This technical report presents RefA, a reference architecture for security-compliant DevOps. RefA consists of a set of models that illustrate the artefacts and practice areas to consider when implementing secure DevOps lifecycles. In addition, RefA describes the people, process, and technology aspects to be considered in each practice area. Practitioners can use RefA to design and assess the security compliance of their DevOps lifecycles, while researchers may use RefA as a reference for setting up research roadmaps. The RefA models result from combining an in-depth analysis of the IEC 62443-4-1 standard for secure industrial product development, a review of the continuous software engineering literature, and observations made in practice in the context of a large industrial company during the past 5 years. The manuscript constitutes original, previously unpublished research.