Trust & Security

Security is
not a feature.
It's the foundation.

Every line of code, every API call, every AI inference in RunAsh is built on a security-first architecture. Here's exactly how we protect your data, your sellers, and your buyers.

🛡️ SOC 2 Type II

🇪🇺 GDPR Compliant

💳 PCI DSS Level 1

🏥 HIPAA Ready

🔍 Penetration Tested

Compliance

Certifications & audits

Third-party verified. Click any certification to see the scope and details.

🛡️

SOC 2 Type II

2024

✓ Certified

Annual third-party audit of security, availability, and confidentiality controls.

🇪🇺

GDPR Compliant

2024

✓ Certified

Full compliance with EU General Data Protection Regulation for all user data.

📋

ISO 27001

2025

In progress

Information security management certification — audit scheduled Q3 2025.

💳

PCI DSS Level 1

2024

✓ Certified

Highest level payment card industry compliance for Stripe and Razorpay flows.

🏥

HIPAA Ready

2024

✓ Certified

Infrastructure meets HIPAA requirements; BAAs available on Enterprise plan.

🔍

Penetration Tested

2025

✓ Certified

Annual white-box pentest by Cobalt Security. Last report: March 2025.

Architecture

Security practices

Our security posture across data, access, AI, and infrastructure.

✓

AES-256 encryption at rest

All stored data encrypted using AES-256-GCM. Encryption keys managed via AWS KMS with automatic 90-day rotation.

✓

TLS 1.3 in transit

All data in transit protected by TLS 1.3. HSTS enforced. Certificate pinning on mobile clients.

✓

Zero-knowledge catalog storage

Your product catalog is encrypted before storage. RunAsh engineers cannot read catalog contents without your decryption key.

✓

Data residency options

Choose where your data lives: India (Mumbai), Singapore, or EU (Frankfurt). Data never crosses regions without explicit consent.

✓

Zero-trust network architecture

Every internal service call requires authentication. No implicit trust. Service-to-service auth via mTLS with short-lived certificates.

✓

Role-based access control

Granular RBAC across all platform features. Custom roles available on Team and Enterprise plans.

✓

Hardware security keys required

All RunAsh engineers use FIDO2 hardware keys for production access. TOTP is not sufficient for internal systems.

✓

Least-privilege principle

No human has standing access to production databases. All access is time-limited, logged, and requires peer review approval.

✓

Anthropic API key isolation

Your API key is never stored in our database. It lives in environment-isolated secrets and is never logged or transmitted in plaintext.

✓

Prompt injection protection

All user inputs are sanitized and bounded before reaching Claude. System prompts are hardened against injection attacks.

✓

Model output filtering

All AI responses pass through a content safety layer before delivery. No harmful outputs reach end users.

✓

Conversation data policy

By default, conversation data is not used to train any model. Opt-in sharing available for model improvement program with full consent.

✓

Multi-region failover

Active-active deployment across Mumbai, Singapore, and Frankfurt. Automatic failover in < 30 seconds. 99.99% uptime SLA.

✓

DDoS mitigation

Cloudflare Enterprise with 100 Tbps network capacity and automatic L3/L4/L7 DDoS mitigation. Rate limiting enforced at edge.

✓

Immutable infrastructure

All production deployments use immutable containers. No SSH access to running instances. Infrastructure defined as code.

✓

Audit logging

Every API call, admin action, and data access event is logged with full context. Logs are tamper-evident and retained for 1 year.

Data flow

How your data moves

Every hop in our pipeline is encrypted. No plaintext storage, ever.

💻

Your browser

🔒 TLS 1.3→

🌐

Edge / CDN

🔒 mTLS→

⚡

API Gateway

🔒 mTLS→

🤖

AI Model

🔒 AES-256→

🗄️

Encrypted storage

Responsible AI

AI ethics & safety

We build AI that earns trust by being honest about what it does and doesn't do.

Emotion data aggregation only

Our emotion recognition model only surfaces aggregate audience sentiment (e.g., 'trending positive') — never individual viewer scores. Raw signals never leave edge nodes.

Consent-based memory

AI memory features require explicit opt-in. Memory can be cleared at any time from the dashboard. Memory items are tagged with their source.

No dark patterns in CTAs

Commerce Agent CTA copy must meet our plain-language standards. We reject high-pressure patterns like false scarcity or countdown manipulation.

Model transparency

We publish the models we use (claude-sonnet-4-6), the version, and our system prompt structure. You can inspect and override the system prompt in Settings.

Disclosure

Vulnerability disclosure

We believe in responsible disclosure. If you find a security issue, please tell us before anyone else.

Security vulnerabilities

security@runash.ai

PGP available

Data requests / GDPR

privacy@runash.ai

< 72h response

Bug bounty program

bugbounty@runash.ai

Up to $10K

Trust & Security

Security is
not a feature.
It's the foundation.

Every line of code, every API call, every AI inference in RunAsh is built on a security-first architecture. Here's exactly how we protect your data, your sellers, and your buyers.

🛡️ SOC 2 Type II

🇪🇺 GDPR Compliant

💳 PCI DSS Level 1

🏥 HIPAA Ready

🔍 Penetration Tested

Compliance

Certifications & audits

Third-party verified. Click any certification to see the scope and details.

🛡️

SOC 2 Type II

2024

✓ Certified

Annual third-party audit of security, availability, and confidentiality controls.

🇪🇺

GDPR Compliant

2024

✓ Certified

Full compliance with EU General Data Protection Regulation for all user data.

📋

ISO 27001

2025

In progress

Information security management certification — audit scheduled Q3 2025.

💳

PCI DSS Level 1

2024

✓ Certified

Highest level payment card industry compliance for Stripe and Razorpay flows.

🏥

HIPAA Ready

2024

✓ Certified

Infrastructure meets HIPAA requirements; BAAs available on Enterprise plan.

🔍

Penetration Tested

2025

✓ Certified

Annual white-box pentest by Cobalt Security. Last report: March 2025.

Architecture

Security practices

Our security posture across data, access, AI, and infrastructure.

✓

AES-256 encryption at rest

All stored data encrypted using AES-256-GCM. Encryption keys managed via AWS KMS with automatic 90-day rotation.

✓

TLS 1.3 in transit

All data in transit protected by TLS 1.3. HSTS enforced. Certificate pinning on mobile clients.

✓

Zero-knowledge catalog storage

Your product catalog is encrypted before storage. RunAsh engineers cannot read catalog contents without your decryption key.

✓

Data residency options

Choose where your data lives: India (Mumbai), Singapore, or EU (Frankfurt). Data never crosses regions without explicit consent.

✓

Zero-trust network architecture

Every internal service call requires authentication. No implicit trust. Service-to-service auth via mTLS with short-lived certificates.

✓

Role-based access control

Granular RBAC across all platform features. Custom roles available on Team and Enterprise plans.

✓

Hardware security keys required

All RunAsh engineers use FIDO2 hardware keys for production access. TOTP is not sufficient for internal systems.

✓

Least-privilege principle

No human has standing access to production databases. All access is time-limited, logged, and requires peer review approval.

✓

Anthropic API key isolation

Your API key is never stored in our database. It lives in environment-isolated secrets and is never logged or transmitted in plaintext.

✓

Prompt injection protection

All user inputs are sanitized and bounded before reaching Claude. System prompts are hardened against injection attacks.

✓

Model output filtering

All AI responses pass through a content safety layer before delivery. No harmful outputs reach end users.

✓

Conversation data policy

By default, conversation data is not used to train any model. Opt-in sharing available for model improvement program with full consent.

✓

Multi-region failover

Active-active deployment across Mumbai, Singapore, and Frankfurt. Automatic failover in < 30 seconds. 99.99% uptime SLA.

✓

DDoS mitigation

Cloudflare Enterprise with 100 Tbps network capacity and automatic L3/L4/L7 DDoS mitigation. Rate limiting enforced at edge.

✓

Immutable infrastructure

All production deployments use immutable containers. No SSH access to running instances. Infrastructure defined as code.

✓

Audit logging

Every API call, admin action, and data access event is logged with full context. Logs are tamper-evident and retained for 1 year.

Data flow

How your data moves

Every hop in our pipeline is encrypted. No plaintext storage, ever.

💻

Your browser

🔒 TLS 1.3→

🌐

Edge / CDN

🔒 mTLS→

⚡

API Gateway

🔒 mTLS→

🤖

AI Model

🔒 AES-256→

🗄️

Encrypted storage

Responsible AI

AI ethics & safety

We build AI that earns trust by being honest about what it does and doesn't do.

Emotion data aggregation only

Our emotion recognition model only surfaces aggregate audience sentiment (e.g., 'trending positive') — never individual viewer scores. Raw signals never leave edge nodes.

Consent-based memory

AI memory features require explicit opt-in. Memory can be cleared at any time from the dashboard. Memory items are tagged with their source.

No dark patterns in CTAs

Commerce Agent CTA copy must meet our plain-language standards. We reject high-pressure patterns like false scarcity or countdown manipulation.

Model transparency

We publish the models we use (claude-sonnet-4-6), the version, and our system prompt structure. You can inspect and override the system prompt in Settings.

Disclosure

Vulnerability disclosure

We believe in responsible disclosure. If you find a security issue, please tell us before anyone else.

Security vulnerabilities

security@runash.ai

PGP available

Data requests / GDPR

privacy@runash.ai

< 72h response

Bug bounty program

bugbounty@runash.ai

Up to $10K

Security isnot a feature.It's the foundation.

Certifications & audits

Security practices

How your data moves

AI ethics & safety

Vulnerability disclosure

Security isnot a feature.It's the foundation.

Certifications & audits

Security practices

How your data moves

AI ethics & safety

Vulnerability disclosure

Security is
not a feature.
It's the foundation.

Security is
not a feature.
It's the foundation.