Security

Agent Runway handles sensitive financial data — your income, expenses, and optionally your bank transactions. Here is exactly how we protect it.

Data Encryption

All data in transit is encrypted using TLS 1.3. Every connection between your browser and Agent Runway's servers is protected in transit; note that this is transport encryption, not end-to-end encryption, since our servers must decrypt your data to process it.

All data at rest is encrypted using AES-256 via Supabase's managed encryption layer. This applies to all tables — your transactions, expenses, pipeline deals, settings, and any imported bank transaction data.

Row-level security (RLS) is enforced at the database level on all 10 tables. Every query made with a user's session is scoped to that user's own rows, so your data cannot be returned to another user even if application code omits a filter (an application logic error).
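The RLS mechanism described above, as an added example that is not Agent Runway's own schema or policies. It runs on plain Postgres: the table, column and setting names (expenses, user_id, app.user_id) and the helper current_user_id() are assumptions for illustration. On Supabase the policy would use the built-in auth.uid(), which reads the user id from the session's JWT, in place of the helper.

```sql
-- Added example, not Agent Runway's schema. Table, columns, the
-- app.user_id session setting and current_user_id() are assumptions.

create table expenses (
  id       bigserial primary key,
  user_id  uuid not null,
  amount   numeric(12,2) not null,
  memo     text
);

-- Turn RLS on, and FORCE it so the table owner is subject to the
-- policies as well (owners and superusers bypass RLS by default).
alter table expenses enable row level security;
alter table expenses force row level security;

-- Stand-in for Supabase's auth.uid(): read the caller's id from a
-- session setting. The `true` argument makes a missing setting return
-- NULL (or '' after RESET) instead of raising, and nullif turns '' into
-- NULL, so an unauthenticated session matches no rows at all.
create function current_user_id() returns uuid
  language sql stable
  as $$ select nullif(current_setting('app.user_id', true), '')::uuid $$;

-- One policy for all commands. USING filters reads/updates/deletes to
-- the caller's rows; WITH CHECK rejects inserts or updates that would
-- place a row under someone else's user_id.
create policy expenses_owner on expenses
  for all
  using (user_id = current_user_id())
  with check (user_id = current_user_id());

-- Constructed sample data for two users, each inserted in its own session.
set app.user_id = '11111111-1111-1111-1111-111111111111';
insert into expenses (user_id, amount, memo)
  values ('11111111-1111-1111-1111-111111111111', 42.00, 'alice lunch');

set app.user_id = '22222222-2222-2222-2222-222222222222';
insert into expenses (user_id, amount, memo)
  values ('22222222-2222-2222-2222-222222222222', 17.50, 'bob coffee');

-- Bob's session: a query with no WHERE clause (the "application logic
-- error" case) is still filtered by the USING clause to Bob's row only.
select memo from expenses;

-- Bob attempting to write a row into Alice's account is rejected by
-- the WITH CHECK clause with a row-level security policy violation.
insert into expenses (user_id, amount, memo)
  values ('11111111-1111-1111-1111-111111111111', 1.00, 'planted');

-- No session at all: the setting is unset, current_user_id() is NULL,
-- and the comparison is never true, so the count is zero.
reset app.user_id;
select count(*) from expenses;
```

Run it with psql as the table's owner. FORCE ROW LEVEL SECURITY is what makes the owner subject to the policy, which the demonstration needs and which also matters in production: a role with the BYPASSRLS attribute (or, on Supabase, the service role) sees every row regardless of policy, so credentials for such roles must stay server-side.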

Bank Account Security (Plaid)

Agent Runway offers an optional bank sync feature powered by Plaid Technologies, Inc., a regulated financial data aggregator used by thousands of financial applications. This feature is entirely optional — Agent Runway works fully without it.

Your banking credentials (username, password, MFA codes) are never seen by Agent Runway. They are entered directly into Plaid's encrypted interface and never transmitted to our servers.

Agent Runway receives read-only access to your transaction history and the account balances that Plaid returns alongside it. We cannot initiate transfers, move funds, or modify your account.

Plaid access tokens are stored only in our server-side encrypted database and are never exposed to client-side code or the browser. In Plaid's Link flow the browser receives only a short-lived public token; our server exchanges it for the long-lived access token, so the access token never passes through the client.

You can disconnect your bank account at any time from Settings → Bank Connections. Disconnecting immediately revokes Plaid's access to your financial institution and permanently deletes your access tokens from our systems.

Plaid holds SOC 2 Type II and ISO 27001/27701 certifications. Their security posture is independently audited. Plaid Security →

Payment Security (Stripe)

All subscription payments are processed by Stripe, Inc., a PCI DSS Level 1 certified payment processor — the highest level of PCI compliance available.

Agent Runway never sees, stores, or transmits your full card number, CVV, or expiry date. Card details are entered directly into Stripe's encrypted, hosted payment fields. Stripe tokenizes your card and returns only a non-sensitive payment method ID to our system.

Agent Runway complies with PCI DSS SAQ A — the self-assessment tier that applies when all cardholder data functions are fully outsourced to a PCI-validated third party and card data never touches our servers.

Stripe Security →

Infrastructure & Access Controls

Agent Runway is hosted on Supabase, using Amazon Web Services in the ca-central-1 (Canada) region. Your data is stored in Canada.

Access to production systems is restricted to authorized personnel only via multi-factor authentication. We follow the principle of least privilege — access is limited to what is required for each role.

Authentication is handled by Supabase Auth. The default sign-in method is a passwordless magic link sent to your email address; where a password is used, Supabase Auth stores only a bcrypt hash of it, never the plaintext. Because a magic link grants access to whoever can read your inbox, we recommend protecting your email account with multi-factor authentication.

All API routes are protected by session verification on the server. Unauthenticated requests to protected endpoints return 401 and are logged. We monitor for anomalous access patterns.

Data Privacy

Agent Runway complies with Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) and Quebec's Law 25.

We do not sell your data. Your business data, transaction history, and bank transaction data are not used for advertising, sold to third parties, or used to train AI or machine-learning models.

You can request a copy of your data, correction of inaccuracies, or complete account deletion at any time by emailing privacy@agentrunway.ca. Account deletion removes all personal and business data within 30 days, except records we are required to retain by law.

See our full Privacy Policy for details.

Breach Response

In the event of a data breach that creates a real risk of significant harm to any user, Agent Runway will:

  • Notify affected users as soon as feasible following confirmation of the breach
  • Report to the Office of the Privacy Commissioner of Canada as required under PIPEDA
  • Provide a description of the breach, data involved, steps taken, and recommendations for affected users
  • Engage appropriate security expertise to contain and remediate the incident

Vulnerability Disclosure

If you discover a security vulnerability in Agent Runway, please report it responsibly. We take all security reports seriously and commit to:

  • Acknowledging your report within 48 hours
  • Keeping you informed of our investigation progress
  • Resolving confirmed vulnerabilities within 30 days where feasible
  • Not pursuing legal action against researchers who act in good faith

Please do not publicly disclose a vulnerability before we have had a reasonable opportunity to investigate and remediate it. Do not access, modify, or exfiltrate user data as part of security research.

Report a vulnerability

Email: security@agentrunway.ca

Please include a description of the vulnerability, steps to reproduce, and your assessment of the impact.

Questions about our security practices? security@agentrunway.ca