// Trust & Security Report
Render Services, Inc.
Render is a cloud application-hosting (PaaS) platform: web services, static sites, private services, background workers, cron jobs, durable workflows, managed Postgres, and a Redis-compatible key-value store, spanning a free tier up through Team/Organization and Enterprise workspace tiers with tier-gated compliance documentation.
Certifications held
6
Maturity
Growth
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on render.com“Validates an organization's security controls and their operational effectiveness via annual third-party audit. ... Pro plan and higher can access (requires NDA): SOC 2 Type 2 report”
Verify on render.com“GDPR-DPA — Protect the personal data and privacy of EU citizens for transactions that occur within EU member states”
Verify on render.com“Certified under the EU-US Data Privacy Framework including the UK extension and Swiss-US DPF”
Verify on render.com“Render supports HIPAA-enabled workspaces for organizations that process and store US health data. ... Build and scale healthcare applications on a compliant platform.”
> Show 5 unconfirmed / not-held certifications
source: render.comNo public evidence: not mentioned on Render's security, trust, or certifications pages. Render is not a payments processor (billing is handled by a third-party payment processor), so PCI DSS scope would not apply to Render's own environment.
source: render.comNo public evidence found on render.com; only ISO/IEC 27001:2022 is claimed.
source: render.comNo public evidence. Render markets itself as infrastructure for deploying agents/AI workloads, but does not claim an AI-governance certification such as ISO 42001 or CSA STAR for AI on any of its security, trust, or certifications pages.
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
Primary hosting via subprocessors AWS and GCP (United States); no explicit customer-selectable EU/other data-residency region was found in the captured pages. Render is certified under the EU-US DPF, UK extension, and Swiss-US DPF for cross-border transfer purposes.
Render is an infrastructure/PaaS provider (compute, storage, databases, workflows), not a model vendor or SaaS app that trains on user content. Its 'Agents'/'Render MCP' features are deploy targets for customers' own agent code, not a first-party AI product ingesting customer data for training. No page (security, trust, privacy, or certifications) references training AI/ML models on customer data; absence of any such claim is treated as a 'no' rather than a positive on-the-record confirmation from Render, since we could not fetch the full body text of the Privacy Policy itself.
// Security controls
DDoS protection
Built-in DDoS protection for every service, no extra configuration or add-ons
render.comAccess control
Role-based access control and unique user identification for services/resources
render.comVulnerability disclosure
Public bug bounty / VDP run via HackerOne; security contact security@render.com, abuse contact abuse@render.com
render.comSubprocessors
AWS, Google Cloud Platform, Cloudflare, ClickHouse Inc. (all United States) listed as of the captured page
render.com// Products & data scope
data: Customer application code, container images/build artifacts, environment variables and secrets, database contents (Render Postgres/Key Value), logs and metrics
Base platform: web services, static sites, private services, background workers, cron jobs, workflows. Free tier available; compliance documents are still tier-gated even for paying customers below Organization tier.
data: Same as core platform plus access to gated compliance evidence
Only Organization-tier-and-above workspaces (with an NDA) can download the SOC 2 Type II report, ISO 27001 certificate, and Render security policy; all workspaces (including free) get the SOC 3 report and GDPR DPA.
data: Protected health information (PHI) for customer healthcare applications
Marketed feature for building HIPAA-compliant apps; full BAA terms and tier requirements were not visible in the pages we could retrieve, so this remains unverified beyond Render's own marketing claim. Flag: confirm BAA availability and tier gating with Render sales before advertising HIPAA support without caveats.
// What to watch
- Compliance documents (SOC 2 Type II report, ISO 27001 certificate, security policy) are gated to Pro/Organization tier plus a signed NDA; free and lower-tier customers only get SOC 3 and the GDPR DPA. Listings should not imply that every Render customer can self-serve the full SOC 2/ISO 27001 evidence.
- Could not retrieve the full body text of Render's HIPAA feature page or Privacy Policy (fetches returned only navigation/footer scaffolding), so BAA terms and exact HIPAA tier requirements are marketing-page-level claims only, not independently confirmed from primary source text.
- A separate, unrelated third-party company named 'Render Compliance' (rendercompliance.com, a SOC 2 audit/CPA firm) surfaced in search results; this is NOT Render Services, Inc. and none of its certifications or claims were attributed to Render.com in this assessment.
- No evidence of an AI-governance certification (ISO 42001, CSA STAR AI); Render is treated as an infrastructure vendor rather than a first-party AI product, but this should be revisited if Render's 'Agents'/MCP hosting features expand into first-party AI data processing.
// At a glance
Pricing model
Usage/instance-based pricing with a free tier; paid Starter/Standard/Pro instance plans plus an Organization/Enterprise workspace tier that unlocks gated compliance documents
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Render Services, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
render.com