Security

Built for biometric data,
from the start.

Facial scans are some of the most personal data a person can share. We treat it that way — with the controls, audits and accountability you'd expect from a medical product.

Encryption — everywhere.

Your data is encrypted in transit and at rest.

  • TLS 1.3 for every connection between your device and our servers
  • AES-256 encryption at rest for all stored scans and personal data
  • Encrypted backups with the same standards as production

Strict access controls.

Only the people who need to see your data ever do.

  • Role-based access with least-privilege defaults
  • Mandatory two-factor authentication for all internal accounts
  • All access events logged and reviewed
  • Quarterly access reviews and immediate revocation on offboarding

Compliance & alignment.

We design against the frameworks that matter for medical-adjacent data.

  • HIPAA-aligned controls for US workflows; Business Associate Agreements (BAAs) available where required
  • GDPR & UK GDPR compliant for the EU and UK
  • PDPA (Singapore) compliant
  • SOC 2 Type II on our roadmap for 2026

Minimize, then minimize again.

We collect the smallest amount of data needed to do the job.

  • Scans are tied to pseudonymous internal IDs; your name is never stored alongside a scan in our systems
  • Biometric data deleted within 90 days of last activity by default
  • You can request deletion at any time — and we honor it
  • No selling, no sharing for advertising, ever

Incident response.

We hope we never need this — but we're ready.

  • 24/7 incident response process with clear severity tiers
  • Mandatory user notification within 72 hours of confirming a breach that affects your data
  • Postmortems published for any incident affecting customer data

Independent eyes.

We don't grade our own homework.

  • Annual third-party penetration testing
  • Open vulnerability disclosure program — see below for contact
  • Continuous dependency and infrastructure scanning

Found something?

Responsible disclosure.

If you believe you've found a security vulnerability in Refrakt, please reach out before publishing. We'll respond within 24 hours and credit researchers who report in good faith.

Email the security team