This data security policy outlines the measures Refraction takes to ensure the security of all data, including customer data and the company's internal data.
Scope
This policy applies to all data processed, stored, or transmitted by Refraction, including all customer data and the company's internal data. It also applies to all employees, contractors, and third-party service providers who have access to this data.
Responsibilities
Refraction is committed to protecting all data processed, stored, or transmitted by our product, and to that end, we have implemented a number of measures to ensure data protection. The following are the key responsibilities of Refraction in exercising data protection:
- Restricting and monitoring access to sensitive data
- Developing transparent data collection procedures
- Training employees in online privacy and security measures
- Building secure networks to protect online data from cyberattacks
- Establishing clear procedures for reporting privacy breaches or data misuse
- Including contract clauses or communicating statements on how we handle data
- Establishing data protection practices
All employees who use Refraction are responsible for adhering to these data protection responsibilities, and for reporting any potential security incidents to the appropriate authorities. Refraction will periodically review and update these responsibilities to ensure that they remain relevant and effective in addressing emerging security threats and changes to the company's IT environment.
Data Acquisition
Refraction will only collect and process data necessary for its intended purpose. We will obtain consent from customers before collecting any personal data and will use secure transmission protocols to protect data in transit.
The Refraction app is hosted on Vercel, a SOC2 Type-2 and GDPR-compliant static hosting environment. All traffic is encrypted with SSL by default, and data is encrypted at rest (AES-256) and in transit (HTTPS / TLS), including sensitive information such as access tokens and secrets. Learn more about Vercel's security policies on the Vercel website.
Our payments are processed by Stripe, the PCI-compliant global standard for financial infrastructure for the internet. Stripe uses HTTPS for all services using TLS (SSL), and HSTS to enforce this. All card numbers are encrypted at rest with AES-256, and Stripe maintains strict policies around decryption keys, stored data and credentials. Learn more about their security policies on the Stripe website. They also use HackerOne for ongoing third-party vulnerability testing.
Additionally, Refraction collects behavioural, usage and error data for improving our platform, utilising third-party products such as Sentry — you can read more about their security policy on their website.
Data Storage
Refraction will implement strict access control procedures to ensure that only authorized personnel can access the data. Data will be stored on secure servers located in facilities with appropriate physical and environmental controls. Sensitive data will be encrypted at rest to prevent unauthorized access.
Our data is hosted on PlanetScale, a SOC2 Type-2 compliant serverless MySQL platform. PlanetScale databases and client communications are AES-encrypted both in transit and at rest. Encrypted data is transmitted with TLS. Learn more about their security policies on the PlanetScale website.
All user-generated data collected is stored securely in our database and is only accessible to the team or user who generated it. Input prompts and AI responses are not shared publicly and their contents are not sent to third parties, other than OpenAI for the initial creation. The data is stored solely to enable the History page for individuals and teams.
Data Classification
All data will be classified based on its sensitivity and value. Refraction will define access controls and security measures for each category of data. Access to sensitive data will be restricted only to authorized personnel who need it for business purposes.
Data Backups
Refraction maintains daily backups of all data to ensure its availability in the event of a system failure or other unexpected event. These backups are stored in a secure location and will be encrypted to prevent unauthorized access.
Data Disposal
When implemented, Refraction will securely dispose of all data that is no longer needed. This will include the permanent deletion of data from storage devices and the secure destruction of any physical media containing sensitive data.
Data Processing
Refraction will only process data necessary for its intended purpose. We will implement secure coding practices to prevent injection and other attacks that may lead to data leakage. All data processing will be logged and monitored to ensure that it is consistent with this policy.
Third-Party Access
Refraction will only grant access to data to third-party service providers who have agreed to abide by this policy and have demonstrated the ability to provide adequate security controls. All third-party access will be logged and monitored to ensure that it is consistent with this policy.
Report a Security Issue
We take security very seriously at Refraction due to the sensitivity of our customers' input. We review security issues as soon as possible, and you can report them by emailing security@refraction.dev. In the case of a potentially severe security incident, we are committed to informing any affected users.
This policy is subject to review and update as needed, and all employees who use Refraction are responsible for complying with this policy.