Data Security
Refchecks takes the security of personal data seriously. We implement multiple layers of protection to ensure your data — and your candidates' data — is safe.
Last updated: March 2026
Infrastructure Security
Australian Data Residency
All primary data is stored in Australian data centres (Sydney, NSW). Our infrastructure provider operates SOC 2 Type II certified facilities with physical security controls including biometric access, 24/7 surveillance, and redundant power systems.
Network Security
- All traffic encrypted with TLS 1.3 in transit
- Database connections accepted only from the application tier; the database is not reachable from the public internet
- DDoS protection via Vercel Edge Network with global PoPs
- Rate limiting on all authentication and API endpoints
- Strict Content Security Policy (CSP) headers
Data Encryption
Encryption at Rest
All data stored in our database is encrypted at rest using AES-256 encryption. This includes verification results, candidate information, and organisation data. Encryption keys are managed by our infrastructure provider with automatic rotation. Encryption at rest protects data if storage media are lost or stolen; it does not by itself limit what an authenticated application or user can read, which is the job of the access controls described under Application Security.
Encryption in Transit
All data transmitted between clients, our servers, and third-party providers uses TLS 1.3. We enforce HSTS (HTTP Strict Transport Security) so that browsers refuse plain-HTTP connections to our domains, preventing downgrade attacks. Certificates for all our domains are recorded in Certificate Transparency logs.
Application Security
Authentication
- Secure cookie-based authentication with the HttpOnly, SameSite, and Secure attributes set on session cookies
- Session tokens with automatic expiry and refresh
- Multi-factor authentication available for all accounts
- Magic link authentication for candidates and referees (no password required)
Authorisation
- Row-Level Security (RLS) enforced at the database level — every query is scoped to the authenticated user's organisation
- Role-based access control (admin/user) within organisations
- Token-based access for public portals (candidate, referee, employer verification); each verification token is single-use
Input Validation
- Server-side validation on all API routes using Zod schemas
- Parameterised queries to prevent SQL injection
- Content sanitisation to prevent XSS attacks
- AI screening injection guard — 16 detection patterns block prompt injection attempts before content reaches AI models
AI Security
Refchecks uses AI (powered by Anthropic's Claude) for document analysis, employment cross-referencing, and screening. Our AI security measures include:
- No data retention: AI providers do not retain or train on any data submitted through our platform
- Strict schema validation: All AI responses are validated against Zod schemas — malformed responses are rejected
- Injection protection: Candidate-submitted content is screened for prompt injection attempts before processing. Pattern screening catches known phrasings rather than every possible one, so it is backed by the schema validation and human review described here rather than relied on alone
- Human-in-the-loop: AI screening results (adverse media, social media) require human review before finalisation — no automated adverse determinations
- Protected attribute redaction: 27 protected attributes across 5 Australian anti-discrimination Acts are automatically redacted from AI screening inputs
Privacy by Design
- Data minimisation: We collect only the data necessary for each verification type
- Raw criminal history text is never stored: only the determination (clear/consider/adverse) is retained
- Financial data as boolean indicators: Credit check results store only boolean flags (has_defaults, has_bankruptcies) — no scores or amounts
- Consent-first: Candidates must provide explicit consent before any check is initiated. Consent is recorded with timestamp and IP address
- Purpose limitation: Financial checks require Part IIIA consent with explicit purpose justification
Fraud Detection Security
Our global fraud database uses HMAC-SHA256 hashing for cross-organisation matching. HMAC is a keyed hash: without the secret key, the stored values cannot be reversed by enumerating likely inputs, which matters because employer names, job titles and dates are low-entropy and would be trivial to guess against an unkeyed hash. This means:
- No personally identifiable information is shared between organisations
- Employment claims are compared using keyed one-way hashes; the original data cannot be recovered from the stored values
- Only discrepancies (mismatched dates, titles, or employers) are surfaced, never the underlying data from other organisations
Incident Response
Our incident response plan includes:
- 24-hour initial assessment of any reported security incident
- 72-hour notification to affected clients (and supervisory authorities under GDPR)
- Post-incident review with root cause analysis and remediation plan
- Error monitoring via Sentry with real-time alerts for anomalous behaviour
Compliance
- Australian Privacy Act 1988: Full compliance with all 13 Australian Privacy Principles (APPs)
- GDPR: Compliance for international clients and EEA data subjects (see our GDPR Compliance page)
- PCI DSS: Payment processing handled by Stripe (Level 1 PCI DSS compliant) — we never store card numbers
- Part IIIA Credit Reporting Code: Financial checks comply with the Privacy (Credit Reporting) Code 2014
Reporting a Security Issue
If you discover a security vulnerability in Refchecks, please report it to security@refchecks.com.au. We take all reports seriously and will respond within 48 hours.