Data Handling & Security

This page describes how RenderDoc handles your data throughout its lifecycle - from collection to deletion.

Security Measures

Data in Transit

All connections to RenderDoc are secured via TLS through Cloudflare:

| Protocol | Status              |
|----------|---------------------|
| TLS 1.3  | Enabled (preferred) |
| TLS 1.2  | Enabled (fallback)  |
| TLS 1.1  | Disabled            |
| TLS 1.0  | Disabled            |
| SSL      | Disabled            |

Additional protections:

  • HSTS (HTTP Strict Transport Security) enforced via Cloudflare
  • DDoS protection via Cloudflare
  • Certificate transparency logging enabled

Credential Security

All sensitive credentials are hashed before storage:

| Credential Type      | Security Measure                           |
|----------------------|--------------------------------------------|
| User passwords       | bcrypt hashed (12 rounds)                  |
| API keys             | bcrypt hashed (never stored in plain text) |
| OAuth access tokens  | Hashed before storage                      |
| OAuth refresh tokens | Hashed before storage                      |
Info: We never store passwords or API keys in plain text. Once created, you cannot retrieve the full API key - only the first and last 4 characters are displayed in the dashboard.

Infrastructure Security

RenderDoc uses a multi-cloud infrastructure with managed security:

| Component             | Provider      | Security                          |
|-----------------------|---------------|-----------------------------------|
| Database (PostgreSQL) | Railway       | Encrypted at rest (storage-level) |
| Cache (Redis)         | Railway       | TLS connections                   |
| File Storage          | Cloudflare R2 | Encrypted at rest                 |
| CDN/WAF               | Cloudflare    | TLS 1.3, DDoS protection          |
Info: Database encryption at rest is provided by Railway's infrastructure at the storage level. Application-level encryption is not implemented in the RenderDoc codebase - we rely on infrastructure providers for encryption.

API Key Security

API keys are handled securely:

  • Keys are generated using cryptographically secure random number generators
  • Only the first and last 4 characters are displayed in the dashboard
  • Keys are hashed before storage (you cannot retrieve the full key after creation)
  • Keys can be scoped to specific permissions

Data Retention

RenderDoc implements a three-tier data retention system designed to balance functionality with data minimization and GDPR compliance:

Retention Tiers

| Tier            | Period     | Description                                 |
|-----------------|------------|---------------------------------------------|
| Full Logs       | 30 days    | Complete document job logs with all details |
| Archived Data   | 5 years    | Basic records without PII for compliance    |
| Daily Summaries | Indefinite | Aggregated analytics per team/template      |

Full Log Retention (30 Days)

During the first 30 days, full data is available including:

  • Complete job metadata
  • Template and variable information
  • Detailed generation data (processing time, file size)
  • Full job details

Archived Data (5 Years)

After 30 days, data is archived with the following changes:

  • Variable data is removed (GDPR compliance; no PII is stored)
  • Basic metrics preserved (generation count, status, error category)
  • Template and batch references maintained
Info: Archived records cannot be used for retry operations since variable information is not preserved.

Daily Summaries (Indefinite)

Aggregated analytics are kept indefinitely:

  • Volume metrics (generated, failed, etc.)
  • Success rates
  • Error category breakdowns
  • Template performance comparisons

Retention Periods by Data Type

| Data Type            | Full Data | Archived Data | Summary Data |
|----------------------|-----------|---------------|--------------|
| Document job logs    | 30 days   | 5 years       | Indefinite   |
| Webhook events       | 30 days   | -             | -            |
| Generated PDFs/Excel | 30 days   | -             | -            |
| Audit logs           | 2 years   | -             | -            |
| Soft-deleted records | 30 days   | -             | -            |

Archive Process

The archiving process runs daily at 2:30 AM UTC:

  1. Summary Update: Daily summaries are updated from live data
  2. Data Archive: Records older than 30 days are moved to archive tables
  3. PII Removal: Variable data and detailed information are removed
  4. Cleanup: Original full records are deleted

What Happens at Expiration

When data reaches its retention limit:

  1. Archive First: Data is archived with PII removed (document job logs)
  2. Soft Delete: Data is marked as deleted but retained for 30 days
  3. Hard Delete: Data is permanently removed from primary storage
  4. Backup Purge: Backups containing the data expire per backup schedule
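
The archive and expiration steps above, carried through as an added example that is not RenderDoc's code. It models the three tiers with in-memory arrays: full job logs, a PII-free archive built by copying only the fields that are kept, and daily summaries, plus soft and hard deletion shown for templates. All field names, the sample jobs and the 5 * 365 day approximation of five years are constructed for the example.

```javascript
// Added example, not RenderDoc's code: a model of the retention pipeline this
// page describes. Full job logs live 30 days and are then reduced to PII-free
// archive records kept 5 years, daily summaries are kept indefinitely, and
// soft-deleted records are hard-deleted after 30 days (shown here for
// templates). Field names and sample records are constructed for the example.
const DAY_MS = 24 * 60 * 60 * 1000;
const FULL_LOG_DAYS = 30;
const SOFT_DELETE_DAYS = 30;
const ARCHIVE_DAYS = 5 * 365; // approximation of "5 years" for the example

const ageInDays = (date, now) => (now.getTime() - date.getTime()) / DAY_MS;

// Step 1 (Summary Update): fold jobs not yet counted into per-day, per-team,
// per-template aggregates. The flag keeps the daily run idempotent.
function updateSummaries(db) {
  for (const job of db.jobs) {
    if (job.summarised) continue;
    const key = `${job.createdAt.toISOString().slice(0, 10)}|${job.teamId}|${job.templateId}`;
    const s = db.summaries.get(key) || { generated: 0, failed: 0, errorCategories: {} };
    if (job.status === 'completed') s.generated += 1;
    else {
      s.failed += 1;
      const cat = job.errorCategory || 'unknown';
      s.errorCategories[cat] = (s.errorCategories[cat] || 0) + 1;
    }
    db.summaries.set(key, s);
    job.summarised = true;
  }
}

// Step 3 (PII Removal) by construction: copy only the fields the archive keeps.
// Variables and detailed generation data are never copied, so a PII field added
// to jobs later cannot leak into the archive by default.
function toArchiveRecord(job, now) {
  return {
    id: job.id, teamId: job.teamId, templateId: job.templateId,
    batchId: job.batchId || null, status: job.status,
    errorCategory: job.errorCategory || null, createdAt: job.createdAt, archivedAt: now,
  };
}

// Steps 2 and 4 (Data Archive, Cleanup), expiry of the archive itself, and hard
// deletion of templates whose soft-delete grace period has passed.
function runDailyArchive(db, now) {
  updateSummaries(db);
  const moved = [];
  db.jobs = db.jobs.filter((job) => {
    if (ageInDays(job.createdAt, now) <= FULL_LOG_DAYS) return true;
    db.archive.push(toArchiveRecord(job, now));
    moved.push(job.id);
    return false; // the full record, and with it the variable data, is dropped
  });
  db.archive = db.archive.filter((a) => ageInDays(a.createdAt, now) <= ARCHIVE_DAYS);
  db.templates = db.templates.filter(
    (t) => !t.deletedAt || ageInDays(t.deletedAt, now) <= SOFT_DELETE_DAYS,
  );
  return moved;
}

// Soft delete: mark now; a later daily run hard-deletes after 30 days.
function softDeleteTemplate(db, id, now) {
  const t = db.templates.find((x) => x.id === id && !x.deletedAt);
  if (t) t.deletedAt = now;
  return Boolean(t);
}

// Retry needs the original variables, which only the full-log tier holds.
function retryJob(db, id) {
  const job = db.jobs.find((j) => j.id === id);
  if (job) return { ok: true, variables: job.variables };
  if (db.archive.some((a) => a.id === id)) {
    return { ok: false, reason: 'archived records have no variable data' };
  }
  return { ok: false, reason: 'not found' };
}

// Constructed sample data: a fresh job, one past the 30-day window, and an
// archive record older than 5 years.
function sampleDb() {
  return {
    jobs: [
      { id: 'job-1', teamId: 'team-a', templateId: 'invoice', status: 'completed',
        createdAt: new Date('2025-06-10T09:00:00Z'),
        variables: { customerEmail: 'alice@example.com', total: 120.5 } },
      { id: 'job-2', teamId: 'team-a', templateId: 'invoice', status: 'failed',
        errorCategory: 'template_error', createdAt: new Date('2025-04-20T09:00:00Z'),
        variables: { customerEmail: 'bob@example.com', total: 80 } },
    ],
    archive: [
      { id: 'job-0', teamId: 'team-a', templateId: 'invoice', status: 'completed',
        createdAt: new Date('2019-01-01T00:00:00Z'), archivedAt: new Date('2019-02-01T00:00:00Z') },
    ],
    templates: [{ id: 'invoice', name: 'Invoice' }],
    summaries: new Map(),
  };
}
```

The PII removal step is an allow-list rather than a scrub: toArchiveRecord names every field the archive keeps, so anything not named, including fields that do not exist yet, stays out. That is also why retryJob has to refuse archived records, exactly as the note above says.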

Data Deletion

GDPR Data Removal Request

If you want your data removed, you can submit a data removal request:

  1. Visit app.renderdoc.dev/data-removal
  2. Enter your email address
  3. Choose your removal type:
    • Delete All: Permanently delete all associated data
    • Anonymize: Replace PII with anonymous data
    • Export & Delete: Get a copy before deletion
  4. Verify your email by clicking the link we send
  5. Our team processes requests within 30 days
Info: Data removal requests are processed for users. If you want to delete your RenderDoc account, see the Account Deletion section below.

What Gets Removed

When a data removal request is processed:

| Data Type         | Action                           |
|-------------------|----------------------------------|
| User account data | Deleted                          |
| Team membership   | Removed                          |
| Activity logs     | Anonymized                       |
| Document job logs | Already anonymized after 30 days |

Status Tracking

You can check your request status at app.renderdoc.dev/data-removal/status.

| Status     | Meaning                              |
|------------|--------------------------------------|
| Pending    | Awaiting email verification          |
| Verified   | In queue for processing              |
| Processing | Currently being processed            |
| Completed  | All data has been removed            |
| Rejected   | Request could not be fulfilled       |
| Expired    | Verification link expired (24 hours) |

Automatic Deletion

RenderDoc automatically deletes:

  • Generated documents after 30 days
  • Soft-deleted records after 30 days
  • Document job logs (archived after 30 days, deleted after 5 years)
  • Expired OAuth tokens and authorization codes

Manual Deletion

You can manually delete data via:

API:

# Delete a specific document job
DELETE /api/v1/documents/jobs/:id

# Bulk delete document jobs
DELETE /api/v1/documents/jobs/bulk

Dashboard:

  • Go to Document Logs → Select jobs → Delete
  • Go to Templates → Select template → Delete

Account Deletion

To delete your entire account and all associated data:

  1. Go to Settings → Account → Delete Account
  2. Confirm your identity
  3. Enter "DELETE" to confirm
  4. All data is scheduled for deletion within 30 days
Warning: Account deletion is irreversible. All templates, logs, and data will be permanently deleted.

Access Controls

Role-Based Access Control (RBAC)

RenderDoc implements RBAC at the team level:

| Role   | Permissions                               |
|--------|-------------------------------------------|
| Owner  | Full access, billing, team deletion       |
| Admin  | Manage members, API keys, templates       |
| Member | Create/edit templates, generate documents |
| Viewer | Read-only access to logs and analytics    |

API Key Permissions

API keys can be scoped to specific permissions:

  • documents:generate - Generate documents
  • documents:read - Read document job logs
  • templates:read - Read templates
  • templates:write - Create/edit templates
  • analytics:read - Access analytics
  • webhooks:manage - Manage webhook subscriptions
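
Deny-by-default enforcement of the scopes listed above, as an added example that is not RenderDoc's code. The scope names are the page's; the route table, which scope each route needs, the request shape and the function names are assumptions made for the example.

```javascript
// Added example, not RenderDoc's code: deny-by-default scope enforcement for
// the API key permissions listed on this page. The scope names are the page's;
// the routes and which scope each one needs are assumptions for the example.
// Keys are modelled as { keyId, scopes } records.
const KNOWN_SCOPES = new Set([
  'documents:generate', 'documents:read', 'templates:read',
  'templates:write', 'analytics:read', 'webhooks:manage',
]);

// Route table (constructed): each entry names the one scope it needs. There is
// no implication between scopes: templates:write does not grant templates:read.
const ROUTES = [
  { method: 'POST', pattern: /^\/api\/v1\/documents\/generate$/,        scope: 'documents:generate' },
  { method: 'GET',  pattern: /^\/api\/v1\/documents\/jobs(\/[^/]+)?$/,  scope: 'documents:read' },
  { method: 'GET',  pattern: /^\/api\/v1\/templates(\/[^/]+)?$/,        scope: 'templates:read' },
  { method: 'PUT',  pattern: /^\/api\/v1\/templates\/[^/]+$/,           scope: 'templates:write' },
  { method: 'GET',  pattern: /^\/api\/v1\/analytics(\/.*)?$/,           scope: 'analytics:read' },
  { method: 'POST', pattern: /^\/api\/v1\/webhooks(\/.*)?$/,            scope: 'webhooks:manage' },
];

// At key creation: reject unknown or duplicate scopes instead of silently
// dropping them, so a typo cannot yield a key with rights the operator did
// not intend. Returns the normalised scope list.
function validateScopes(requested) {
  if (!Array.isArray(requested) || requested.length === 0) {
    throw new Error('a key needs at least one scope');
  }
  const seen = new Set();
  for (const scope of requested) {
    if (!KNOWN_SCOPES.has(scope)) throw new Error(`unknown scope: ${scope}`);
    if (seen.has(scope)) throw new Error(`duplicate scope: ${scope}`);
    seen.add(scope);
  }
  return [...seen];
}

// Which scope a request needs; null when no route matches, which is a denial.
function requiredScope(method, path) {
  const route = ROUTES.find((r) => r.method === method && r.pattern.test(path));
  return route ? route.scope : null;
}

// The authorisation decision. A structured result lets the caller answer 403
// and write an audit event that carries the same reason.
function authorize(key, method, path) {
  const scope = requiredScope(method, path);
  if (!scope) return { allowed: false, reason: 'no route for request', required: null };
  if (!key.scopes.includes(scope)) {
    return { allowed: false, reason: `missing scope ${scope}`, required: scope };
  }
  return { allowed: true, reason: 'ok', required: scope };
}
```

Two properties matter here for the "minimum required permissions" advice later on this page: a request that matches no route is denied rather than waved through, and a key holding templates:write still cannot read templates unless templates:read was granted explicitly.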

OAuth Scopes

Third-party applications access your data through OAuth with explicit scopes:

| Scope              | Access Granted                    |
|--------------------|-----------------------------------|
| documents:generate | Generate documents on your behalf |
| documents:read     | Read your document job logs       |
| templates:read     | Read your templates               |
| templates:write    | Create and modify templates       |
| webhooks:read      | Read webhook configurations       |
| webhooks:write     | Manage webhook subscriptions      |
| analytics:read     | Read analytics data               |
| profile:read       | Read basic profile information    |

Audit Logging

RenderDoc maintains audit logs for security-sensitive operations:

Logged Events

| Event Category  | Examples                                           |
|-----------------|----------------------------------------------------|
| Authentication  | Login, logout, password change, 2FA enable/disable |
| API Keys        | Create, revoke, update permissions                 |
| Team Management | Member invite, role change, removal                |
| Data Access     | Template export, job log export                    |
| OAuth           | App authorization, token revocation                |
| Settings        | Retention changes, billing updates                 |

Accessing Audit Logs

Audit logs are available to team Owners and Admins:

  • Dashboard: Settings → Activity Log
  • API: GET /api/teams/:teamId/activity

Log Retention

Audit logs are retained for 2 years and cannot be deleted manually. This ensures accountability and supports incident investigation.

Data Processing

Where Data is Processed

| Process        | Provider      | Region |
|----------------|---------------|--------|
| API requests   | Railway       | US     |
| Database       | Railway       | US     |
| PDF generation | Railway       | US     |
| File storage   | Cloudflare R2 | US     |

Data Flow

  1. API Request: Your request arrives via HTTPS at our API servers
  2. Validation: Input is validated and sanitized
  3. Processing: Document is queued for generation
  4. Generation: PDF/Excel generated via PDFKit/ExcelJS
  5. Logging: Generation status logged for tracking
  6. Cleanup: Temporary files deleted after generation

Backups & Recovery

Backup Schedule

| Backup Type            | Frequency  | Retention |
|------------------------|------------|-----------|
| Database snapshots     | Daily      | 30 days   |
| Point-in-time recovery | Continuous | 35 days   |
| Configuration backups  | Weekly     | 90 days   |

Disaster Recovery

  • RTO (Recovery Time Objective): < 4 hours
  • RPO (Recovery Point Objective): < 1 hour
  • Infrastructure: Railway managed PostgreSQL with automated backups

Data Recovery Requests

If you accidentally delete data, contact [email protected] within the retention period. Recovery may be possible from backups depending on timing.

Third-Party Data Sharing

We Do Not Sell Data

RenderDoc does not sell, rent, or trade your data to third parties.

Service Providers

We share data with service providers only as necessary to operate the service:

| Provider      | Purpose                          | Data Shared                       |
|---------------|----------------------------------|-----------------------------------|
| Railway       | Infrastructure (DB, API)         | All data (encrypted at rest)      |
| Cloudflare    | CDN, WAF, DNS, File Storage (R2) | Request metadata, generated files |
| Lemon Squeezy | Payments                         | Billing info (not stored by us)   |

We may disclose data if required by law, court order, or to protect our rights. We will notify you unless legally prohibited.

Security Best Practices for Users

  1. Rotate API keys regularly (at least every 90 days)
  2. Use scoped API keys with minimum required permissions
  3. Enable 2FA for dashboard access
  4. Review connected OAuth apps periodically
  5. Monitor your document logs for unusual activity
  6. Use strong passwords (16+ characters, unique)

What to Do If Compromised

If you suspect your account or API key is compromised:

  1. Immediately revoke the compromised API key
  2. Change your password
  3. Revoke all OAuth authorizations
  4. Review recent activity in audit logs
  5. Contact support at [email protected]