Last Update:
February 11, 2025
Run Security data centers are co-located in first-tier data center facilities that implement industry-leading physical access controls. Physical security is audited using the carve-out method: we perform rigorous subservice vendor reviews, and our independent auditors validate that our co-location providers have appropriate controls in place that meet, at a minimum, the SOC 2 Type 2 physical security criteria. These controls include:
Run Security infrastructure is secured through a layered, defense-in-depth approach. Access to the production network requires multi-factor authentication, and network-level access is restricted by job function following the principle of least privilege. All access through ingress points is closely monitored and subject to stringent change control.
Systems are protected by key-based authentication, and access is limited through Role-Based Access Control (RBAC), which ensures that only users who require access to a system are granted it, at the level their role requires. We treat any system that houses customer data we collect, or data that customers store with us, as the highest sensitivity tier; access to these systems is limited and closely monitored.
The security and availability of our infrastructure is critically important, and we understand that our role is to protect our customers from a variety of threats, many of them highly sophisticated. User and system behavior is monitored for suspicious activity, and investigations follow our incident reporting and response procedures. Root cause analysis is performed on every security or availability incident, regardless of whether it impacts customer SLAs.
Run Security holds a SOC 2 Type 2 report, issued by an independent CPA firm under AICPA attestation standards, covering the Security and Availability trust services criteria. The current report and a bridge letter (covering the period since the report's end date) are available to existing customers who need them for their own compliance purposes. The description of the system contains the following information:
The description does not omit or distort information relevant to the service organization's system, while acknowledging that the description is prepared to meet the common needs of a broad range of users and may not, therefore, include every aspect of the system that each individual user may consider important to his or her own particular needs.
The controls stated in the description were suitably designed throughout the specified period to meet the applicable trust services criteria.
The Run Security Web Application Firewall can be used to satisfy PCI DSS Requirement 6.6 (in PCI DSS v4.0 the corresponding requirement is 6.4.2, with 6.4.1 applying until 6.4.2 takes effect on 31 March 2025) when deployed within a customer's PCI environment. The sensors do not store or transmit cardholder data (PANs, CVVs, etc.); however, maintaining effective security controls remains the responsibility of the customer and should be validated by a QSA.
Existing customers who manage PCI-compliant environments can include Run Security on-premises sensors in the scope of their audit. On request, Run Security can provide documentation attesting that cardholder data is not stored or transmitted by the sensors. Always follow your QSA's guidance on implementing and testing PCI security controls.