Security & Trust
At Render, we take security seriously and believe in a holistic approach across many different areas. Below, we highlight a number of the areas where we’ve focused our time so far and that we constantly monitor.
1. Secure Infrastructure
Render’s platform is built with security top of mind to reduce the toil you would otherwise have to shoulder with an Infrastructure as a Service (IaaS) solution. We continuously monitor and validate our infrastructure against best practices to ensure that we meet our security and reliability requirements.
2. Encryption
Render encrypts all sensitive data, both at rest and in transit. The underlying services automatically use industry-standard AES-256 encryption for storage. All endpoints support TLS 1.2 and above for encryption in transit, with an A+ grade from SSL Labs.
3. Continuous Security
Render focuses on continuous maintenance and monitoring of our security posture from code development through to production deployment. We implement multiple security controls, including source code review; vulnerability scanning of libraries, source code, and infrastructure; and continuous monitoring of all cloud providers and assets.
4. IT Controls
Render relies on Google Workspace Business Apps for email, documents, and calendaring, and we’ve implemented industry-standard practices including enforcing multi-factor authentication (MFA). We use MFA to protect all accounts on internal applications and third-party services such as cloud providers. Before we adopt any new service or vendor, we vet them for security using a documented approval process. Render maintains key IT policies and baseline standards to ensure that all IT devices and services meet our security standards at deployment time, and remain tracked and secure throughout their service life. Render also uses Jamf as the best-in-class Mac device management system to ensure our devices meet our high standards.
5. Vulnerability Disclosure Program
Render has partnered with HackerOne to maintain a private vulnerability disclosure program. All reports are triaged by HackerOne and are then forwarded on to the Render team as appropriate.
6. DDoS Protection
Render has partnered with Cloudflare for DDoS protection. “Cloudflare’s 142 Tbps network blocks an average of 117 billion threats per day, including some of the largest DDoS attacks in history.”
7. Penetration Tests
Render undergoes annual third-party application and network penetration tests with top-tier independent firms. Our tests cover the primary services that Render deploys, and because we host Render services on Render, we can guarantee that our customers will gain from all improvements that we make.
8. Render Security Features
Render has built in a number of security features that we encourage our customers to take advantage of. From multi-factor authentication to private URLs to automatically redirecting HTTP requests to HTTPS, Render has built in core features that we believe are table stakes for a PaaS provider.
9. Physical Security
Render has partnered with multiple underlying cloud providers that take physical security seriously and have the attestation to back it up. All vendors are reviewed for their commitment to security from their physical to their virtual controls.
10. Compliance
We take security seriously. To that end, compliance reports and agreements validate our commitment to adhering to security best practices and provide a level of assurance to our customers around the world. Please email Support to request a standard agreement or to ask about your compliance use case.
SOC 2: Render has obtained a SOC 2 Type 2 report as of January 2023. Please email Support.
ISO 27001: We are in the process of obtaining an ISO 27001 compliance report. We are able to provide a bridge letter on request to confirm that we have partnered with Secureframe for ongoing automated security and compliance checks.
GDPR: We offer a standard data processing agreement that meets international privacy requirements, including GDPR. We’re happy to share more about how your data is processed on Render.
HIPAA: To address customer HIPAA compliance inquiries, we offer a standard business associate agreement (BAA) for covered entities with HIPAA compliance needs.