Security Policy
Last updated April 2026. Runframe.
Overview
This page describes the measures Runframe uses to protect customer data and operate the service securely. It serves as our security policy for customers, partners, and marketplace reviews.
We design the product and internal processes around least-privilege access, secure defaults, rapid response to security issues, and clear communication when something needs customer attention.
Reporting Security Issues
If you believe you have found a security vulnerability in Runframe, email security@runframe.io. The same contact is listed in our security.txt file.
Include enough detail for us to reproduce and validate the issue. Please avoid public disclosure until we have investigated and remediated the issue.
Vulnerability Management
Security reports are reviewed and triaged based on severity, affected systems, exploitability, and customer impact.
- We validate incoming reports, determine scope, and assign remediation priority.
- Confirmed issues are tracked through remediation, verification, and deployment.
- We rotate credentials, revoke affected secrets or tokens, and add detection or hardening controls to prevent recurrence when needed.
- We also address issues identified through internal review, dependency maintenance, and operational monitoring.
Security Incident Response
We maintain an incident response process for security events affecting the Runframe service or supporting systems.
- We triage and classify the event, then take containment steps to limit impact.
- We investigate root cause, remediate the issue, and restore normal operations.
- We notify affected customers or partners with the information needed to understand impact and recommended next steps.
- After material incidents, we perform a post-incident review and use the outcome to improve controls, monitoring, or process.
Access Control and Authentication
Access to production systems and customer data is restricted to authorized personnel with a business need.
- We apply least-privilege principles to administrative access and operational workflows.
- Authentication is handled by Clerk, which manages user login, credential handling, and session controls.
- Role-based permissions restrict access to organization resources and administrative actions.
- Administrative actions are recorded in audit logs available in the product.
Infrastructure and Data Protection
Runframe uses hosted infrastructure providers to operate the application and store customer data. Data is transmitted over HTTPS/TLS, and data at rest is protected by encryption provided by our infrastructure partners.
- Customer data is stored in managed cloud infrastructure operated by our hosting providers.
- Secrets and integration credentials are handled as sensitive configuration and not exposed publicly.
- We limit direct production access and review access when operational needs change.
Application Security Controls
We use preventive and detective controls in the application.
- Requests are served over HTTPS and include common browser security protections.
- Authorization checks are enforced around organization and resource access.
- Session and cookie integrity protections reduce the risk of tampering.
- Supported integrations use scoped credentials, and some flows support webhook signature validation or secret rotation.
- Error monitoring and operational logging help us detect and investigate service issues.
Policy Updates and Contact
We update this page as our product, infrastructure, or security practices change. The date at the top of this page reflects the last revision.
Questions about this policy can be sent to security@runframe.io or support@runframe.io.