start read-only. No production writeback required. Do not submit secrets through public website forms.