Security

Last Updated: May 13, 2026

RunInfra runs production AI inference for customers who cannot tolerate downtime, data leaks, or silent model substitution. This page describes the controls, audits, and response processes we use to protect customer data and customer workloads.

For the formal contractual version of these commitments, see the Data Processing Agreement and the Privacy Policy. For the legal-risk allocation, see the Terms of Service.

I. SOC 2 TYPE II

RunInfra is SOC 2 Type II attested. SOC 2 Type II is an independent audit, conducted under AICPA standards, that evaluates the operating effectiveness of our security, availability, and confidentiality controls over a defined audit window rather than at a single point in time.

Our most recent attestation, the auditor's identification, the period covered, and the full report are available to current customers and to qualified prospects under NDA at trust.rightnowai.co. Enterprise procurement teams can request the report directly at security@runinfra.ai.

Our SOC 2 controls cover the platform components RunInfra operates directly. Sub-processors carry their own independent attestations: AWS (via Supabase), Vercel, Fly.io, Stripe, and Modal each maintain SOC 2 Type II or equivalent. The combined posture is documented in our vendor management program.

II. ENCRYPTION

  • In transit. All traffic to runinfra.ai and to deployed inference endpoints is TLS 1.2 or higher with modern cipher suites. HSTS is enabled with preload. Internal service-to-service traffic on Fly.io uses encrypted private networking.
  • At rest. The primary database (Supabase Postgres on AWS) uses AES-256 encryption at rest. Object storage (Vercel Blob, Supabase Storage) is encrypted at rest with AES-256. Model weights cached on GPU compute providers are encrypted at rest using each provider's native storage encryption.
  • Secrets. API keys, OAuth tokens, and other credentials are stored encrypted with envelope encryption. Application code accesses secrets through environment-bound secret managers; no plaintext secrets are kept in the repository, in build artifacts, or in logs.

III. ACCESS CONTROLS

  • Customer-facing. Sign-in is SSO via Supabase Auth with OAuth providers (Google, GitHub). Sessions are scoped per workspace with role-based access control. Tenant isolation is enforced at the database layer through Supabase row-level security policies, so that if application code has a bug, the system is designed to fail closed rather than leak data across workspaces.
  • Production access. Engineering access to production is gated by SSO and multi-factor authentication, logged, least-privilege, and reviewed on a recurring cadence in accordance with our SOC 2 program. The specific MFA controls in force are documented in the current SOC 2 Type II report available at trust.rightnowai.co.
  • Customer data. Engineers do not access customer prompts or pipeline outputs in normal operation. When access is required to investigate an incident the customer reports, the access is logged, scoped to the relevant records, and annotated with the ticket number.

IV. NETWORK AND INFRASTRUCTURE

  • The web tier is hosted on Vercel with DDoS protection at the platform edge.
  • The API engine runs on Fly.io in a private network with public ingress only on the documented HTTPS endpoints.
  • The optimization engine submits profiling and serving jobs to Modal and RunPod over authenticated APIs. Each integration uses scoped, rotatable credentials.
  • Inbound traffic is rate-limited and bot-checked. Suspicious patterns trigger automatic mitigation.
  • We do not operate any open SSH or RDP surfaces; production hosts are managed through the cloud providers' control planes only.

V. SECURE DEVELOPMENT

  • All production changes ship through pull requests with mandatory code review.
  • Static analysis, dependency scanning, and secret-scanning run on every CI build. Builds with high-severity findings are blocked from merging until resolved.
  • Dependencies are pinned with lockfiles and updated on a regular cadence. Security advisories on direct dependencies are triaged within 7 days for critical, 30 days for high.
  • Database schema changes ship through versioned migrations with backward-compatible rollouts. Destructive migrations require explicit review.
  • Engineering staff complete security training during onboarding and annually thereafter.

VI. MONITORING AND LOGGING

  • Application logs are streamed to centralized log management with structured search and alerting.
  • Authentication events, administrative actions, and access to customer data are logged separately and retained per the audit-log retention policy described in the Privacy Policy.
  • Application errors are captured by an APM that masks request bodies and headers known to contain secrets.
  • Service health is monitored continuously with synthetic checks against the public API surface.

VII. VULNERABILITY MANAGEMENT

We operate a continuous vulnerability management program:

  • Automated dependency and container scanning on every build.
  • Internal review and testing on major releases.
  • Third-party penetration testing on a recurring cadence covered by our SOC 2 program; the current schedule and the most recent report are available under NDA at trust.rightnowai.co.
  • Remediation is prioritized by severity in line with our SOC 2 controls; target windows for critical, high, medium, and low findings are documented in the operational runbook and reflected in the audit report.

VIII. INCIDENT RESPONSE

We maintain a documented incident response plan covering detection, triage, containment, eradication, recovery, and post-incident review. Severity is classified on a four-tier scale and drives the response timeline.

Breach notification. In the event of a Personal Data Breach affecting customer data, we will notify the affected customers without undue delay, and in any case within 72 hours of becoming aware of the breach. The notification will identify, to the extent known at the time, the nature of the breach, the categories and approximate number of records concerned, the likely consequences, and the measures we are taking to contain and remediate.

Post-incident, we publish a customer-facing summary through trust.rightnowai.co with the timeline, root cause, and the corrective actions taken.

IX. COMPLIANCE

  • SOC 2 Type II. Independent attestation, updated annually. See Section I.
  • GDPR. Compliance documented in the Privacy Policy and contractual processor terms in the DPA.
  • UK GDPR. Covered through the same controls; cross-border transfers governed by the UK IDTA referenced in the DPA.
  • CCPA / CPRA. California rights are honored as described in the Privacy Policy. We do not sell personal information and do not share it for cross-context behavioral advertising.
  • HIPAA. The Service is not currently offered for the processing of protected health information. Customers in healthcare contexts should contact us before sending PHI to confirm scope and any required BAA arrangements.

X. RESPONSIBLE DISCLOSURE

We welcome responsible disclosure of security vulnerabilities. To report a vulnerability:

  • Email security@runinfra.ai with a description of the issue, reproduction steps, and any proof-of-concept material.
  • Allow us a reasonable window to remediate before public disclosure (typically 90 days, shorter for actively exploited issues).
  • Do not test against customer data, deployed customer endpoints, or accounts other than your own. Do not perform DoS testing.

We commit to acknowledging receipt within 2 business days, providing a triage assessment within 5 business days, and crediting reporters on the trust center where desired.

XI. CONTACT US

Security inquiries and vulnerability reports: security@runinfra.ai

Privacy and data-subject requests: privacy@runinfra.ai

Procurement and SOC 2 report requests: trust.rightnowai.co

RightNow AI, Inc.
131 Continental Dr
Newark, DE 19713
United States

© 2026 RunInfra. All rights reserved.