Security

How Rune protects your data

We build security tools — so we take our own security seriously. Here's how we handle your data, protect your infrastructure, and maintain trust.

Security Architecture

Rune's architecture is designed so your sensitive data stays local:

SDK (your app) — Scanning happens here. Locally. In-process.

↓ event metadata only

Worker (Cloudflare Edge) — Authenticates, routes, rate-limits.

↓

ClickHouse (analytics) + Convex (state)

The SDK runs inside your application process. L1 regex scanning, L2 vector similarity, and policy evaluation all execute locally. Only event metadata (threat type, risk score, pattern ID, latency) is sent to the cloud — never the raw content being scanned.

Data Handling

What we collect

Event metadata: timestamp, agent ID, event type

Scan results: risk score, threat category, pattern IDs

Performance: scan latency, layers executed

Policy outcomes: allow/block decision, rule matched

What we do NOT collect

Raw prompts: never sent to cloud by default

User content: stays in your application

LLM responses: scanned locally, not transmitted

Tool parameters: only argument hashes, not values

Encryption

In transit: TLS 1.3 enforced on all API endpoints. HSTS enabled. No plaintext fallback.

At rest: ClickHouse Cloud encrypts data at rest with AES-256. Convex encrypts all stored data.

API keys: Hashed with SHA-256 before storage. Raw keys are never persisted.

Authentication

SDK authentication: API key header (X-Rune-Key) on every request. Keys are scoped per organization.

Dashboard auth: OAuth 2.0 (GitHub, Google) or email/password with bcrypt hashing. Session tokens are JWTs signed with RSA keys.

Worker auth: API keys validated against Cloudflare KV with constant-time comparison.

Infrastructure

Edge compute: Cloudflare Workers — runs in 300+ locations worldwide. No single point of failure.

State management: Convex — SOC 2 Type II compliant, real-time sync, automatic backups.

Analytics: ClickHouse Cloud — SOC 2 compliant, encrypted storage, configurable retention.

DNS & CDN: Cloudflare — DDoS protection, WAF, bot management included.

Compliance Roadmap

Rune is pursuing SOC 2 Type I certification. Our infrastructure providers (Convex, ClickHouse Cloud, Cloudflare) are independently SOC 2 certified.

SOC 2 Type I: In progress. Target completion: Q3 2026.

GDPR: We process event metadata as a data processor. No PII is collected by default. DPA available on request.

Data residency: ClickHouse cluster region configurable on Growth plan and above.

Responsible Disclosure

If you discover a security vulnerability in Rune, we want to hear about it. We appreciate responsible disclosure and will work with you to understand and address the issue promptly.

Report to: security@runesec.dev

Response time: We acknowledge reports within 48 hours and aim to resolve critical issues within 7 days.

Safe harbor: We will not pursue legal action against security researchers who report vulnerabilities responsibly.

Frequently Asked Questions

Does Rune see my users' prompts?

No. Scanning runs locally in the SDK. Only metadata (risk score, threat type, scan latency) is sent to the cloud. Raw content never leaves your infrastructure.

What happens if the Rune cloud is unreachable?

The SDK continues scanning locally. L1 and L2 scanning work entirely offline. Events are queued and flushed when connectivity resumes. Your agents are never blocked by our infrastructure.

Can I run Rune entirely on-premises?

The scanner package (@runesec/scanner) is fully open source and runs anywhere with zero dependencies. For the full platform with dashboard and alerting, contact us about self-hosted deployment options.

How do you handle data retention?

Retention periods are plan-dependent: 30 days (Community), 90 days (Starter), 180 days (Pro), 365 days (Growth). Data is automatically purged after the retention period.

Questions about security? security@runesec.dev