Security & Compliance

Enterprise-grade security for your most sensitive deals.

RunDD is built from the ground up to handle confidential deal data. SOC 2 Type II certified, tenant-isolated, and encrypted at every layer.

SOC 2 Type II (Certified) · GDPR (Compliant) · CCPA (Compliant) · Penetration Testing (Annual)

Security Controls

Our security program is designed around the principle of defense in depth, with controls at every layer of the stack.

Encryption

  • AES-256 encryption at rest for all stored data
  • TLS 1.3 encryption in transit for all API and web traffic
  • Encrypted database credentials and integration tokens
  • Client-side encryption available for sensitive document uploads

Tenant Isolation

  • Dedicated PostgreSQL schema per client organization
  • Isolated vector database namespace per tenant
  • No data commingling across organizations
  • Row-level security policies enforced at the database layer

Identity & Access

  • Auth0-powered authentication with enterprise SSO (SAML, OIDC)
  • Multi-factor authentication (MFA) enforcement
  • Role-based access control (RBAC) with five granular roles
  • Session management with configurable timeout policies

Monitoring & Logging

  • Comprehensive audit logs for all user and agent actions
  • Real-time anomaly detection on access patterns
  • Automated alerting for suspicious activity
  • Log retention for 12 months with immutable storage

Infrastructure

  • Hosted on AWS with multi-AZ redundancy
  • Infrastructure-as-code with automated security scanning
  • Container isolation for AI agent execution
  • Automated patch management and vulnerability scanning

Personnel Security

  • Background checks for all employees with data access
  • Mandatory security awareness training
  • Principle of least privilege for internal access
  • Quarterly access reviews and deprovisioning audits

Certifications & Compliance

We maintain rigorous compliance standards and make audit reports available to customers and prospects.

SOC 2 Type II (Certified)

Independently audited controls covering security, availability, and confidentiality. Our most recent report covers the 12-month period ending December 2025.

Report available under NDA upon request.

GDPR (Compliant)

Full compliance with the EU General Data Protection Regulation, including Data Processing Agreements, Standard Contractual Clauses, and data subject rights.

DPA available for execution.

CCPA (Compliant)

Compliance with the California Consumer Privacy Act, including consumer rights requests, data disclosure, and opt-out mechanisms.

Penetration Testing (Annual)

Annual third-party penetration testing by an independent security firm. All critical and high findings are remediated within 30 days.

Executive summary available under NDA.

AI-Specific Security

Responsible AI in due diligence

Zero-retention AI inference

Customer data sent to AI models (Claude, GPT-4o) is processed under zero-retention agreements. No diligence data is used to train third-party models.

Scoped agent access

AI agents only access data within the workspace and data sources you explicitly authorize. Agents cannot cross tenant boundaries.

Human-in-the-loop

Every AI-generated finding includes a mandatory review checkpoint. Critical findings require human approval before inclusion in reports.

Audit trail for AI actions

Every agent run, finding generation, and evidence retrieval is logged with timestamps, data sources accessed, and token usage.

Need our SOC 2 report or security questionnaire?

We're happy to share our SOC 2 Type II report under NDA and complete your vendor security assessment.
