Security

Agent Runway handles sensitive financial data — your income and expenses. Here is exactly how we protect it.

Data Encryption

All data in transit is encrypted using TLS 1.3. This covers every connection between your browser and Agent Runway's servers.

All data at rest is encrypted using AES-256 via Supabase's managed encryption layer. This applies to all tables — your transactions, expenses, pipeline deals, and settings.

Row-level security (RLS) is enforced at the database level on all 10 tables. Every query is scoped to the authenticated user — your data cannot be accessed by other users, even in the event of an application logic error.

Bank-Account Connectivity (Planned)

Bank-account connectivity is a planned future capability of Agent Runway. It is not currently offered. Agent Runway does not currently retrieve, store, or process any banking information about you.

When this capability is introduced, it will be optional, the core Service will continue to work without it, and we will update this Security page and notify users in accordance with our Privacy Policy before any banking data is collected.

Payment Security (Stripe)

All subscription payments are processed by Stripe, Inc., a PCI DSS Level 1 certified payment processor — the highest level of PCI compliance available.

Agent Runway never sees, stores, or transmits your full card number, CVV, or expiry date. Card details are entered directly into Stripe's encrypted, hosted payment fields. Stripe tokenizes your card and returns only a non-sensitive payment method ID to our system.

Agent Runway complies with PCI DSS SAQ A — the self-assessment tier that applies when all cardholder data functions are fully outsourced to a PCI-validated third party and card data never touches our servers.


Infrastructure & Access Controls

Agent Runway is hosted on Supabase, using Amazon Web Services in the ca-central-1 (Canada) region. Your data is stored in Canada.

Access to production systems is restricted to authorized personnel and requires multi-factor authentication. We follow the principle of least privilege: access is limited to what is required for each role.

Authentication is handled by Supabase Auth, using bcrypt for password hashing — passwords are never stored in plaintext. Sign-in today is email and password over TLS. Two-factor authentication is on the near-term roadmap for accounts handling client data.

All API routes are protected by server-side session verification. Unauthenticated requests to protected endpoints return HTTP 401 and are logged. We monitor for anomalous access patterns.

Data Privacy

Agent Runway complies with Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) and Quebec's Law 25.

We do not sell your data. Your business data and transaction history are not used for advertising, sold to third parties, or used to train AI or machine-learning models.

You can request a copy of your data, correction of inaccuracies, or complete account deletion at any time by emailing privacy@agentrunway.ca. Account deletion removes all personal and business data within 30 days, except records we are required to retain by law.

See our full Privacy Policy for details.

Breach Response

In the event of a data breach that creates a real risk of significant harm to any user, Agent Runway will:

  • Notify affected users as soon as feasible following confirmation of the breach
  • Report to the Office of the Privacy Commissioner of Canada as required under PIPEDA
  • Provide a description of the breach, data involved, steps taken, and recommendations for affected users
  • Engage appropriate security expertise to contain and remediate the incident

Development Practices

Our development process uses AI-assisted coding tools. These tools operate in a development environment only and have no access to production user data. We maintain strict internal policies separating development tools from user information.

Vulnerability Disclosure

If you discover a security vulnerability in Agent Runway, please report it responsibly. We take all security reports seriously and commit to:

  • Acknowledging your report within 48 hours
  • Keeping you informed of our investigation progress
  • Resolving confirmed vulnerabilities within 30 days where feasible
  • Not pursuing legal action against researchers who act in good faith

Please do not publicly disclose a vulnerability before we have had a reasonable opportunity to investigate and remediate it. Do not access, modify, or exfiltrate user data as part of security research.

Report a vulnerability

Email: security@agentrunway.ca

Please include a description of the vulnerability, steps to reproduce, and your assessment of the impact.

Questions about our security practices? security@agentrunway.ca
