// Trust & Security Report

    Render Services, Inc. logo

    Render Services, Inc.

    Render is a cloud application-hosting (PaaS) platform: web services, static sites, private services, background workers, cron jobs, durable workflows, managed Postgres, and a Redis-compatible key-value store, spanning a free tier up through Team/Organization and Enterprise workspace tiers with tier-gated compliance documentation.

    Certifications held

    6

    Maturity

    Growth

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type II
    HELD

    Validates an organization's security controls and their operational effectiveness via annual third-party audit. ... Pro plan and higher can access (requires NDA): SOC 2 Type 2 report

    Verify on render.com
    SOC 3
    HELD

    All workspaces can access: SOC 3 report

    Verify on render.com
    ISO/IEC 27001:2022
    HELD

    Render is ISO/IEC 27001:2022 certified.

    Verify on render.com
    GDPR (posture / DPA)
    HELD

    GDPR-DPA — Protect the personal data and privacy of EU citizens for transactions that occur within EU member states

    Verify on render.com
    EU-US Data Privacy Framework (incl. UK extension, Swiss-US DPF)
    HELD

    Certified under the EU-US Data Privacy Framework including the UK extension and Swiss-US DPF

    Verify on render.com
    HIPAA
    HELD

    Render supports HIPAA-enabled workspaces for organizations that process and store US health data. ... Build and scale healthcare applications on a compliant platform.

    Verify on render.com
    > Show 5 unconfirmed / not-held certifications
    PCI DSS
    NOT CONFIRMED

    No public evidence: not mentioned on Render's security, trust, or certifications pages. Render is not a payments processor (billing is handled by a third-party payment processor), so PCI DSS scope would not apply to Render's own environment.

    source: render.com
    ISO 27017 / 27018 / 27701
    NOT CONFIRMED

    No public evidence found on render.com; only ISO/IEC 27001:2022 is claimed.

    source: render.com
    ISO/IEC 42001 (AI management systems)
    NOT CONFIRMED

    No public evidence. Render markets itself as infrastructure for deploying agents/AI workloads, but does not claim an AI-governance certification such as ISO 42001 or CSA STAR for AI on any of its security, trust, or certifications pages.

    source: render.com
    CSA STAR
    NOT CONFIRMED

    No public evidence found on render.com.

    source: render.com
    FedRAMP
    NOT CONFIRMED

    No public evidence found on render.com.

    source: render.com

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    Primary hosting via subprocessors AWS and GCP (United States); no explicit customer-selectable EU/other data-residency region was found in the captured pages. Render is certified under the EU-US DPF, UK extension, and Swiss-US DPF for cross-border transfer purposes.

    Render is an infrastructure/PaaS provider (compute, storage, databases, workflows), not a model vendor or SaaS app that trains on user content. Its 'Agents'/'Render MCP' features are deploy targets for customers' own agent code, not a first-party AI product ingesting customer data for training. No page (security, trust, privacy, or certifications) references training AI/ML models on customer data; absence of any such claim is treated as a 'no' rather than a positive on-the-record confirmation from Render, since we could not fetch the full body text of the Privacy Policy itself.

    // Security controls

    Encryption at rest

    Minimum AES-128 encryption for databases, backups, and secrets

    render.com

    DDoS protection

    Built-in DDoS protection for every service, no extra configuration or add-ons

    render.com

    Private networking

    Keeps internal service-to-service traffic off the public internet

    render.com

    TLS

    Fully-managed, free TLS certificates for every domain, including wildcards

    render.com

    Access control

    Role-based access control and unique user identification for services/resources

    render.com

    Audit logging

    Built-in audit logging and monitoring for platform events

    render.com

    Vulnerability disclosure

    Public bug bounty / VDP run via HackerOne; security contact security@render.com, abuse contact abuse@render.com

    render.com

    Subprocessors

    AWS, Google Cloud Platform, Cloudflare, ClickHouse Inc. (all United States) listed as of the captured page

    render.com

    // Products & data scope

    Render (core platform, all tiers)Cloud application hosting / PaaS

    data: Customer application code, container images/build artifacts, environment variables and secrets, database contents (Render Postgres/Key Value), logs and metrics

    Base platform: web services, static sites, private services, background workers, cron jobs, workflows. Free tier available; compliance documents are still tier-gated even for paying customers below Organization tier.

    Render Organization / Pro tier and aboveTeam / enterprise workspace

    data: Same as core platform plus access to gated compliance evidence

    Only Organization-tier-and-above workspaces (with an NDA) can download the SOC 2 Type II report, ISO 27001 certificate, and Render security policy; all workspaces (including free) get the SOC 3 report and GDPR DPA.

    HIPAA on RenderHealthcare / regulated-data hosting

    data: Protected health information (PHI) for customer healthcare applications

    Marketed feature for building HIPAA-compliant apps; full BAA terms and tier requirements were not visible in the pages we could retrieve, so this remains unverified beyond Render's own marketing claim. Flag: confirm BAA availability and tier gating with Render sales before advertising HIPAA support without caveats.

    // What to watch

    • Compliance documents (SOC 2 Type II report, ISO 27001 certificate, security policy) are gated to Pro/Organization tier plus a signed NDA; free and lower-tier customers only get SOC 3 and the GDPR DPA. Listings should not imply that every Render customer can self-serve the full SOC 2/ISO 27001 evidence.
    • Could not retrieve the full body text of Render's HIPAA feature page or Privacy Policy (fetches returned only navigation/footer scaffolding), so BAA terms and exact HIPAA tier requirements are marketing-page-level claims only, not independently confirmed from primary source text.
    • A separate, unrelated third-party company named 'Render Compliance' (rendercompliance.com, a SOC 2 audit/CPA firm) surfaced in search results; this is NOT Render Services, Inc. and none of its certifications or claims were attributed to Render.com in this assessment.
    • No evidence of an AI-governance certification (ISO 42001, CSA STAR AI); Render is treated as an infrastructure vendor rather than a first-party AI product, but this should be revisited if Render's 'Agents'/MCP hosting features expand into first-party AI data processing.

    // At a glance

    Pricing model

    Usage/instance-based pricing with a free tier; paid Starter/Standard/Pro instance plans plus an Organization/Enterprise workspace tier that unlocks gated compliance documents

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Render Services, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    render.com

    > Browse all vendor trust reports