When you are rendering client work, you are sending someone else's intellectual property to a third-party server. That is a conversation worth having clearly. This article covers how Drop & Render handles your files: where they are stored, how they are encrypted, who can access them, and what happens to them after your render is done. If you are a studio evaluating whether a render farm is safe enough for confidential projects, this is written for you.
How are your project files protected on a render farm?
Every file you upload to Drop & Render is protected at two points: in transit and at rest.
In transit: all uploads travel over HTTPS with TLS encryption. For high-speed transfers using HDT (our local network transfer protocol), connections use TLS with RSA 2048-bit certificates and Bearer token authentication. Nothing is transmitted as plaintext.
At rest: files are stored with AES-256 encryption. AES-256 is the same standard used by financial institutions and government agencies. It is the strongest commercially available symmetric encryption.
Your credentials are never stored in plaintext. Studio tokens used for job authentication are hashed with SHA-256 using constant-time comparison, which prevents timing-based attacks. File integrity is verified on every transfer using SHA-256 and MD5 checksums.
Where are your files actually stored?
Your files are processed and stored at Previder's datacenter in the Netherlands. Previder is certified by the Dutch Data Center Association (DCA) and operates to ISO 27001 standards. Backups are synced to Amazon Cloud.
All data stays within EU jurisdiction. This matters for two reasons: your files are subject to GDPR protections, and they are never routed through servers outside the EU without your knowledge.
Physical access to the datacenter requires multi-factor authentication: a digital key, a biometric fingerprint scan, and a PIN for machine-rack areas. CCTV and motion detection monitor all critical zones around the clock.
What happens to your files after rendering is done?
All project files and rendered outputs are automatically deleted after 7 days. This is not a manual process you have to request. Deletion runs automatically on the backend and removes files irrecoverably from the RAID 10 NAS storage.
No action needed on your end. The 7-day window gives you time to download your outputs. After that, nothing remains.
Can Drop & Render employees see your project files?
Access to user data is restricted to a strictly limited number of trained staff, and only for operational reasons. All access is governed by role-based authorisation and logged. If someone accesses your files, there is an audit trail.
This is not a general access policy. It is a narrow exception for situations like diagnosing a failed render. It does not apply to the general employee base.
Do render farms sign NDAs for confidential projects?
Drop & Render offers a Non-Disclosure Agreement for studios and freelancers working on confidential projects. You can review and sign it directly on the website, without needing to contact support or request a custom document.
This is particularly relevant for studios working on unreleased commercial campaigns, broadcast work, or anything under client confidentiality. An NDA with your render farm is a standard part of that chain of custody.
Is a render farm GDPR compliant?
Drop & Render is fully GDPR compliant. Data is processed and stored exclusively in the Netherlands, within EU jurisdiction. Your data is never sold or shared with third parties for advertising purposes. The only data collected is what is needed to run your renders.
You have the right to request access, correction, or deletion of your data at any time. The full details are in the privacy policy and terms of service.
The security policy is reviewed annually and updated after any significant change, overseen by the CEO and Head of Security.
How does Drop & Render test and maintain its security?
Security is not a one-time setup. Drop & Render runs an ongoing programme:
Quarterly security audits. Internal and external auditors review network security, data handling, physical controls, and GDPR compliance every three months.
Monthly penetration testing. Web applications and network infrastructure are pen-tested every month. Vulnerabilities are escalated with prioritised remediation plans.
30-minute disaster recovery target. The disaster recovery plan is tested monthly. Software-related issues target restoration within 30 minutes. Hardware spares are pre-staged for rapid swap.
Annual policy review. The full security policy is formally reviewed each year by the CEO and Head of Security.
How does access control work for a studio team?
Role-based access is built into every team account. Admins can see all jobs, usage, and billing across the studio. Members can only see their own activity. Neither role can access another member's credentials or job files.
All access events are logged. If you need to demonstrate to a client that their project was handled under controlled access conditions, that audit trail exists.
Drop & Render security at a glance
| Layer | What it covers |
|---|---|
| Encryption in transit | HTTPS/TLS on all uploads. RSA 2048-bit + Bearer token for HDT transfers. |
| Encryption at rest | AES-256 on all stored files. |
| Credential storage | No plaintext credentials. SHA-256 hashed tokens, constant-time comparison. |
| File integrity | SHA-256 and MD5 checksums on every transfer. |
| Data location | Netherlands, EU. ISO 27001 and Dutch DCA certified datacenter. |
| Physical security | MFA access (key, biometric, PIN). 24/7 CCTV and motion detection. |
| Auto-deletion | All files removed after 7 days. Irrecoverable, automatic, no request needed. |
| Access logging | All staff access to user data is role-gated and logged with full audit trail. |
| GDPR compliance | EU-hosted. Data not sold or shared. Deletion and access rights honoured. |
| NDA | Available to sign directly on the website. No request or negotiation needed. |
| Audits | Quarterly security audits. Monthly penetration testing. |
| Disaster recovery | 30-minute restoration target. Tested monthly. |
Frequently asked questions
Can I get a copy of the security policy? Our security page covers the full technical and organisational detail. For enterprise inquiries, contact support.
Do you offer an NDA? Yes. You can review and sign it directly on our NDA page.
Where exactly is my data stored? At Previder's datacenter in the Netherlands. Backups sync to Amazon Cloud. All data stays within EU jurisdiction.
How long are my files kept? A maximum of 7 days. After that, files are deleted automatically and irrecoverably. No manual request is needed.
Can your staff see my project files? A strictly limited number of trained staff can access user data, and only for operational reasons. All access is logged.
Is Drop & Render GDPR compliant? Yes. Data is processed and stored in the EU. You have the right to access, correct, or delete your data. Full details in our privacy policy and terms of service.
What encryption standard do you use? AES-256 at rest, HTTPS/TLS in transit. RSA 2048-bit with Bearer token authentication for HDT transfers.
Do you do penetration testing? Yes, monthly. Results are reviewed by the internal security team with prioritised remediation.
What happens if there is a system failure? The disaster recovery plan targets restoration within 30 minutes for software-related issues and is tested monthly. Hardware spares are pre-staged.
Rendering confidential work?
Drop & Render is built to handle it. Encrypted transfers, EU-hosted storage, automatic file deletion, and an NDA ready to sign.
