RenderDoc
RenderDoc
Sign InGet Started

Security at RenderDoc

Your data security and privacy are our top priorities. Learn about the measures we take to protect your information.

Our Security Commitment

At RenderDoc, we implement industry-leading security practices to protect your data. Our platform is built with security as a foundational principle, not an afterthought.

We undergo regular security audits, maintain compliance with industry standards, and continuously monitor our systems for potential threats.

Security Features

Data Protection

All connections secured via TLS (CloudFlare). Passwords and API keys are hashed with bcrypt. Document content is processed securely with configurable retention.

Secure Infrastructure

Hosted on Railway with encrypted storage, CloudFlare DDoS protection, and AWS S3 for secure document storage. Regular security patches and updates applied.

Access Controls

Role-based access control (RBAC), two-factor authentication (2FA), and API key management with granular permissions.

24/7 Monitoring

Real-time security monitoring, intrusion detection systems, and comprehensive audit logs for all system activities.

Data Protection

Data Security

  • In Transit: All connections to our API are secured via TLS through CloudFlare
  • Passwords: User passwords are hashed using bcrypt (12 rounds) - never stored in plain text
  • API Keys: API keys are hashed using bcrypt before storage and never stored in plain text
  • OAuth Tokens: OAuth access tokens are securely hashed before storage

Document Content Privacy

Important: Your document content is handled securely:

  • Generated documents are stored temporarily with signed URLs
  • Download URLs expire after a configurable time period
  • Documents are automatically deleted based on your retention settings
  • Template variables are never logged in plain text

We retain generation metadata (template ID, timestamp, status) for 90 days for operational purposes.

Data Isolation

Each customer's data is logically isolated using tenant IDs. Database queries are scoped to prevent cross-tenant data access.

Infrastructure Security

Cloud Hosting

  • Railway: Hosted on Railway with managed infrastructure and encrypted storage
  • High Availability: Automatic health checks, restarts, and zero-downtime deployments
  • DDoS Protection: CloudFlare protection against distributed denial of service attacks
  • Firewall: CloudFlare Web Application Firewall (WAF) to block malicious traffic

Network Security

  • Private networking between services within Railway
  • Database access restricted to internal services only
  • All external traffic routed through CloudFlare proxy
  • Regular vulnerability scanning and penetration testing

Disaster Recovery

  • Automated daily backups with 30-day retention
  • Point-in-time recovery capabilities
  • Tested disaster recovery procedures
  • Recovery Time Objective (RTO): 4 hours
  • Recovery Point Objective (RPO): 1 hour

Application Security

Authentication & Authorization

  • JWT Tokens: Secure, stateless authentication with short expiration times
  • Two-Factor Authentication: Optional 2FA using TOTP (Time-based One-Time Password)
  • API Keys: Cryptographically secure API keys with configurable permissions
  • OAuth 2.0: Support for Google and Microsoft OAuth providers
  • Password Requirements: Minimum 8 characters with complexity requirements

Input Validation

  • All API inputs validated against strict schemas
  • Protection against SQL injection, XSS, and CSRF attacks
  • Template variable validation and sanitization
  • Document size and type restrictions

Rate Limiting

  • API rate limits to prevent abuse and ensure fair usage
  • Exponential backoff for failed authentication attempts
  • IP-based throttling for suspicious activity

Compliance & Certifications

Data Privacy

  • GDPR Ready: Core features implemented - data export, account deletion, 90-day retention policies
  • CCPA Aligned: Privacy controls available - delete account requests honored within required timeframes
  • Security Audits: Regular internal security reviews and vulnerability assessments

Payment Processing

  • PCI DSS Compliant: All payment processing handled via Cashfree - we never store credit card data

Document Security

  • Signed URLs: All document download URLs are cryptographically signed and time-limited
  • Access Control: Documents can only be accessed by authorized users with valid tokens
  • Secure Storage: Documents stored in encrypted AWS S3 buckets with server-side encryption

Security Practices

Employee Access

  • Principle of least privilege - employees have minimal necessary access
  • Background checks for all employees with data access
  • Mandatory security training for all staff
  • NDA agreements for all employees and contractors

Code Security

  • Automated security scanning in CI/CD pipeline
  • Dependency vulnerability monitoring with Snyk
  • Code review required for all changes
  • Regular security updates and patches

Incident Response

  • 24/7 security monitoring and alerting
  • Documented incident response procedures
  • Security incident communication plan
  • Post-incident reviews and improvements

Responsible Disclosure

We welcome security researchers to report vulnerabilities responsibly. If you discover a security issue:

How to Report

  • Email us at security@renderdoc.dev
  • Include detailed steps to reproduce the issue
  • Allow us reasonable time to address the issue before public disclosure
  • Do not exploit the vulnerability beyond what is necessary to demonstrate it

Our Promise

  • We will acknowledge your report within 24 hours
  • We will provide regular updates on our progress
  • We will credit researchers who report valid vulnerabilities (with permission)
  • We will not pursue legal action against researchers acting in good faith

Best Practices for Customers

While we implement strong security measures, you can help protect your account:

  • Enable two-factor authentication (2FA) on your account
  • Use strong, unique passwords for your account
  • Rotate API keys regularly and revoke unused keys
  • Use environment variables for API keys, never commit them to code
  • Monitor your account activity and usage regularly
  • Report any suspicious activity immediately
  • Keep your integration libraries and dependencies up to date
  • Implement proper error handling to avoid leaking sensitive information

Questions About Security?

If you have questions about our security practices or need additional information for your security review:

RenderDoc Security Team

Security Inquiries: security@renderdoc.dev

Vulnerability Reports: security@renderdoc.dev

We're happy to provide additional security documentation, answer specific security questionnaires, or discuss our security practices in detail.

← Back to Home