My team has already been in discussion with someone at Render about this, but it raised some questions that I think could be useful for all EU customers of Render.
Our general question is: how do you ensure your EU customers remain GDPR compliant while using Render services?
One thing we have been told so far is:
Your databases are encrypted before being transferred to the US, and encryption keys are also on our US servers.
Can you confirm why our database is transferred to the US when it is created in the Frankfurt region? If this is to aid with customer support or something, can we opt out of such a transfer/replica being held in the US?
Could it be useful to have some documentation somewhere to confirm that EU customers can remain GDPR compliant while using Render? And to note any extra steps they might need to take - eg request a data processing agreement from Render? Currently a search of ‘GDPR render.com’ doesn’t yield any useful results.
I would like to second this. It’s a potential dealbreaker for us. We have clients that are very wary of GDPR and we’d need Render to provide a GDPR data processing agreement (like many other cloud providers to in a standardized fashion).
Render offers a standard data processing agreement that meets international privacy requirements. Please email support@render.com if you have questions about your specific use case and the privacy requirements for your region. We’d be happy to share more about how your data is processed on Render.
Adding documentation for this is on our list of things to do! Sorry for the confusion!
As part of our managed PostgreSQL product, we automatically backup user databases. These backups are encrypted and stored in servers in the US. With the understanding that no automatic backups will be taken for a database, we can disable backups for a database. We will eventually colocate db backups in the same region as the database.
Hi, the privacy policy continues to imply that render is not GDPR compliant yet
Data storage and transfer: We store data on servers in the U.S. or any other country in which Render or its affiliates, subsidiaries, agents or contractors maintain facilities. If you are located in the European Union or other regions with laws governing data collection and use that may differ from U.S. law, please note that your personal information may be transferred to a country and jurisdiction that does not have the same data protection laws as your jurisdiction.
We would love to use render, but unfortunately this is a blocker for us. Are there maybe any plans on changing this in the near future (e.g. end of the year/next year)?
GDPR does not limit where data can be stored and we have a data processing agreement that we are happy to sign and enter into an agreement with you which will make you compliant with GDPR.