Data Processing Agreement

Last updated: June 2026 · Aligned with Article 28 GDPR. Plain English.

This DPA describes how re.fer handles personal data on a customer’s behalf. It forms part of the main subscription contract. A real customer should be able to read this and understand exactly what we will and will not do.

1. Definitions

Controller means the customer organization that signs up for re.fer and decides which collaboration metadata to send us. Processor means re.fer, which handles that data on the controller’s behalf. Personal data, data subject, processing, and supervisory authority carry the meanings given in the GDPR (EU 2016/679) and equivalent terms in the UK GDPR and the CCPA.

2. Subject matter

This DPA governs all processing of personal data that re.fer performs on the customer’s behalf when the customer uses the re.fer service. It applies to the production application, the Rehoboam engine, and any subprocessors listed at /legal/subprocessors.

3. Duration

This DPA is in force for the entire term of the customer’s subscription, plus a 30-day deletion grace period after termination, as described in section 11. Sections on confidentiality and liability survive termination.

4. Nature and purpose of processing

re.fer reads collaboration metadata to produce organizational insights. We compute network shape, response latency, overload signals, and team coupling. We do not read message content, document content, or call recordings. The purpose is limited to surfacing those insights inside the customer’s workspace and supporting Rehoboam, which writes the human-readable summary the customer sees.

5. Types of personal data

Workplace collaboration metadata only. This includes: employee names, work email addresses, role titles where the customer chooses to upload them, channel and group identifiers, interaction timestamps, message counts per channel per user, response latency, and workspace membership. Free-text message content, file content, and direct-message metadata are out of scope and re.fer will not request them.

6. Categories of data subjects

Workforce members of the customer organization who use the customer’s connected tools (Slack, GitHub, Jira, Google Calendar, Google Drive, Notion, Linear, GitLab). Where the customer enables a connector that reaches contractors or external collaborators, those individuals may also be in scope. The customer is responsible for notifying its workforce that re.fer is in use, as required by the customer’s local employment and privacy laws.

7. Obligations and rights of the controller

The customer is the controller. The customer warrants that it has a lawful basis to send each category of personal data to re.fer, that it has given any required notice to its workforce, and that the data it sends is accurate. The customer issues instructions through its workspace settings and through written requests to privacy@userefer.app. re.fer processes personal data only on documented instructions from the controller.

8. Processor obligations

re.fer commits to the following.

Confidentiality: every person who handles customer data is bound by a written confidentiality obligation.

Security: re.fer maintains the technical and organizational measures described in the security whitepaper at /security/whitepaper, including row-level isolation, TLS 1.2 or higher in transit, AES-256 at rest, role-based access, and a 90-day audit log.

Subprocessor authorization: re.fer engages only the subprocessors listed at /legal/subprocessors and will notify the customer of any addition with at least 30 days’ notice, during which the customer may object.

Data subject rights assistance: re.fer will help the controller respond to access, correction, deletion, and portability requests from data subjects within reasonable timeframes.

Breach notification: re.fer will notify affected controllers without undue delay and in any event within 72 hours of confirming a personal data breach.

Deletion on termination: re.fer will delete or return all customer personal data within 30 days of termination, unless retention is required by law.

9. Subprocessors

The current list of approved subprocessors is published and kept current at /legal/subprocessors. The customer authorizes re.fer to use those subprocessors and agrees that re.fer remains liable for their acts and omissions under this DPA.

10. International transfers

re.fer’s primary infrastructure is hosted in the United States. Where personal data of EU, UK, or Swiss data subjects is transferred outside the EEA, the transfer is governed by the European Commission’s Standard Contractual Clauses (Decision 2021/914), the UK International Data Transfer Addendum, and the Swiss FDPIC adaptations as applicable. The customer and re.fer enter into those clauses by signing this DPA. re.fer applies supplementary measures: encryption in transit and at rest, access controls, and a documented response to government access requests.

11. Deletion and return

On termination of the subscription, the customer may export its data through the in-app export. After the 30-day grace period described in /legal/retention, re.fer permanently deletes all customer personal data from primary storage. Backups are overwritten on the standard backup rotation and any residual copies are isolated from production.

12. Audit rights

On reasonable notice and no more than once per year, the customer may request a summary of re.fer’s security posture, recent third-party audit reports once available, and answers to a security questionnaire. Once SOC 2 Type I is complete, re.fer will share the report under NDA in place of a custom audit.

13. Governing law

This DPA is governed by the law of the customer’s main contract with re.fer. Where the customer is established in the EEA, UK, or Switzerland, this DPA is read alongside the Standard Contractual Clauses and the law that applies to those clauses prevails for the cross-border transfer sections.

14. Contact

All privacy, DPA, and security questions go to privacy@userefer.app. We respond within 5 business days for general requests, and within the SLAs set out in the incident response policy at /legal/incident-response for confirmed incidents.