Retool-managed deployment security
Learn about security and restrictions for Retool-managed, self-hosted deployments.
Retool-managed, self-hosted deployments are available for invoiced customers. Contact your Retool account manager to learn more.
Retool is provided with only the access needed to manage a Retool-managed, self-hosted instance and is restricted from the customer's data and infrastructure. This limited access keeps your data private while still allowing Retool to manage your instance.
Remote access model
The Runner VM is a local agent that operates within the customer's AWS environment. Retool connects remotely to the Runner VM—with no access to any other customer infrastructure—for the sole purpose of managing the deployment.
Access restrictions
Retool uses deny-based access policies to restrict its access to only the infrastructure required for management. The instance is deployed to a dedicated AWS account, and Retool's access is restricted according to the following scopes.
Scope | Description |
---|---|
User access | No user access to the Retool application by default. Access can only be explicitly granted by the customer using a support user account. |
App-level secrets | No access to encryption keys for sensitive database columns (e.g., resource credentials and SSO secrets), JWT signing keys, and customer-provided deployment secrets. |
Data storage access | No access to customer data stores (e.g., Amazon RDS databases or Amazon S3 buckets). |
Privilege management | Identity and Access Management (IAM) policies prevent certain types of privilege escalation that could compromise Retool's deny-based access policies (e.g., creation of IAM roles with additional privileges). |
In some cases, Retool may request temporary elevated privileges within the customer's environment to resolve an issue. Such a request is made only when absolutely necessary and no other option exists. The customer has full control over each request and over whether elevated privileges are granted.
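To make the deny-based scoping concrete, the following is an added example, not Retool's actual policy and not code from this page: a constructed IAM policy document for a management role that mirrors the scopes in the table above (data stores, app-level secrets, and IAM privilege-escalation paths denied), plus a simplified evaluator applying IAM's explicit-deny-wins rule. The policy contents, the `evaluate` and `still_allowed` helpers, and the action names used in the checks are illustrative assumptions.

```python
import fnmatch

# Constructed, illustrative policy for the management role in the dedicated
# AWS account. Hypothetical: not Retool's real policy. Each Deny block maps to
# one scope from the access-restriction table.
MANAGEMENT_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        # Operational access needed to run and observe the deployment.
        {"Effect": "Allow", "Action": ["ec2:*", "ecs:*", "cloudwatch:*", "logs:*"],
         "Resource": "*"},
        # Data storage access: customer data stores stay out of reach.
        {"Effect": "Deny", "Action": ["s3:*", "rds:*", "rds-data:*"], "Resource": "*"},
        # App-level secrets: no decrypting keys or reading deployment secrets.
        {"Effect": "Deny", "Action": ["kms:Decrypt", "secretsmanager:GetSecretValue",
                                      "ssm:GetParameter*"], "Resource": "*"},
        # Privilege management: block the common IAM escalation paths.
        {"Effect": "Deny", "Action": ["iam:CreateRole", "iam:AttachRolePolicy",
                                      "iam:PutRolePolicy", "iam:CreatePolicyVersion",
                                      "iam:PassRole"], "Resource": "*"},
    ],
}


def _matches(pattern, action):
    # IAM action matching is case-insensitive and supports '*' wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def evaluate(policy, action):
    """Simplified IAM evaluation for a single action (Resource and Condition
    elements are ignored): an explicit Deny anywhere wins, then an Allow,
    otherwise the request is implicitly denied."""
    allowed = False
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if any(_matches(p, action) for p in actions):
            if stmt["Effect"] == "Deny":
                return "explicit-deny"
            allowed = True
    return "allow" if allowed else "implicit-deny"


def still_allowed(policy, actions):
    """Review helper: list which of the given actions the policy would permit,
    e.g. to check that an escalation-related action is not left open."""
    return [a for a in actions if evaluate(policy, a) == "allow"]
```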
Externally processed data
A Retool-managed, self-hosted deployment instance emits certain types of data outside the customer's environment for specific operational purposes.
Data | Description |
---|---|
Usage and user events | Analytics about Retool feature usage and user events, such as signing in. |
Pricing and metering | Information related to your organization's pricing and metering, such as user count. |
Infrastructure health | Observability metrics about the health of the instance. This does not include any customer data or personally identifiable information (PII). |
Temporal metadata | Encrypted metadata processed in Temporal Cloud for workflow coordination. This does not include the contents of code blocks or run outputs. |
Alerts | System alerts and notifications, such as administrative alerts and user invites. |