Database security

tjcrowder · May 31, 2021, 12:30pm

Hi,

Can you point me at some information about managed Postgres operational security? Render has all of the information necessary to access the data in the database. What technical protections and/or policies are in place to prevent access by Render staff?

It’s not that we don’t trust Render staff. It’s “just” a matter of due diligence.

I found this topic, but it was only tangentially related.

Thanks in advance,

– T.J. Crowder

J_Buckley · June 7, 2021, 4:07pm

Same question regarding API keys, etc.

tjcrowder · June 10, 2021, 9:26am

(For lurkers, Render has reached out privately twice so far to say that while they don’t have a reply yet, they are working on one.)

jennifer · June 17, 2021, 8:28pm

Hi @tjcrowder,

You can refer to our Terms of Service, Section 7 (Security) and our Privacy Policy, Section 6.3 (Keeping your information safe) for Render’s policies on security and securing user data.

Render does not access user data, which is usually logs and configuration, unless given explicit approval by the user when they reach out for help debugging issues. Our support team will suggest alternative methods for resolution before requesting such permission. Additionally, we have authentication controls for access. Render customers can also install tools with auditing and alerting functions to monitor access to user data.

@J_Buckley For api keys, they are encrypted in our db, so we cannot see them.

tjcrowder · June 18, 2021, 10:46am

Hi @jennifer,

Thanks for that. Those sections seem to be mostly about account information, not the managed databases Render provides.

For instance, suppose employee X wanted to look at the data in our PostgreSQL database. What procedural and technical protections would they have to defeat or circumvent to do that?

Can you point me at anything that could be used for those purposes with your PostgreSQL managed databases?

Thanks,

– T.J.

Ashwin_Pai · December 6, 2022, 4:13pm

@jennifer We are currently using Render for postgres dB provisioning and we are wondering the same as well…I have worked at startups before where employees could easily access data in the dB. So making sure that is not the case here?

al_ps · December 8, 2022, 12:37pm

Hi Ashwin,

As a managed service provider, access to your database would be possible. However, any access would only be made under request from the service owner.

Alan

Topic		Replies	Views
Permissions Setting in Postgresql Database	4	1353	December 9, 2022
What technical controls to limit data exfiltration from servers?	7	1288	April 14, 2021
Permissions to UPDATE postgres extensions on managed database	3	767	April 23, 2023
Sharing access to databases	3	1517	November 10, 2022
GDPR compliance for EU customers	12	2855	November 9, 2023

Database security

Related topics