Security at Rendaero

How we protect customer data — infrastructure, encryption, access, monitoring, and the responsible-disclosure program for researchers.

🔒

Encryption everywhere

TLS 1.2+ in transit, AES-256 at rest. No exceptions.

🛡

SOC 2 Type II in progress

Audit window started Q1 2026. Report available under NDA on request.

⚡

24h SLA on incidents

Security incidents acknowledged within 24 hours, resolved fast.

Infrastructure

Rendaero runs on AWS in the us-west-2 region. We use managed services (RDS, S3, ECS Fargate) so vendor-managed patching and security baselines are applied automatically. Production is isolated from development and staging — separate AWS accounts, separate VPCs, separate IAM roles.

Encryption

  • In transit — TLS 1.2 or higher for all customer-facing endpoints. HSTS enforced. Internal service-to-service traffic over mTLS within a private VPC.
  • At rest — AES-256 on all stored data (databases, object storage, backups). Keys managed by AWS KMS with rotation enabled.
  • Secrets — credentials and API keys stored in AWS Secrets Manager, never in source control or environment files committed to git.

Access controls

Production access follows the principle of least privilege. Engineers get short-lived credentials via SSO, scoped to the specific resources they need. All production sessions are logged and reviewed quarterly.

  • SSO required for all employee accounts (Google Workspace + WebAuthn).
  • MFA enforced on every customer-facing application.
  • Customer accounts support role-based access (admin, operator, read-only) on all paid plans; SSO available on the Scale plan.

Application security

  • Dependency scanning on every PR (Dependabot + Snyk).
  • Static analysis (Semgrep) for known vulnerability classes.
  • Manual security review for changes touching auth, billing, or data export.
  • Annual third-party penetration test; summary available on request.

Monitoring and detection

We collect application logs, infrastructure metrics, and audit trails into a centralized observability stack. Alerts fire to an on-call rotation 24/7 for anomalous auth activity, error-rate spikes, and infrastructure degradation. We retain logs for at least 12 months.

Backups and disaster recovery

Production databases are backed up continuously with point-in-time recovery for 30 days. Object storage is versioned with 90-day retention. We rehearse restore procedures quarterly. Targeted RTO is 4 hours; targeted RPO is 15 minutes.

Compliance

  • SOC 2 Type II — audit window started Q1 2026; report available under NDA when complete.
  • GDPR / UK GDPR — DPA available for EU/UK customers; we serve as data processor.
  • CCPA / CPRA — California consumer rights honored; see our Privacy Policy.
  • HIPAA — not in scope; do not upload PHI to Rendaero.

Incident response

If we detect or are notified of a security incident, we acknowledge within 24 hours, contain immediately, investigate root cause, and notify affected customers without undue delay (and within any timeframes required by law). Post-incident write-ups are shared with affected accounts.

Responsible disclosure

If you believe you've found a security vulnerability in Rendaero, please report it to security@rendaero.com. We commit to:

  • Acknowledge your report within 2 business days.
  • Provide a status update within 7 business days.
  • Work in good faith with you to investigate and remediate.
  • Not pursue legal action against researchers acting in good faith and within the scope below.

Scope

In scope: rendaero.com and all subdomains; mobile or desktop clients we publish.

Out of scope: social-engineering attacks against employees or customers, physical security, denial-of-service attacks, third-party services we integrate with (report those upstream).

Subprocessors

A current list of subprocessors and their roles is available in our Privacy Policy. We notify customers of material changes to the subprocessor list at least 30 days in advance.

Contact

Security questions, vulnerability reports, or compliance inquiries: security@rendaero.com. Our PGP key is available on request.