Security

Protecting your affiliate program and data

Overview

Security is paramount when managing an affiliate program. This guide outlines the security measures built into Refgrow and best practices to protect your account, affiliate data, and integration points.

Account Security

Password Requirements

Refgrow enforces strong password policies to protect your account:

  • Minimum 8 characters in length
  • Must contain at least one uppercase letter
  • Must contain at least one lowercase letter
  • Must include at least one number
  • Must include at least one special character

We recommend using a password manager to generate and store unique, complex passwords.

Two-Factor Authentication (2FA)

Enabling two-factor authentication adds an essential layer of security to your account:

  1. Go to your account settings
  2. Navigate to the "Security" tab
  3. Click "Enable 2FA"
  4. Scan the QR code with an authenticator app
  5. Enter the verification code to confirm setup
  6. Save your backup codes in a secure location

With 2FA enabled, you'll need both your password and a time-based code from your authenticator app to log in.

Session Management

Refgrow includes several features to manage active sessions:

  • Automatic Timeouts: Sessions automatically expire after 30 minutes of inactivity
  • View Active Sessions: See all devices currently logged into your account
  • Remote Logout: Force logout of any suspicious sessions

To view and manage your sessions:

  1. Go to your account settings
  2. Navigate to the "Security" tab
  3. Review the "Active Sessions" section

Data Protection

Encryption

Refgrow implements multiple layers of encryption to protect your data:

  • Data in Transit: All communications between your browser and Refgrow servers use TLS 1.2+ encryption
  • Data at Rest: Sensitive information stored in our databases is encrypted using industry-standard AES-256 encryption
  • Sensitive Data: API keys, payment information, and authentication tokens are additionally protected with strong hashing algorithms

Data Retention

Refgrow follows these data retention practices:

  • Account data is retained as long as your account is active
  • Backup data is retained for 30 days
  • Access logs are kept for 90 days
  • Deleted account data is fully removed from our systems within 30 days

You can request data export or deletion at any time through your account settings.

Privacy Controls

Control what data you collect from affiliates:

  1. Go to your program settings
  2. Navigate to the "Privacy" tab
  3. Configure the following options:
    • Required affiliate profile fields
    • Optional affiliate information
    • Data visibility settings for your affiliates
  4. Save your settings

These settings help ensure you collect only the data necessary for your program and comply with privacy regulations.

API Security

API Key Management

Secure handling of API keys is essential:

  • Key Generation: API keys are randomly generated with high entropy
  • Key Storage: Never store API keys in client-side code or public repositories
  • Rotation: Regularly rotate API keys, especially if you suspect they've been compromised

To generate or rotate your API keys:

  1. Go to your program settings
  2. Navigate to the "API" tab
  3. Click "Generate New Key" or "Rotate Key"
  4. Confirm the action (note that existing keys will be invalidated)
  5. Update your integrations with the new key

Rate Limiting

Refgrow implements rate limiting on API endpoints to prevent abuse:

  • Standard plan: 60 requests per minute
  • Pro plan: 300 requests per minute
  • Enterprise plan: Customizable limits

If you exceed these limits, requests will return a 429 status code until the rate limit window resets.

IP Restrictions

Restrict API access to specific IP addresses:

  1. Go to your program settings
  2. Navigate to the "API" tab
  3. Find the "IP Restrictions" section
  4. Add approved IP addresses or CIDR ranges
  5. Save your settings

Once IP restrictions are enabled, API requests from non-approved IP addresses will be rejected.

Note: IP restrictions are available for users on Pro and Enterprise plans.

Fraud Prevention

Affiliate Verification

Verify affiliate identities to prevent fraud:

  1. Go to your program settings
  2. Navigate to the "Affiliates" tab
  3. Enable these verification options:
    • Email verification requirement
    • Manual approval for new affiliates
    • Domain restrictions for affiliate signups
  4. Save your settings

Commission Approval

Implement a commission approval workflow to prevent fraudulent commissions:

  1. Go to program settings
  2. Navigate to the "Commissions" tab
  3. Enable "Manual Commission Approval"
  4. Configure the approval rules
  5. Save your settings

With this setting enabled, commissions will be held in a pending state until manually approved.

Click Fraud Detection

Refgrow includes several mechanisms to detect fraudulent clicks:

  • IP Tracking: Identifies multiple clicks from the same IP address
  • Bot Detection: Filters out non-human traffic
  • Conversion Validation: Verifies legitimate conversions
  • Anomaly Detection: Flags unusual patterns in click activity

Configure fraud detection sensitivity:

  1. Go to program settings
  2. Navigate to the "Tracking" tab
  3. Adjust fraud detection settings
  4. Save your changes

Compliance

GDPR Compliance

Refgrow includes features to help with GDPR compliance:

  • Data processing agreements available for Enterprise customers
  • Tools for data subject access requests
  • Right to be forgotten functionality
  • Configurable cookie consent options
  • Data minimization controls

For specific GDPR guidance, please consult with a legal professional familiar with your business requirements.

PCI Compliance

For payment-related functionality, Refgrow:

  • Never stores full credit card information
  • Uses PCI-compliant payment processors for all transactions
  • Ensures secure transmission of payment data
  • Maintains separation between affiliate tracking data and payment information

Security Best Practices

Enable 2FA for All Admin Accounts

Require two-factor authentication for anyone with administrative access to your Refgrow account to prevent unauthorized account access.

Regularly Review Access

Periodically audit user access to your affiliate program and remove access for team members who no longer need it.

Secure API Integration

Keep API keys secure by storing them in environment variables or secure key vaults, never in source code or client-side applications.

Monitor for Unusual Activity

Regularly check your affiliate dashboard for unusual patterns in signups, clicks, or conversions that could indicate fraudulent activity.

Security Updates and Notifications

Refgrow regularly updates its security measures and will notify you of:

  • Critical security patches
  • Updates to security features
  • Changes to our security policies
  • Potential security concerns relevant to your account

Ensure your notification settings are configured to receive these important updates:

  1. Go to your account settings
  2. Navigate to the "Notifications" tab
  3. Ensure "Security Alerts" are enabled
  4. Verify your contact email is current

Reporting Security Issues

If you discover a security vulnerability or have concerns about your account security:

  1. Email security@refgrow.com with details
  2. Do not disclose the issue publicly until it has been addressed
  3. Include as much information as possible about the potential vulnerability

Our security team will acknowledge your report within 24 hours and work to address any valid concerns promptly.

Next Steps

Dashboard Customization Troubleshooting