Where is my data stored, and is it secure?

Yes, your data is secure, and is always stored by you. When a query (eg. "get all users") is run, the Retool backend proxies the request to the database, applying the credentials server-side. None of the data returned by your database is stored on our end. We do this because having the end-user's browser connect directly to your database would expose credentials and require you to whitelist every user individually, rather than just the Retool server.

We also have an on-premise version of Retool that you can deploy yourself, in your own VPC, on your own VPS. That way, you are fully in control of the Retool instance, and your data never leaves your VPC.

What's the on-premise version like?

You deploy it via Docker or Kubernetes on a Linux machine. The whole process takes around 15 minutes, and involves running 5 commands.

If you're subject to additional forms of compliance (eg. HIPAA, SOC2, PCI, etc.), we also have an on-premise version of Retool that is airgapped. It doesn't require any inbound nor outbound network connections, stores no analytics, and doesn't ping a licensing server. Contact us if you'd like to use it.

What do you do to keep Retool secure?

Security affects everything we do at Retool. We are SOC 2 Type 2 compliant and we:

  • Force HTTPS on all connections, so data in-transit is encrypted with TLS 1.2.
  • Encrypt all database data at-rest with AES-256.
  • Host all servers in the US, in data centers that are SOC 1, SOC 2 and ISO 27001 certified. Our data centers have round-the-clock security, fully redundant power systems, two-factor authentication and physical audit logs.
  • Regularly conduct external penetration tests from third-party vendors.
  • Regularly conduct security awareness training sessions with all employees.
  • Maintain detailed audit logs of all internal systems.
  • Have a bug bounty program, in order to work with security researchers when they identify potential security vulnerabilities. We promptly respond to all reports.

For on-premise, air-gapped deployments, we are physically unable to access data, analytics, or anything else related to your Retool instance.

How does Retool secure the on-premise version?

Retool's on-premise version ships as a Docker image. Here are some of the ways we secure our software:

  • Whenever we build a new on-premise Retool image, we pull the latest upstream version of Debian (our base operating system image) with the latest security patches.
  • We configure the Retool on-premise image with the Debian unattended-upgrades package: every day, a running Retool on-premise pulls the latest security patches. Retool users do not need to upgrade Retool to receive OS security updates.
  • We run multiple vulnerability scanners to triage and track security issues in our dependencies.

What sort of data does Retool store?

Only metadata concerning your usage, such as:

  • Page view (url of page)
  • Query save (type of query, name of query)
  • Component creation (type of component)
  • Query preview (type of query, name of query)
  • Adding a resource (type of resource, name of resource)
  • Users (emails, number of authorized seats, etc.)

(More about network requirements)

I found a security-related bug in Retool. What do I do?

Please contact Retool's security team, via email at security<at> We welcome reports from end users, security researchers, and anyone else!

Did this page help you?