Retool takes security seriously. Our cloud infrastructure is hosted in US data centers that are SOC 1, SOC 2, and ISO 27001 certified. Our data centers have round-the-clock security, fully redundant power systems, two-factor authentication, and physical audit logs.

We also have an Self-hosted version of Retool that you can deploy yourself, in your own VPC, on your own VPS. That way, you are fully in control of the Retool instance, and your data never leaves your VPC.

Security practices

Security affects everything we do at Retool. We are SOC 2 Type 2 compliant and we:

  • Force HTTPS on all connections, so data in-transit is encrypted with TLS 1.2.
  • Encrypt all database data at-rest with AES-256.
  • Host all servers in the US, in data centers that are SOC 1, SOC 2 and ISO 27001 certified. Our data centers have round-the-clock security, fully redundant power systems, two-factor authentication and physical audit logs.
  • Regularly conduct external penetration tests from third-party vendors.
  • Regularly conduct security awareness training sessions with all employees.
  • Maintain detailed audit logs of all internal systems.
  • Have a bug bounty program, in order to work with security researchers when they identify potential security vulnerabilities. We promptly respond to all reports.

Data storage and security

Retool does not store any of your externally-connected data unless you enable query caching.

When a query is run, Retool proxies the request to the database and applies the credentials server-side. We do this because having the end-user's browser connect directly to your database would expose credentials and require you to allow every user individually, rather than just the Retool server.

If you enable query caching for a query, data is temporarily cached by Retool for the specified cache duration. You can invalidate a query's cache—or disable query caching entirely—at any time.

Provisioned data sources

For provisioned databases hosted on Retool, such as Retool Database, we store data in a Postgres cluster managed by our cloud provider.

  • The cluster is accessible by only our servers using the same stringent security applied to our external database connections.
  • End-user data may be colocated on a single Postgres instance—reach out if you are interested in having a dedicated Postgres instance.
  • Connection credentials are auto-generated using a cryptographically-strong random number generator and is stored encrypted at rest, the same as all resource credentials in Retool.
  • Backups of this cluster are stored for seven days in the event of a catastrophic failure.

Usage data stored by Retool

Retool stores metadata only related to your usage, such as:

  • Page view (url of page)
  • Query save (type of query, name of query)
  • Component creation (type of component)
  • Query preview (type of query, name of query)
  • Adding a resource (type of resource, name of resource)
  • Users (emails, number of authorized seats, etc.)

Self-hosted Retool storage and security

You deploy Self-hosted Retool using Docker or Kubernetes on a Linux machine. The whole process takes around 15 minutes. Here are some of the ways we secure our software:

  • Whenever we build a new on-premise Retool image, we pull the latest upstream version of Debian (our base operating system image) with the latest security patches.
  • We configure the Retool on-premise image with the Debian unattended-upgrades package: every day, a running Retool on-premise pulls the latest security patches. Retool users do not need to upgrade Retool to receive OS security updates.
  • We run multiple vulnerability scanners to triage and track security issues in our dependencies.

Learn more about Self-hosted Retool network requirements.

Reporting security bugs or concerns

Please contact Retool's security team, via email at security<at> We welcome reports from end users, security researchers, and anyone else!