Please submit potential vulnerabilities or any security-related questions to security@ref.tools.
While many teams and individuals already trust Ref, please note that we are still on the journey of growing our product and improving our security posture. If you're working in a highly sensitive environment, you should be careful when using Ref (or any other AI tool). We hope this page gives insight into our progress and helps you make a proper risk assessment.
Overview
Ref is built with security and privacy as core principles. This page outlines our security architecture, data handling practices, and compliance efforts. Key areas include:
- MCP Implementation: Local and remote server protocols with API key authentication
- Data Protection: End-to-end encryption, isolated multi-tenant architecture, and comprehensive audit logging
- Compliance: Active SOC2/ISO27001 certification process with subprocessor disclosure
- Monitoring: Real-time health checks and public status updates
MCP
Protocols
Ref provides an open-source stdio server that can be run locally and a streamable-http server that you connect to remotely.
Authentication
Ref uses API keys for authentication. MCP supports OAuth; however, the spec has been in flux and there is a recent report of severe vulnerabilities due to client implementations. The complexity of a system is itself a risk factor, so we've chosen to stick to the simple API key pattern for now.
Data Handling
Encryption
- In Transit: All data is encrypted during transit. Ref uses MCP streamable-http transport.
- At Rest: Documents and search indices are encrypted at rest in our database.
- Customer Managed Keys: Turbopuffer supports customer managed encryption keys (available upon request).
Data Isolation
We take data isolation very seriously in our multi-tenant environment:
- Each team and user has their own isolated namespace in Turbopuffer.
- Indexing jobs run in single, transient, isolated containers. Your documents and credentials are never present at the same time as another team’s data.
- All application data reads go through Firestore rules that enforce user access at the database level.
Audit Logging
- Complete activity logging for users and teams available at ref.tools/activity
- Logs include user identity, tool calls, and arguments
Incident Response
- Internal monitoring via Sentry and Google Cloud alerting tools
- Status updates published at ref.tools/status during incidents
Compliance
Certifications
- SOC2 and ISO27001: Currently in progress with vendor support
- Updates will be provided as certifications are completed
Subprocessors & Data Access
Our security model includes the following subprocessors with specific data access patterns:
- Turbopuffer: Stores docs. Turbopuffer is the primary search store used by Ref. It is also used by Cursor and Notion. Stores documents, descriptions, and vector embeddings with encryption at rest and isolated namespaces.
- Firebase: Sees and stores docs. Temporarily processes search results through Functions and temporarily caches results in Firestore with database-level access controls. All data is encrypted at rest.
- Google Cloud Run: Sees docs. Processes indexing jobs in isolated, transient containers. User docs will be loaded
- Google Vertex AI: Sees docs. Generates document description with zero-data retention policy.
- VoyageAI: Sees docs. Creates vector embeddings of docs with zero-data retention policy.
- OpenAI: Sees docs. Powers research agent functionality with zero-data retention policy. User data will be included in prompts sent to OpenAI.
- Anthropic: Sees no docs. Powers evals on public documentation sets with zero-data retention policy. User data will be included in prompts sent to OpenAI.
- Stripe: Sees no docs. Processes payment information with PCI-compliant security standards.
- Postmark: Sees no docs. Delivers transactional emails with user contact information.
- Mailchimp: Sees no docs. Manages marketing communications and newsletter subscriptions.
- Mixpanel: Sees no docs. Analyzes product usage analytics.
- Sentry: Sees no docs. Monitors errors and performance with anonymized telemetry data.
- Google Workspace: Sees no docs. Used for communication and coordination.
- Slack: Sees no docs data. Used to communicate with partners.
- GitHub: Sees no docs data. Used for version control.
Monitoring & Health Checks
- Health check endpoint: api.ref.tools/ping
- Internal monitoring and alerting infrastructure
- Status page: ref.tools/status