Home / Docs
Security Intermediate

Security - Data Protection & Access Control

Understand how CardRender protects your data and team access. SOC 2 compliance, encryption, and security best practices.

Last updated:

CardRender is built to keep customer data secure while making it easy for teams to collaborate. We follow industry best practices and maintain compliance with major security standards.

Data Encryption

In Transit

All data transmitted to and from CardRender is encrypted using TLS 1.3. This includes:

  • API requests and responses
  • Dashboard interactions
  • File uploads (logos, photos, documents)
  • Webhook deliveries

At Rest

All sensitive data is encrypted at rest using AES-256 encryption:

  • User credentials (hashed with bcrypt)
  • API keys and tokens
  • Payment information (processed by Stripe, not stored by CardRender)
  • Personal contact information

Access Control

Role-Based Permissions

CardRender enforces granular role-based access control (RBAC) to ensure only authorized users can access specific data and features. See Teams & Roles for details on available roles.

Two-Factor Authentication (2FA)

Workspace owners and admins can require 2FA for all members. Supported methods:

  • Authenticator apps (Google Authenticator, Authy, 1Password)
  • SMS verification (available on Enterprise plans)
  • Hardware security keys (YubiKey, Titan)

Single Sign-On (SSO)

Enterprise customers can integrate with their identity provider:

  • SAML 2.0 support for Okta, Azure AD, Google Workspace
  • Automatic provisioning and deprovisioning
  • Enforce company authentication policies

Audit Logging

All sensitive actions are logged for security auditing:

  • Member invitations and role changes
  • Card creations, updates, and deletions
  • API key generation and revocation
  • Export and data access events
  • Login attempts and authentication failures

Workspace owners can export audit logs as CSV or stream them to SIEM tools via webhooks.

Data Retention & Deletion

User Control

  • Users can delete their own cards at any time
  • Deleted cards are soft-deleted for 30 days, then permanently removed
  • Analytics data is retained for the duration of the workspace subscription
  • Users can request full data export (GDPR Article 20)

Data Residency

CardRender uses Cloudflare’s global network. Enterprise customers can request data residency in specific regions:

  • United States (default)
  • European Union (GDPR compliance)
  • United Kingdom
  • Canada

Compliance & Certifications

SOC 2 Type II

CardRender maintains SOC 2 Type II certification, audited annually by independent third parties. Enterprise customers can request a copy of our SOC 2 report.

GDPR Compliance

We comply with the EU General Data Protection Regulation:

  • Data Processing Agreement (DPA) available on request
  • Privacy by design and default
  • Right to access, rectification, and erasure
  • Data portability and objection rights

CCPA Compliance

California Consumer Privacy Act compliance:

  • Clear notice of data collection and use
  • Right to opt-out of data sharing (we don’t sell data)
  • Right to deletion and non-discrimination

Vulnerability Management

Security Updates

  • Infrastructure patches applied automatically
  • Application dependencies reviewed and updated weekly
  • Zero-day vulnerabilities addressed within 24 hours

Penetration Testing

CardRender undergoes annual penetration testing by third-party security firms. Critical and high-severity findings are remediated immediately.

Responsible Disclosure

Report security vulnerabilities to: [email protected]

We offer a bug bounty program for qualifying vulnerabilities. Details at: cardrender.com/security/bug-bounty

Incident Response

In the event of a security incident:

  1. Incident detected and contained within 1 hour
  2. Affected customers notified within 24 hours
  3. Root cause analysis completed within 72 hours
  4. Remediation and prevention measures implemented
  5. Post-mortem report published

Best Practices for Users

  • Enable 2FA on your account
  • Use unique, strong passwords (or a password manager)
  • Review member permissions quarterly
  • Rotate API keys regularly
  • Monitor audit logs for suspicious activity
  • Report phishing attempts or suspicious emails
  • Keep recovery codes in a secure location

Enterprise Security Features

Additional security features for Enterprise plans:

  • Custom session timeout policies
  • IP allowlisting for API access
  • Advanced threat detection and monitoring
  • Dedicated security point of contact
  • Custom data retention policies
  • Security training for team admins

For enterprise security documentation and compliance attestations, contact: [email protected]

Related Documentation

Getting Started Teams API