Posture
Runory Cloud v0.4 is a public preview. There is no production SLA, no SOC 2 / ISO 27001 certification, and no multi-region compliance claim. Do not run critical or regulated production workloads on it yet. Keep a separate copy of important data.
Authentication and sessions
Sign-in is passwordless via one-time email verification codes. Codes are short-lived, rate-limited, and hashed at rest. Sessions are token-based with a 30-day expiry and are revocable. No passwords are stored because no passwords are collected.
Tenant isolation
Every workspace is a tenant boundary. Object records, views, extensions, audit events, and membership are scoped per workspace and authorized through workspace membership checks. Cross-workspace access requires explicit membership.
Audit visibility
Workspace changes — pack installs, extensions, Agent operations, member changes — are recorded as audit events with actor, timestamp, and request ID. Workspace owners and admins can inspect the full audit timeline from the Audit page.
Data export and portability
Every workspace can export its full metadata manifest (objects, fields, views) and records as JSON or CSV from the Import / Export page. Your data is not locked behind a paywall, and export works on the free plan.
Governed Agent operations
Agent and MCP operations never apply changes directly. They go through plan, preview, validate, apply, and audit. Every applied change is reversible through rollback and is recorded in audit. High-risk operations are blocked by the safety model.
Open-source positioning
The Runory repository and architecture documentation are public. You can read the code that handles authentication, tenancy, extensions, and audit. Cloud is the managed experience; the open Runtime preserves long-term deployment and data choices.
Support and reporting
For support, feedback, or to report a security concern, open an issue on the Runory GitHub repository. There is no dedicated security SLA during public preview, but reports are reviewed.