Skip to main content
Skip table of contents

Render Security Overview

Welcome! RENDER is the education technology innovation studio within the Chan Zuckerberg Initiative (“CZI,” “we,” “us,” and “our”). Our Education team of designers, engineers, and researchers works directly with teachers and administrators early and often in the product development process, incorporating their unique insights about learning to co-build impactful educational tools. 

This document describes our commitments about data security for Render. 

Infrastructure Security

Data Protection

Render ensures secure data transmission through HTTPS, utilizing encryption to safeguard communication between our users and the platform. To guarantee exclusively secure connections, we implement HTTP Strict-Transport-Security (HSTS), mandating HTTPS for all communications.

Data storage, including personally identifiable information (PII), leverages modern encryption techniques to protect data at rest. Our robust data backup and recovery strategy is designed for rapid restoration with minimal data loss in the event of a catastrophic failure. These backups are encrypted and stored securely in a geographically separate region from our production databases to enhance disaster recovery efforts.

Access Control

Access within Render's infrastructure is strictly regulated. We grant access solely to personnel requiring it for their specific roles, including engineers, data scientists, product managers, and support staff. Entry necessitates strong passwords and multi-factor authentication (MFA), with comprehensive logging and monitored alerting of all access events.

Built-in Protections

Our infrastructure benefits from automated monitoring systems that alert us to available patches, system updates, and security enhancements. Our dedicated engineering and security teams promptly review and apply these updates, ensuring our tools and infrastructure remain up-to-date and secure.

Proactive Blocking

We utilize AWS Guard Duty for continuous monitoring, threat detection, and alerts, enabling our specialized teams to quickly evaluate and respond to potential threats. Complementing this, AWS Web Application Firewall (WAF) provides an essential layer of protection against web-based attacks by allowing us to implement customized rules to block harmful traffic. Together, Guard Duty's advanced threat detection capabilities and WAF's targeted defense mechanisms form a robust security posture, safeguarding our users and applications from a wide range of security threats, from sophisticated network attacks to common web exploits.

Physical Security

Render's infrastructure is hosted on Amazon Web Services (AWS), which enforces premier physical security measures. These include round-the-clock security personnel, video surveillance, and perimeter intrusion detection systems, all of which undergo regular audits by third-party assessors. For more information on AWS's physical security measures, visit their security page.

Application Security

Authentication

Render adopts Single Sign-On (SSO) through reputable identity providers such as Google and Canvas. This approach allows users to leverage their institution's password management policies, including multi-factor authentication (MFA), enhancing security and user convenience.

Access Control

Our application is built on robust authorization policies to ensure data is accessible only by verified entities. For example, only a student's authorized teacher has the ability to view and interact with their data. Access for Render staff is carefully regulated, restricting data access solely to what is essential for performing their job duties. We adhere to Standard Operating Procedures (SOPs) for the secure handling of sensitive data and diligently log all access activities.

Browser Security

Render employs an up-to-date Content Security Policy (CSP) to block unauthorized JavaScript execution. We also implement standard defenses against Cross-Site Request Forgery (CSRF) to further secure the browser environment.

Secure Software Development Lifecycle (SDLC)

From inception, our systems are designed with a focus on privacy and security. We utilize both manual and automated processes to uncover vulnerabilities, incorporating mandatory code reviews, automated source code analysis, dependency scanning, and regular external security assessments. Our Vulnerability Disclosure Program encourages security researchers to report vulnerabilities responsibly to security@buildwithrender.org.

Security Governance and Policies

Incident Response

Render has a structured process for addressing suspicious or abnormal activities potentially affecting security. Our engineering and security teams operate on-call rotations, ensuring availability to tackle such issues promptly. Following an incident, we conduct thorough post-incident reviews to extract learnings and implement necessary enhancements, aiming to prevent recurrence.

Underlying Infrastructure

Our infrastructure is powered by Amazon Web Services (AWS), which consistently meets rigorous security standards through external audits. AWS's adherence to standards such as ISO 27001, SOC 2, PCI DSS Level 1, and FISMA is detailed in their Compliance Programs, underscoring their commitment to security excellence.

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.