Render's Security Policies and Certifications

Hey all, is there any web page or info on Render.com’s security certifications or policies? Something like: https://www.heroku.com/policy/security. It could be a blocker for us to use in production, so want to see if there are any resources before moving forward – thanks!

Hi @avimoondra,

We don’t have any published resources, but I’m happy to answer any specific questions you have.

Got it - thanks @dan. Some specific questions:

Are you using AWS or GCP as your data center?

Is Render SOC1 or SOC2 certified?

What’s Render’s strategy for pen tests, vulnerability assessments, and reporting? Do you have a bug bounty program in place?

@avimoondra I have the same concerns you do about production. I asked @Ralph a few months ago, and he said, and I quote, “We likely won’t get SOC2 for at least another quarter.” He was kind enough to start a mailing list and add me to it; maybe you could contact him at ralph@render.com and get added also?

Thanks for the question 🙂 Answers are inline

Are you using AWS or GCP as your data center?

We are currently using AWS for our Frankfurt, Germany region and are using GCP for our Oregon, US region.

Is Render SOC1 or SOC2 certified?

No, neither. As @cjl mentioned, we are working on SOC 2 certification, but we don’t yet have it. If you want to get notified when it’s complete, we are tracking it in our public feature tracker. If you vote on it and add your email, you will get updated when it is done: SOC 2 Compliance | Feature Requests | Render

What’s Render’s strategy for pen tests, vulnerability assessments, and reporting?

Pen tests, vulnerability assessments, and reporting are all part of the SOC 2 work that we’re doing, so we’re still working through what exactly our approach will be.

Do you have a bug bounty program in place?

We don’t have an advertised bug bounty program, but we do award bounties to security reports when we receive them.

If you have any more questions, feel free to keep them coming 🙂

Since it’s been a year, I wanted to check in on SOC 2. We’re looking at a Heroku alternative but our clients would require SOC 2 or something similar.

Hi Josh,

We have started the process of getting our SOC 2 and will make an announcement as soon as we receive it!

Hey Tyler! Any chance you have an update on this one? Totally understand this is a complicated issue, just trying to figure out our options as we’re approaching a point where we’ll need to be SOC 2 compliant.

Best,
Zach

Zach,
We’re well underway with our SOC2 work - I don’t have an ETA I can report, as, like you say, it’s complicated, but it is very much in progress.

Regards,

John B

Got it, thanks for the reply!