    Security Overview

    Last updated May 7, 2026 · Effective immediately

    In short: Defense in depth across data, network, and application layers. Built on audited infrastructure (Supabase, Cloudflare, Vercel, Render.com) with Row-Level Security on every multi-tenant table.

    Data protection

    • Encryption in transit: TLS 1.2+ on every public endpoint.
    • Encryption at rest: AES-256 (Supabase, Cloudflare, hosting providers).
    • Row-Level Security: enforced on every multi-tenant Postgres table, so a user can read or modify only the rows they own. The Supabase service-role key bypasses RLS, which is why it is confined to server-side code (see Application security below).
    • Hashed API keys: project API keys are stored only as SHA-256 hashes. The full key is shown once, at creation; afterwards only the hash and a short key prefix (for identification) are retained, so reading the database does not yield a usable key.
    • Hashed IP addresses: IPs used for rate-limiting and abuse prevention are stored as SHA-256 hashes — raw IPs are not retained in application tables.

    Application security

    • Authentication is handled by Supabase Auth using PKCE OAuth flows; passwords are bcrypt-hashed by Supabase.
    • Edge functions use service-role credentials only server-side; the browser only ever sees the publishable anon key, whose access is constrained by Row-Level Security.
    • Redirect targets and outbound fetch URLs in the sitemap/visibility tools are strictly validated server-side to prevent SSRF.
    • HTML rendered in user-generated docs is sanitised; only safe URL schemes are permitted in links.
    • Continuous automated dependency scanning; high/critical CVEs are remediated promptly.

    Network & infrastructure

    • Cloudflare in front of customer traffic provides DDoS mitigation and WAF.
    • The Puppeteer renderer runs with bounded concurrency (3–6) and request deduplication.
    • The renderer marks its own fetches with an X-RenderBeam-Skip header so that they are never routed back into the renderer, which prevents infinite render loops.
    • The system is designed to fail open: if any component is unavailable, traffic falls through to the customer's origin, so human visitors are never blocked (crawlers then receive the origin's unrendered response rather than an error).
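    The loop guard and fail-open behaviour described above, as an added illustration in Node.js (not RenderBeam's code). Only the header name comes from this page; the crawler user-agent list, the timeout, the header value and the `routeFor`/`handle` names are assumptions made for the example. The origin and renderer fetches are injected so the routing logic can be exercised offline.

```javascript
'use strict';
// Edge-side routing for a prerender proxy: send crawler requests to the
// renderer, pass everything else (and anything the renderer itself fetches)
// straight to the origin, and fall open to the origin on any renderer failure.
const SKIP_HEADER = 'x-renderbeam-skip';            // header name from the security overview
const CRAWLER_UA = /googlebot|bingbot|duckduckbot|yandexbot|baiduspider|facebookexternalhit|twitterbot|linkedinbot/i; // assumed list
const RENDER_TIMEOUT_MS = 8000;                      // assumed budget

// Reject a promise if it does not settle within `ms`.
function withTimeout(promise, ms) {
  let timer;
  const timeout = new Promise((_, reject) => {
    timer = setTimeout(() => reject(new Error(`renderer timeout after ${ms} ms`)), ms);
  });
  return Promise.race([promise, timeout]).finally(() => clearTimeout(timer));
}

// Decide where a request goes: 'origin' (pass through) or 'render'.
// The skip header is the loop guard: when the renderer fetches the customer's
// page, that fetch carries the header, so it must not be handed back to the
// renderer, which would otherwise render a page that is itself being rendered.
function routeFor(req) {
  if (req.headers.get(SKIP_HEADER) !== null) return 'origin';
  if (req.method !== 'GET') return 'origin';
  if (!CRAWLER_UA.test(req.headers.get('user-agent') || '')) return 'origin';
  return 'render';
}

// Headers the renderer attaches to its own upstream fetch of the customer's page.
function rendererFetchHeaders(originalUserAgent) {
  return { [SKIP_HEADER]: '1', 'user-agent': originalUserAgent };
}

// Edge handler. `originFetch` and `renderFetch` are injected so the logic runs
// offline. Any renderer failure (timeout, thrown error, non-2xx) falls open to
// the origin: the crawler gets unrendered HTML rather than an error page.
async function handle(req, { originFetch, renderFetch, timeoutMs = RENDER_TIMEOUT_MS, log = () => {} }) {
  if (routeFor(req) === 'origin') return originFetch(req);
  try {
    const res = await withTimeout(renderFetch(req), timeoutMs);
    if (!res.ok) throw new Error(`renderer returned ${res.status}`);
    return res;
  } catch (err) {
    log(`render failed for ${req.url}, falling open to origin: ${err.message}`);
    return originFetch(req);
  }
}

module.exports = { SKIP_HEADER, withTimeout, routeFor, rendererFetchHeaders, handle };
```

    Failing open is an availability decision, not a security one: the only thing a renderer outage costs is rendered HTML for crawlers. The timeout matters as much as the catch block, since a hung renderer that never errors would otherwise hold crawler requests open indefinitely.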

    Operational security

    • SSO + MFA on all administrative accounts.
    • Principle of least privilege for staff access; production access is logged.
    • Audited sub-processors only (see /legal/subprocessors).
    • Backups handled by Supabase with point-in-time recovery; backup retention ≤ 35 days.

    Vulnerability disclosure

    Found a security issue? Please email security@renderbeam.com with details and a proof of concept. We commit to acknowledging reports within 72 hours and will not pursue legal action against good-faith researchers who follow responsible disclosure (no data access or exfiltration beyond what is needed to demonstrate the issue, no service disruption, and a reasonable period before public disclosure).

    Incident response

    We notify affected customers without undue delay, and in any case within 72 hours of confirming a personal data breach, as GDPR Art. 33(2) requires of a processor. The notice includes the nature of the incident, the data affected, mitigations taken, and recommended actions, so that customers can meet their own Art. 33(1) deadline with their supervisory authority.
