Security at Refyle

Built from the ground up to handle sensitive business documents — without storing them.

Files are never stored permanently.

When you upload a document to Refyle, it is processed by Claude AI to extract naming information — then permanently deleted. We never store the contents of your files beyond the active processing session. This is not a policy choice; it is how the system is architected.

Security Architecture

🔒

Encryption in Transit

Active

All data transmitted to and from Refyle is encrypted using TLS 1.2+. Your files travel to our servers over an encrypted connection and are never transmitted in plain text.

🗑️

Automatic File Deletion

Active

Uploaded files are automatically purged within 48 hours of upload. Renamed files and ZIP archives are deleted after 7 days. There is no manual step required and no recovery path after deletion. Rename records and metadata are retained permanently to power your batch history.

🛡️

PHI Screening

Active

Every upload is automatically screened for Protected Health Information (PHI) before processing. Documents containing patient names, SSNs, medical record numbers, or other identifiers are automatically rejected. This prevents accidental processing of HIPAA-regulated documents.

🔑

Access Controls

Active

Refyle uses row-level security on all database tables. Your account data is only accessible to you — no other user can see your files, configurations, or usage data. Administrative access is strictly limited.

🏗️

Infrastructure Security

Active

Refyle is built on Supabase (hosted on AWS) and Netlify CDN. Both platforms maintain SOC 2 Type II certification. Our servers are never directly accessible from the public internet.

🔍

Monitoring and Alerts

Active

We monitor for unusual access patterns, failed authentication attempts, and anomalous usage. Security events trigger automated alerts for immediate review.

What We Don't Do

PHI Screening in Detail

When you upload a file, Refyle runs a pre-processing scan for common PHI patterns before the full AI analysis begins. If PHI is detected:

  1. The file is immediately flagged and rejected
  2. No filename is generated
  3. The file is never transmitted to the AI
  4. You receive a notification that the file was rejected
  5. The file is deleted from our servers

This protects users who accidentally upload documents containing patient information — and it protects Refyle from being used outside its intended scope. Refyle is not HIPAA-certified and is not designed for patient medical records.

Responsible Disclosure

If you discover a security vulnerability in Refyle, please report it responsibly to security@refyle.com. We review all reports and respond within 48 hours. We do not pursue legal action against good-faith security researchers.

Contact

Security questions or concerns? Contact us at security@refyle.com.