Security & Trust
Last Modified: May 20, 2022
At Render, we take security seriously and believe in a holistic approach across many different areas. Below, we have highlighted a number of the areas where we’ve focused our time so far and are constantly monitoring.
Render’s platform is built with security top of mind to reduce the amount of toil you would typically have to shoulder if you were instead using an Infrastructure as a Service (IaaS) solution. We continuously monitor and validate our infrastructure against best practices to ensure that we meet our security and reliability requirements.
Render encrypts all sensitive data, both at rest and in transit. The underlying services automatically use industry-standard AES-256 encryption for storage. All endpoints support TLS 1.2 and above for encryption in transit with an A+ grade from SSL Labs.
Render focuses on continuous maintenance and monitoring of our security posture from code development through to production deployment. We implement multiple security controls, including source code review; vulnerability scanning of libraries, source code, and infrastructure; and continuous monitoring of all cloud providers and assets.
Render relies on Google Workspace Business Apps for email, documents, and calendaring, and we’ve implemented industry-standard practices including enforcing multi-factor authentication (MFA). We use MFA to protect all accounts on internal applications and third-party services such as cloud providers. Before we adopt any new service or vendor, we vet them for security using a documented approval process. Render maintains key IT policies and baseline standards to ensure that all IT devices and services meet our security standards at deployment time, and remain tracked and secure throughout their service life. Render also utilizes Jamf as the best-in-class Mac device management system to ensure our devices are meeting our high standards.
Render has partnered with HackerOne to maintain a private vulnerability disclosure program. All reports are triaged by HackerOne and are then forwarded on to the Render team as appropriate. We appreciate all disclosures and ask that you email email@example.com.
Render has partnered with Cloudflare for DDoS protection. “Cloudflare’s 142 Tbps network blocks an average of 117 billion threats per day, including some of the largest DDoS attacks in history.”
Render undergoes annual third-party application and network penetration tests with top-tier independent firms. Our tests cover the primary services that Render deploys, and as we host Render services on Render, we can guarantee that our customers will gain from all improvements that we make.
Render has built in a number of security features that we encourage our customers to take advantage of. From multi-factor authentication to private URLs to automatically redirecting HTTP requests to HTTPS requests, Render has built in core features that we believe are table stakes for a PaaS provider.
Render has partnered with multiple underlying cloud providers that take physical security seriously and have the attestation to back it up. All vendors are reviewed for their commitment to security from their physical to their virtual controls.
Render is in the process of obtaining both SOC 2 Type II and ISO 27001 compliance reports. We are able to provide a bridge letter on request to confirm that we have partnered with Secureframe for ongoing automated security and compliance checks. We take security seriously. To that end, these compliance reports are validation of our commitment to adhering to security best practices and providing a level of assurance to our customers around the world.