🔀 How to untangle and manage build distribution — Webinar, May 16th — Register
🔀 How to untangle and manage build distribution — Webinar, May 16th — Register


Runway was built with security in mind from day one. We understand data security and privacy are top of mind for our customers, so we’ve worked hard to establish and maintain a strong security posture.
AICPA / SOC 2 badge
We have achieved a SOC 2 Type 2 attestation from a certified auditor with no exceptions in the final report. We work with an AICPA-certified audit firm to evaluate our information security program and controls on an annual basis. A live dashboard showing the status of all security controls is available upon request.

Integrations are an important piece of Runway, and we’re extremely security-conscious in how we implement and maintain them. We use official APIs only, authenticated with the most modern and secure option available. Where possible, access is requested granularly.

Scroll down for some additional security highlights, and feel free to reach out to security@runway.team with any questions.
Infrastructure security and availability
  • All connections to the web application are encrypted (SSL/TLS 1.2 enforced).
  • Customer data in databases and cloud storage is encrypted at rest (AES-256).
  • Full logical separation of development and production environments, with named, dedicated accounts for each.
  • Infrastructure is continuously monitored to verify that it’s configured securely and has up-to-date security patches. All activity by employees is logged.
  • Regular vulnerability scans are performed on production environment.
  • Multiple availability zones are utilized to replicate production data across different regions.
  • Databases are backed up daily.
Product security and confidentiality
  • All integrations are connected via official APIs, authenticated with most modern option offered
  • Development process adheres to industry best practices including automated and manual testing, code reviews, continuous deployments, production logging and alerts, and regular performance benchmarking.
  • Data from expired accounts is removed after 3 days, or within 24 hours of receiving a request.
Company security and trust
  • All employees and contractors undergo background screening, and complete training programs for privacy and information security annually
  • Your data is yours to own, and we will never share or sell your data.

Need a question answered?

Please feel free to get in touch. We’ll be happy to share further details upon request.
contact us