Security & compliance you can rely on
RunoxAI is built on a foundation of rigorous security practices and industry-standard compliance certifications.
Certifications & Compliance
SOC 2 Type II
Independently audited by a third-party auditor. Our SOC 2 Type II report covers Security, Availability, and Confidentiality trust service criteria.
GDPR
We are compliant with the EU's General Data Protection Regulation. RunoxAI serves as a data processor under GDPR and offers DPA agreements to all customers.
CCPA
RunoxAI complies with the California Consumer Privacy Act. California residents can exercise their rights to access, delete, or opt out of data sale at any time.
HIPAA
Enterprise customers with healthcare use cases can enter into a Business Associate Agreement (BAA) to support HIPAA-compliant deployments.
Security reports and DPA templates are available upon request. Contact the security team.
Security practices
Encryption at rest & in transit
All data is encrypted using AES-256 at rest and TLS 1.3 in transit. Encryption keys are managed via AWS KMS with automated rotation.
Zero data retention option
Enterprise customers can opt into zero data retention mode. In this mode, RunoxAI processes requests without logging query content or results.
Role-based access control
Granular RBAC lets admins control which team members can access API keys, billing, and usage dashboards within an organization account.
Penetration testing
We conduct annual third-party penetration tests. Results are available to enterprise customers under NDA upon request.
Vulnerability disclosure
We maintain a responsible disclosure program. Security researchers can report vulnerabilities to security@runoxai.com.
Incident response
RunoxAI maintains a documented incident response plan with defined SLAs for detection, containment, and notification.
Privacy principles
We do not sell your data
RunoxAI never sells customer data or query logs to third parties. Your data is used solely to provide and improve our services.
Minimal data collection
We collect only the data necessary to operate the service. API request logs are retained for 30 days and can be deleted on request.
Data residency options
Enterprise customers can request data residency in the US or EU to meet local regulatory requirements.
Questions about security?
Our security team is available to answer questions, share compliance documentation, and discuss enterprise security requirements.