Security & Trust

How we keep your dashboards and data safe.

Rendr builds and runs systems that sit close to safety, compliance, and money. Security is not something we add at the end – it's part of how we design and operate dashboards and integrations from day one.

Our Approach

Security in plain language

We keep things simple on purpose: clear responsibilities, sensible layers of protection, and honest communication when something goes wrong.

Clear responsibilities

You know what we manage, what you manage, and where the boundaries are.

Sensible layers

Protection at multiple levels - identity, network, application, and data.

Honest communication

When something goes wrong, you hear it from us first - not last.

The fundamentals

Our approach in plain language

These five areas cover the core of how we think about security across every project we deliver.

1

Who can get in

  • We connect to your existing sign-in setup wherever possible (e.g. Microsoft 365 / Entra ID)
  • Your own identity provider controls who can log in
  • Multi-factor authentication can be required at your end
  • People only get access to what they need for their role
2

How data is stored and sent

  • Data is encrypted when it is stored
  • Data is encrypted when it moves between systems
  • For hosted systems, environments are separated so issues in one area do not spill into another
3

How we handle important keys and passwords

  • API keys and passwords are kept in secure storage, not in code or spreadsheets
  • Keys are rotated regularly and when staff or vendors change
  • Access to these secrets is logged so we know who used what, and when
4

How the software behaves

  • We check and validate what comes into the system instead of trusting it blindly
  • We put limits on how quickly an API can be called to reduce abuse and accidents
  • Sensitive actions (like changing roles or exporting data) are written to an audit log
5

How the infrastructure is set up

  • Systems run inside private networks, not directly on the open internet
  • Only a small number of well-defined entry points are exposed
  • We avoid unnecessary sharing of infrastructure between unrelated clients

Operations

Monitoring, incidents, and recovery

Keeping an eye on things

  • Logs from the systems we manage are collected in one place
  • Alerts are raised when something looks wrong (e.g. repeated failures, unusual activity)
  • We review these alerts and either fix the issue or decide it is safe to ignore with a reason

When something goes wrong

  • We aim to notice problems quickly, not hear about them only from end users
  • Someone is clearly responsible for owning the incident and keeping you updated
  • We focus first on stopping the bleeding, then on understanding what happened
  • After major incidents, we do a short review to reduce the chance of it happening again

Backups and recovery

  • Data is backed up regularly
  • For key systems, we can restore to a point in time
  • We test restores for important systems so we do not discover issues during an emergency

Integrations

How we secure integrations

A lot of risk sits around integrations, because they join different systems together. We treat them with the same care as the dashboards themselves.

Logins and access to third-party systems

  • We use the official, recommended method (e.g. OAuth) where available
  • We ask only for the access we need, not "full admin"
  • Keys and tokens are kept in secure storage and rotated on a schedule

Webhooks and callbacks

  • We verify that callbacks really come from the expected system, not from an unknown server
  • We protect against replayed or duplicated messages
  • We apply sensible rate limits so one misconfigured system cannot overload another

Handling API changes

  • We pin to known API versions where possible
  • We add tests around important integrations so we notice breaking changes early
  • Changes are rolled out through your care plan, with a way to roll back if something misbehaves

Shared responsibility

Security works best when it is clear who looks after which parts

Rendr looks after

  • The dashboards and integrations we design and build
  • The cloud infrastructure we manage for you (where applicable)
  • Patching and updating the software we deliver
  • Monitoring, logging, and responding to issues in those systems

You look after

  • Which people in your organisation get access, and what they can see
  • How your laptops, desktops, and mobile devices are secured
  • Your internal policies for using and sharing data
  • Identity provider settings such as password rules and MFA

In short: We keep the platform and data flows secure and healthy. You control who uses them and how your organisation handles data.

Compliance

Compliance and reviews

Our security practices are shaped by well-known frameworks such as the Australian Essential Eight, SOC 2, and ISO/IEC 27001, but we explain them in plain language and in the context of your deployment.

If you need to go deeper, we can:

  • Complete security questionnaires
  • Provide written summaries of our controls and architecture diagrams
  • Join calls with your security, IT, or risk teams to walk through how a deployment will work

Let's talk security

Talking about security

Security questions usually come up early in a project and again before go-live. We expect that, and we're happy to talk through:

  • Where your data will live
  • Who can access what
  • How incidents and vulnerability reports are handled

If you have specific security or compliance needs, we can usually shape the deployment and operating model to match your organisation's standards.

Get in Touch