Compliance

Is Runnex SOC2 Compliant?

Runnex is not yet SOC2 compliant, but we plan to start the process this year. While we cannot provide a specific timeline, please email us at support@ctrlplane.dev to express your interest, and we will notify you when we achieve SOC2 compliance.

Security Measures

Data Isolation and Protection

Runnex uses virtual machines (VMs) to securely isolate your data from other users. Specifically, we use KVM, a trusted VM technology built into the Linux kernel and utilized by millions of developers worldwide. We also implement strict rules around authentication, encryption, and other security measures to prevent unauthorized access to our systems.

GitHub Runner One-Time Token Authentication

To authenticate GitHub’s self-hosted runners and ensure secure workflow execution, Runnex uses one-time tokens for each job. These tokens are valid only for a single execution and are automatically removed from the repository, organization, or enterprise afterward, minimizing security exposure.

Trusting Runnex with Your Data

To protect your data, Runnex employs several security measures:

  • Your data is stored on our secure servers
  • All communication is encrypted
  • Access to our servers is strictly controlled and audited
  • Your code is never saved on our servers after a job is completed

We pledge to keep your code secret and not access it ourselves. Your code will never be sold, and we understand that earning your trust is an ongoing process.

Data Separation from Other Users

Our use of KVM-based virtual machines ensures that your data remains separate from other users’ data. Our strict security measures prevent unauthorized individuals from observing or accessing your data.

Log Retention

We retain metadata logs containing information about CI jobs, including the initiator, start time, duration, and selected hardware. This data helps us understand our business performance over time.

Data Storage After Job Completion

We do not store your code and secrets after a job is completed.

GitHub App Permissions and Visibility

Runnex requires specific GitHub app permissions to function properly and provide seamless CI/CD integration. Our GitHub app needs read and write access to:

  • Actions
  • Workflows
  • Code
  • Pull requests
  • Checks
  • Self-hosted runners

These permissions allow us to properly execute workflows and provide debugging support when needed.

When a job is triggered through events like push, pull_request, or workflow_dispatch, our control plane receives a webhook from GitHub containing essential metadata:

  • Repository name
  • Sender information
  • Workflow name
  • Job name

Upon job completion, we receive a final webhook with:

  • Job status
  • Status of each step
  • Step names
  • Duration of each step

This information helps us monitor job execution and provide support when needed, while maintaining our commitment to data privacy and security.
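As an added illustration (not Runnex's code), the sketch below shows a receiver that checks GitHub's `X-Hub-Signature-256` header and then keeps only the metadata fields listed above, discarding the rest of the payload. It assumes the deliveries are GitHub's `workflow_job` event and that a webhook secret is configured; the function names, secret and sample payload are constructed for this example.

```python
import hashlib, hmac, json
from datetime import datetime

def verify_signature(secret: bytes, body: bytes, header: str) -> bool:
    """GitHub signs the raw request body with HMAC-SHA256 of the webhook secret."""
    expected = "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected.encode(), (header or "").encode())

def _seconds(start, end):
    if not start or not end:
        return None  # step was skipped or has not finished
    ts = lambda s: datetime.fromisoformat(s.replace("Z", "+00:00"))
    return (ts(end) - ts(start)).total_seconds()

def minimal_job_record(secret: bytes, body: bytes, header: str) -> dict:
    """Reject unsigned or tampered deliveries, then keep only the listed metadata."""
    if not verify_signature(secret, body, header):
        raise PermissionError("webhook signature mismatch")
    event = json.loads(body)
    job = event["workflow_job"]
    record = {
        "repository": event["repository"]["full_name"],
        "sender": event["sender"]["login"],
        "workflow": job.get("workflow_name"),
        "job": job["name"],
    }
    if event["action"] == "completed":  # final webhook: add status and steps
        record["status"] = job.get("conclusion")
        record["steps"] = [
            {"name": s["name"], "status": s.get("conclusion"),
             "seconds": _seconds(s.get("started_at"), s.get("completed_at"))}
            for s in job.get("steps", [])
        ]
    return record

# Constructed sample delivery; the secret is a placeholder, not a real value.
SECRET = b"example-webhook-secret"
BODY = json.dumps({
    "action": "completed",
    "repository": {"full_name": "example-org/example-repo", "private": True},
    "sender": {"login": "octocat", "id": 1},
    "workflow_job": {
        "name": "build", "workflow_name": "CI", "conclusion": "success",
        "head_sha": "0000000", "run_url": "https://example.invalid/run",
        "steps": [
            {"name": "Checkout", "conclusion": "success",
             "started_at": "2024-01-01T10:00:00Z", "completed_at": "2024-01-01T10:00:05Z"},
            {"name": "Test", "conclusion": "success",
             "started_at": "2024-01-01T10:00:05Z", "completed_at": "2024-01-01T10:01:05Z"},
        ],
    },
}).encode()
SIGNATURE = "sha256=" + hmac.new(SECRET, BODY, hashlib.sha256).hexdigest()
```

Fields such as `head_sha` and `run_url` in the sample never reach the stored record, and a delivery whose body was altered after signing is rejected before any parsing happens.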