Security and trust

How Runory handles your workspace, honestly.

v0.4 is a public preview, not a production-grade SaaS with compliance certifications. This page states what is and is not in place so you can decide what to trust it with.

Posture

Runory Cloud v0.4 is a public preview. There is no production SLA, no SOC 2 / ISO 27001 certification, and no multi-region compliance claim. Do not run critical or regulated production workloads on it yet. Keep a separate copy of important data.

Authentication and sessions

Sign-in is passwordless via one-time email verification codes. Codes are short-lived, rate-limited, and hashed at rest. Sessions are token-based with a 30-day expiry and are revocable. No passwords are stored because no passwords are collected.

Tenant isolation

Every workspace is a tenant boundary. Object records, views, extensions, audit events, and membership are scoped per workspace and authorized through workspace membership checks. Cross-workspace access requires explicit membership.

Audit visibility

Workspace changes — pack installs, extensions, Agent operations, member changes — are recorded as audit events with actor, timestamp, and request ID. Workspace owners and admins can inspect the full audit timeline from the Audit page.

Data export and portability

Every workspace can export its full metadata manifest (objects, fields, views) and records as JSON or CSV from the Import / Export page. Your data is not locked behind a paywall, and export works on the free plan.

Governed Agent operations

Agent and MCP operations never apply changes directly. They go through plan, preview, validate, apply, and audit. Every applied change is reversible through rollback and is recorded in audit. High-risk operations are blocked by the safety model.

Open-source positioning

The Runory repository and architecture documentation are public. You can read the code that handles authentication, tenancy, extensions, and audit. Cloud is the managed experience; the open Runtime preserves long-term deployment and data choices.

Support and reporting

For support, feedback, or to report a security concern, open an issue on the Runory GitHub repository. There is no dedicated security SLA during public preview, but reports are reviewed.

Runory | Composable Agent-native Business Runtime