Content Security
  • 02 May 2022

To understand our content security policy, we first have to look at how Prerender.io works.

Render Request - Data Flow

[Diagram: Request Flow]

What data do we receive?

Our service provides a middleware solution, which acts as an extension to your content processing flow. When your server receives a request, the middleware decides whether the request is coming from a bot or a normal visitor. If it's a bot, the middleware reaches out to us and asks for a rendered HTML-only version of the page to be served to the bot.

We do not receive any information about your visitors or any identifying data in this chain. Our service only receives a URL that you wish to serve as an HTML response.

Customer, Private Data Management

We do not receive any private data, cookie, identification header, or IP address from your system. To ensure that we are not hiding anything, you can check the implementation in our open-source GitHub repositories.
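The flow described above, sketched as an added example (not Prerender.io's middleware code): the outbound render request is built from an allowlist of the page URL and the User-Agent string, and a small audit helper reports any visitor-identifying header that would leave your system. The endpoint, the bot pattern, the sensitive-header list and the sample request are assumptions constructed for illustration.

```javascript
// Added illustration; endpoint and bot list are hypothetical placeholders.
const RENDER_ENDPOINT = "https://render.example.invalid/";
const BOT_PATTERN = /googlebot|bingbot|twitterbot|facebookexternalhit/i;
// Headers that identify a visitor and must never be forwarded.
const SENSITIVE = ["cookie", "authorization", "x-forwarded-for", "x-real-ip", "forwarded"];

// Decide whether the incoming request should be served a prerendered page.
function isBot(req) {
  return req.method === "GET" && BOT_PATTERN.test(req.headers["user-agent"] || "");
}

// Build the outbound request from an allowlist: the page URL and the
// User-Agent string. Nothing else is copied from the visitor's request.
function buildRenderRequest(req, siteOrigin) {
  const pageUrl = new URL(req.url, siteOrigin);
  return {
    url: RENDER_ENDPOINT + pageUrl.href,
    headers: { "user-agent": req.headers["user-agent"] || "" },
  };
}

// Audit helper: list visitor-identifying headers present on an outbound request.
function leakedHeaders(outbound) {
  const names = Object.keys(outbound.headers).map((h) => h.toLowerCase());
  return SENSITIVE.filter((h) => names.includes(h));
}

// Constructed sample request, shaped like a Node HTTP server request.
const sample = {
  method: "GET",
  url: "/products/42?ref=home",
  headers: {
    "user-agent": "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)",
    cookie: "session=constructed-value",
    authorization: "Bearer constructed-token",
    "x-forwarded-for": "203.0.113.7",
  },
};

if (isBot(sample)) {
  const outbound = buildRenderRequest(sample, "https://shop.example");
  console.log(outbound.url, "leaked:", leakedHeaders(outbound));
}
```

Because the URL itself is forwarded, anything placed in its path or query string goes with it, so session identifiers and tokens should be kept out of URLs.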

What We See

Our system can only see the data that you already share with everyone on the internet. We do not bypass any authentication or open connections toward your inner systems. The architectural concept ensures that we can only visit your website as an unauthenticated standard visitor.

What Data We Collect

We store the User-Agent string sent with every request, but this string is arbitrary and does not identify any person; it is only used to identify which kind of bot initiated the request.

We store the IP address of the server that requests the prerendering so that we can rate limit or block malicious requests toward our system. In short, it's used for quality assurance.

We render each page with a new isolated browser instance that does not have any cookie or data about your website. We do not store cookies or any resources between two renderings, so each execution is stateless in our system.

Request Encryption

The traffic between your system and our service request endpoint is encrypted through a TLS-secured channel.

Cache Encryption

Your website's rendered HTML is not encrypted at rest but does not contain any data which a normal visitor could not access without us. Our choice is not to encrypt public data in our encapsulated system because our system is hermetically isolated from the public internet. The data can only be accessed through already secured communication channels.

Rendering Encryption

Our services prioritize HTTPS-encrypted channels to reach your website, but if your web server is not capable of responding with an encrypted response, we will downgrade the connection to a non-encrypted HTTP one to complete the rendering.
This request flow does not contain any personal data and only involves our rendering server and your website.

