Security
Last updated: 4 June 2026
Retainr holds your agency's most sensitive numbers — payroll, invoices, the general ledger. Here is how we protect them.
Hosting
Your data is hosted on Railway, our managed cloud platform, currently in the US West region (Oregon, USA). Backups run regularly and are encrypted.
Encryption
All traffic is encrypted in transit over TLS. Data is encrypted at rest. Passwords are never stored in plain text — only as salted hashes.
Tenant isolation
Every workspace is a separate tenant. Access is scoped to your tenant on every request at the application layer, with a database-level row-security backstop being rolled out as defence in depth. Authentication cookies are isolated per host so sessions never bleed between workspaces.
Account protection
- Two-factor authentication (TOTP) available on every account.
- Rate limiting on authentication endpoints to blunt brute-force attempts.
- Role-based permissions so teammates see only what they should.
- Full audit log of sensitive actions for accountability.
Resilience
Encryption keys are persisted durably, so deployments and scaling never sign your team out or break access to encrypted data.
Reporting a vulnerability
Found something? We want to know. Email help@retainr.tech with details and we'll respond promptly. Please give us reasonable time to remediate before any public disclosure.