Rehoboam reads metadata. Refer keeps it sealed.

The page you vet us on before you trust us with your team.

Inside Refer, Rehoboam reads the shape of how your company works together. This is the architecture that keeps it that way: a boundary enforced in code, your data held in your tenant, and controls a reviewer can verify.

Enforced, not promised.

The line is drawn in code, not in a policy doc.

Refer reads the shape: Sender, Timestamp, Channel, Cadence.

The line.

Never collected: Message text, Files, Transcripts, DMs.

Every untrusted value (a name from a connector, an evidence field) is run through a prompt-injection sanitizer before it reaches the model, so text inside your data cannot rewrite Rehoboam's instructions. Each workspace sits behind Row-Level Security on every tenant table, gated by org_id and validated server-side on every request. The boundary holds because the system cannot reach across it.

I work with the shape of the week, not its words.

What we actually do

Four stances re.fer takes, every day, in code that ships.

01 Privacy

Metadata only. The content stays yours, untouched.

re.fer reads passive collaboration metadata: who works with whom, when, in which channel. Message text, call transcripts, files, and attachments are never collected. Slack OAuth scopes carry no DM access and no files access by design. Any person can opt out from their own settings and re.fer hard-deletes their derived signals on the spot. A Right to Access export and a Right to Erasure delete are one click each, no support ticket required.

  • No message, call, or file content collected
  • Slack scopes carry no DM or files access
  • Per-person opt-out that hard-deletes signals
  • One-click export and one-click delete

02 Isolation and access

One workspace cannot see another. Inside it, access is three roles.

Every tenant table has Row-Level Security on, gated by an is_org_member check on org_id. The active workspace is bound to a cookie that is validated server-side on every request. The Rehoboam engine tables (memory, correlation, calibration, and synthesis) sit behind RLS with zero policies, reachable only from the server-side service role. Inside a workspace, access is exactly three roles: Owners, Admins, and Viewers; the org-level read never names a person, and person-scoped insights are gated to the people you grant. A cross-org invariant test runs in CI, so an isolation regression cannot ship. Every sensitive action lands in a customer-facing audit log at /settings/audit with 90-day retention.

  • RLS on every tenant table, gated by org_id
  • Three roles only: Owners, Admins, Viewers
  • Engine tables are service-role only
  • CI test for the org-isolation invariant
  • Audit log at /settings/audit, 90-day retention

03 Authentication

A real account, hashed credentials, and a disposable-email gate.

Sign-in runs on Supabase Auth with bcrypt-hashed passwords or Google OAuth. Every new password is checked against the Have I Been Pwned k-anonymity range before it is accepted, at signup and at reset. Signups are checked against a 35-domain disposable-email block list and a fake-local-part check and rejected at the gate, so the people in your workspace are people you can reach.

  • Supabase Auth, bcrypt-hashed passwords
  • Google OAuth as a first-class option
  • HIBP breach check at signup and reset
  • Disposable-email block list at the signup gate
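
The k-anonymity range check described above, as an added example that is not Refer's own code: it assumes a hypothetical fetch_range callable standing in for the Pwned Passwords range endpoint, and the breached sample and its counts are constructed. Only the first five hex characters of the SHA-1 ever leave the server; the suffix comparison happens locally.

```python
import hashlib
from typing import Callable, Dict, List, Tuple


def sha1_upper(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """k-anonymity lookup: send the 5-char SHA-1 prefix, receive every suffix
    sharing that prefix as 'SUFFIX:COUNT' lines, and compare locally."""
    digest = sha1_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        cand, _, count = line.strip().partition(":")
        if cand == suffix:
            return int(count or 0)
    return 0


def accept_password(password: str, fetch_range: Callable[[str], str],
                    min_length: int = 8) -> Tuple[bool, str]:
    """Gate applied at signup and at reset: refuse anything seen in a breach."""
    if len(password) < min_length:
        return False, "too short"
    n = breach_count(password, fetch_range)
    if n > 0:
        return False, f"seen {n} times in breach corpora"
    return True, "ok"


# Constructed stand-in for the range endpoint (hypothetical; counts are made up).
BREACHED_SAMPLE: Dict[str, int] = {"password": 3730471, "P@ssw0rd!!": 17}


def fake_range(prefix: str) -> str:
    lines: List[str] = []
    for pw, n in BREACHED_SAMPLE.items():
        h = sha1_upper(pw)
        if h.startswith(prefix):
            lines.append(f"{h[5:]}:{n}")
    # A decoy suffix, because a real response holds many unrelated suffixes.
    lines.append("0" * 34 + "A:1")
    return "\r\n".join(lines)
```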

04 Production

A locked-down browser perimeter and a paper trail for everything that matters.

Every response carries a preloaded two-year HSTS policy, X-Frame-Options SAMEORIGIN, X-Content-Type-Options nosniff, a strict-origin Referrer Policy, a locked-down Permissions Policy, and a same-origin COOP. A Content Security Policy ships in report-only mode while we tune it. TLS 1.2 or higher in transit, AES-256 at rest via Supabase managed Postgres. The waitlist and Ask endpoints are rate-limited with Upstash. /.well-known/security.txt points to a real inbox for responsible disclosure, and the cookie banner is honest: one strictly-necessary cookie, zero trackers.

  • HSTS preloaded, COOP same-origin, X-Frame-Options SAMEORIGIN, nosniff
  • CSP shipping in report-only
  • TLS 1.2+ in transit, AES-256 at rest
  • Upstash rate limiting on waitlist and Ask
  • security.txt for responsible disclosure

Where your data lives

Your data does not leave for a third party.

Refer processes your collaboration metadata inside your own tenant. We do not ship it to an outside memory service to make the product feel smarter. When a vendor offered exactly that, a shared memory layer that would have moved your signals onto their servers, we turned it down. The convenience was real. So was the cost: your data leaving your boundary.

On the Enterprise tier you can bring your own model key, and customer prompts run through your provider account, never our managed stack.

Enterprise controls

What a procurement reviewer needs, in one register.

  • Role-based access (Shipped): Three roles. Owner, Admin, and Viewer scope what each member sees inside a workspace; the org-level read never names a person. Platform admin is decoupled from per-org roles, so the Refer team cannot grant itself owner access to your workspace.
  • Tamper-evident audit log (Shipped): Every sensitive action lands in an append-only audit log at /settings/audit, and each entry is part of a hash chain, so a missing or altered row is detectable. There is no update or delete path; not for customers, not for us. Configurable retention, CSV and JSON export, readable by owners and admins.
  • Per-source consent (Shipped): A person can be held out of any one connected tool, not just the product as a whole. The hold-out is enforced at ingestion and again at read, so a held-out source never reaches the graph. Employees can hold themselves out.
  • EU AI Act decision log (Shipped): Every read about a person is recorded with the inputs it used and a standing guarantee that no emotion is inferred. The data subject can read their own entries, and anything low-confidence is flagged for human review.
  • Works-council pack (Shipped): A consultation bundle generated from the live workspace: a per-source Article 30 record of processing, a legitimate-interest balancing test, the consent posture, and the AI Act safeguards. English or German.
  • DPIA and compliance pack (Shipped): A Data Protection Impact Assessment and an exportable compliance bundle, both generated from the workspace as configured. Hand them to a security reviewer or a works council without waiting on us.
  • Data ownership (Shipped): Your data is yours. One-click export for Right to Access, one-click permanent delete for Right to Erasure.
  • Retention and deletion (Shipped): Retention is set per data category and downsampled over time; deletion removes derived signals on the spot.
  • SSO and SCIM (Roadmap): This is on the roadmap. We will publish the target window here, and we will not list it as shipped before it is.

A different posture

Most tools collect content. Refer collects metadata.

Privacy here is not a setting on a screen. It is the shape of the system.

Most tools: Reads message text to rate sentiment.
re·fer: Reads collaboration metadata. Who, when, in which channel.

Most tools: Individual productivity grading by default.
re·fer: No grading. Surfaces overload to protect people.

Most tools: Person-level insights visible to everyone.
re·fer: Org-level reads stay nameless. Person cards stay scoped.

Most tools: Buried export. Email support to delete.
re·fer: One-click export. One-click permanent delete.

What each connector reads

8 connectors, metadata only, line by line.

Every scope below is the literal OAuth scope the product requests, read straight from the connector registry in code. We list what we read, what we never read, and the one signal we derive from it.

  • Slack
    Reads: Channel membership and message metadata: who posted, when, in which channel, and which reactions landed.
    Never reads: Message text, thread bodies, or direct messages.
    Derived signal: Who collaborates with whom across channels, and how that pattern shifts week to week.
    OAuth scopes: users:read, users:read.email, channels:read, groups:read, channels:history, reactions:read
  • GitHub
    Reads: Pull-request reviews, issue comments, and assignment events: who reviewed whose work, and when.
    Never reads: Source code, diffs, commit contents, or comment bodies.
    Derived signal: Cross-team review and handoff patterns, and where work routes around the org.
    OAuth scopes: read:org, read:user, repo
  • Jira
    Reads: Ticket assignments, transitions, and handoffs between people: who picked up what, and when it moved.
    Never reads: Ticket descriptions, comment text, or attachments.
    Derived signal: How cross-functional work flows between people and where handoffs cluster.
    OAuth scopes: read:jira-work, read:jira-user, offline_access
  • Google Calendar
    Reads: Meeting attendee lists and timing: who met with whom, when, and for how long.
    Never reads: Event titles, descriptions, notes, or attachments.
    Derived signal: Meeting overlap and cross-team coordination load, and how it concentrates.
    OAuth scopes: https://www.googleapis.com/auth/calendar.readonly, https://www.googleapis.com/auth/userinfo.email
  • Notion
    Reads: Page edit history and @-mentions: who co-edited or tagged whom, and when.
    Never reads: Page content, block text, or comment bodies.
    Derived signal: Cross-functional document collaboration and who is pulled into whose knowledge work.
    OAuth scopes: read_content
  • Google Drive
    Reads: File modification metadata: who co-edited which document, and when.
    Never reads: Document content, titles, comments, or attachments.
    Derived signal: Cross-functional document collaboration across the Google Workspace half of the org.
    OAuth scopes: https://www.googleapis.com/auth/drive.metadata.readonly, https://www.googleapis.com/auth/userinfo.email
  • Linear
    Reads: Issue assignment handoffs and comment threads: who picked up or commented on whose issue, and when.
    Never reads: Issue titles, descriptions, or comment bodies.
    Derived signal: How cross-functional issue work flows and where handoffs cluster, for Linear-native teams.
    OAuth scopes: read
  • GitLab
    Reads: Merge-request approvals and notes: who reviewed or commented on whose work, and when.
    Never reads: Source code, diffs, or note bodies.
    Derived signal: Cross-team review and handoff patterns for GitLab-hosted engineering.
    OAuth scopes: read_api

Governance and compliance evidence

The evidence a reviewer asks for, already in the product.

Privacy law and an AI buyer want proof, not a promise. These all ship today, generated live from your workspace, so a security reviewer, a DPO, or a works council can verify the controls before any certificate is in hand. They are the tooling, not a badge we have not earned.

EU AI Act decision log

Every read Rehoboam writes about a person is recorded in a decision log with the inputs it used and a standing guarantee: no emotion is inferred, ever. A data subject sees their own entries, and anything low-confidence is flagged for human review rather than acted on silently.

Each employee can read their own decision log inside the product.

Per-source consent, enforced twice

A person can be held out of any one connected tool, not just the product as a whole. The hold-out is enforced at ingestion and again at read, so a held-out source never reaches the graph and never reaches a read. This is a control no single-source tool can offer.

Owners set it per person and per source; employees can self-hold-out.

Works-council pack, EN and DE

The consultation bundle a Betriebsrat expects, generated from the live configuration: a per-source Article 30 record of processing, a legitimate interest balancing test, the current consent posture, and the AI Act safeguards. Exportable in English or German.

One download, generated from the workspace, not a static template.

In-product DPIA and compliance pack

A Data Protection Impact Assessment and a single compliance bundle, both built from the workspace as it is configured: connectors, metadata-only minimization, retention window, and the current naming posture. Hand it straight to a security reviewer.

Preview it in-app, then export the markdown for your reviewer.

Tamper-evident audit log

Every sensitive action lands in an append-only log, and each entry is part of a hash chain, so a missing or altered row is detectable. There is no update or delete path, not for customers, not for us. Export to CSV or JSON with configurable retention.

The chain is the evidence SOC 2 and ISO 27701 controls attest against.
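
How the hash chain makes a missing or altered row detectable, serving both the Enterprise-controls entry and this section: an added example, not Refer's own implementation, with constructed sample rows and an assumed chaining scheme (SHA-256 over the previous hash plus the row as canonical JSON). It also checks the chain against a previously exported head hash, because a chain on its own cannot reveal rows dropped from the tail.

```python
import hashlib
import json
from typing import Dict, List, Optional, Tuple

GENESIS = "0" * 64  # prev_hash of the first row


def entry_hash(prev_hash: str, fields: Dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so a row always hashes the same way.
    payload = json.dumps(fields, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


def append(log: List[Dict], fields: Dict) -> Dict:
    """Append-only write: the new row commits to the previous row's hash."""
    prev = log[-1]["entry_hash"] if log else GENESIS
    row = dict(fields, prev_hash=prev, entry_hash=entry_hash(prev, fields))
    log.append(row)
    return row


def verify(log: List[Dict], expected_head: Optional[str] = None) -> Tuple[bool, Optional[int], str]:
    """Walk the chain; return (ok, index of the first bad row, reason)."""
    prev = GENESIS
    for i, row in enumerate(log):
        fields = {k: v for k, v in row.items() if k not in ("prev_hash", "entry_hash")}
        if row["prev_hash"] != prev:
            return False, i, "broken link"  # a row before this one is missing or reordered
        if row["entry_hash"] != entry_hash(prev, fields):
            return False, i, "altered row"  # contents changed after being written
        prev = row["entry_hash"]
    if expected_head is not None and prev != expected_head:
        return False, len(log), "truncated tail"  # rows dropped from the end
    return True, None, "ok"


def sample_log() -> List[Dict]:
    """Constructed rows of the kind of sensitive actions the page describes."""
    log: List[Dict] = []
    append(log, {"seq": 1, "org_id": "org_a", "actor": "owner@example.com",
                 "action": "invite_member", "at": "2024-05-06T09:00:00Z"})
    append(log, {"seq": 2, "org_id": "org_a", "actor": "admin@example.com",
                 "action": "export_compliance_pack", "at": "2024-05-06T09:05:00Z"})
    append(log, {"seq": 3, "org_id": "org_a", "actor": "owner@example.com",
                 "action": "change_role", "at": "2024-05-06T09:09:00Z"})
    return log
```

Keeping the latest entry_hash with each export gives a reviewer the expected_head to pass on the next verification.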

Employee transparency

Each person has a plain-language page showing exactly what Refer reads about them, what it never reads, and a one-click hold-out. Privacy here is not a legal page, it is a control the person can use themselves.

Linked from each person’s Monday brief, no admin request needed.

Where we stand, plainly

Pre-revenue, pre-audit. No fake badges.

re.fer is pre-revenue and pre-audit. We have a certification path, and we name it as a path, not a badge. GDPR alignment runs through the Data Processing Agreement, the Right to Access export, and the Right to Erasure delete. CCPA alignment runs through the same flows. We do not claim a compliance badge we have not earned, and we will not invent procurement theater to make a deck look ready.

What we do ship today is the evidence those attestations would test. A tamper-evident, hash-chained audit log, and an exportable compliance pack with a per-source record of processing, a balancing test, and a DPIA, all generated live from your workspace and mapped to SOC 2 and ISO 27701 controls. So a reviewer can verify the controls now, before any certificate is in hand. The evidence above the fold is real even while the badge is still on the path.

  1. SOC 2 Type I (Next milestone)
    Our next engagement. A point-in-time attestation that the controls on this page are designed correctly. We will publish the auditor and the target window here the day we sign.
  2. SOC 2 Type II (Planned)
    The follow-on attestation that those controls held over an observation window, not just on one day. It comes after Type I, on a window we will state honestly here.
  3. ISO 27701 (Targeted)
    The privacy-specific certification, and the right one for a product built on collaboration metadata. It extends an information-security baseline with privacy management, which is exactly the posture this page describes.

On the Enterprise tier, customers can plug in their own Anthropic, OpenAI, or Ollama key. Customer-sensitive prompts then run through your provider account and never touch our managed model stack. Per-tier workspace limits are enforced at the database layer, and platform admin accounts are decoupled from per-org roles, so the re.fer team cannot quietly grant itself owner access to a customer workspace.

Book a pilot

Refer earns the trust before it asks for it.

Book a pilot and see a calm, privacy-first read on your team, without ever reading what your people say.
