Yes, your data is secure, and is always stored by you. When a query (eg. "get all users") is ran, the Retool backend proxies the request to the database. We do this because the end-user's browser cannot connect directly to your database. None of the data returned by your database is stored. This is how all hosted analytics services work.
We also have an on-premise version of Retool that you can deploy yourself, in your own VPC, on your own VPS. That way, you are fully in control of the Retool instance, and your data never leaves your VPC.
You deploy it via Docker or Kubernetes on a Linux machine. The whole process takes around 15 minutes, and involves running 5 commands.
If you're subject to additional forms of compliance (eg. HIPAA, SOC2, PCI, etc.), we also have an on-premise version of Retool that is airgapped. It doesn't require any inbound nor outbound network connections, stores no analytics, and doesn't ping a licensing server. Contact us if you'd like to use it.
Security affects everything we do at Retool. We:
- Force HTTPS on all connections, so data in-transit is encrypted with TLS.
- Encrypt all database data at-rest with AES-256.
- Host all servers in the US, in data centers that are SOC 1, SOC 2 and ISO 27001 certified. Our data centers have round-the-clock security, fully redundant power systems, two-factor authentication and physical audit logs.
- Regularly conduct external penetration tests from third-party vendors (reports available for enterprise customers).
- Regularly conduct security awareness training sessions with all employees.
- Maintain detailed audit logs of all internal systems.
- Have a bug bounty program, in order to work with security researchers when they identify potential security vulnerabilities. We respond to all reports within 24 hours from submission.
For on-premise, air-gapped deployments, we are physically unable to access data, analytics, or anything else related to your Retool instance.
Only metadata concerning your usage, such as:
- Page view (url of page)
- Query save (type of query, name of query)
- Component creation (type of component)
- Query preview (type of query, name of query)
- Adding a resource (type of resource, name of resource)
- Users (emails, number of authorized seats, etc.)