Security

We take security seriously.

RuntimeGuard is a security product, so we hold ourselves to a high standard when it comes to protecting your data, your infrastructure, and the trust you place in us.

Security posture
How we protect your data
Security is not an afterthought at RuntimeGuard. These are the practices and controls we have in place.
Encryption in transit

All data between your agents and our API is encrypted using TLS 1.3. We enforce HTTPS on all endpoints. Plaintext connections are rejected. API keys are transmitted via secure headers, never in query strings.

Encryption at rest

Event data and incident records are stored in encrypted volumes. Database-level encryption is applied to all sensitive fields including API keys (stored as bcrypt hashes) and tenant credentials.

Authentication & access control

Every API request requires a valid API key scoped to a single tenant. Admin operations require a separate admin secret. Rate limiting (100 req/min) prevents brute-force and abuse. Keys can be revoked instantly from the dashboard.

๐Ÿข

Multi-tenant isolation

Each tenant's data is fully isolated at the storage layer. Tenant IDs are validated server-side on every operation. It is architecturally impossible for one tenant to query another's events or incidents.

Minimal data collection

The eBPF agent collects only what is necessary for detection: process names, file paths, event timestamps, and PIDs. It does not collect file contents, memory dumps, network traffic, or credentials. You always own your data.

eBPF safety

eBPF programs are verified by the Linux kernel before execution. They cannot crash the kernel, cannot access arbitrary memory, and are restricted to the specific tracepoints they are attached to. The agent requires root to load eBPF, but runs with minimal capabilities thereafter.

Data & compliance
Data handling practices
We are committed to responsible data handling and are working towards formal compliance certifications.
Event data is processed and stored within the EU (Netherlands).
Data retention is configurable per tenant; the default is 90 days for events and 1 year for incidents.
You can request a full data export or deletion at any time by contacting support.
We do not sell, share, or use customer data for any purpose other than providing the service.
We do not use customer event data for ML training, benchmarking, or product analytics without explicit consent.
Subprocessors are limited to infrastructure providers (cloud hosting, email) with appropriate DPAs in place.
SOC 2 Type II and ISO 27001 certifications are on our 2026 roadmap.
Responsible disclosure
Found a vulnerability?
We welcome responsible security research. If you have found a potential vulnerability in RuntimeGuard, please tell us before disclosing it publicly. We commit to a fair and transparent process.

How to report

Send a detailed report to our security team. Include a description of the vulnerability, steps to reproduce, potential impact, and any proof-of-concept code you have developed. We will acknowledge receipt within 24 hours.

Contact:

For sensitive disclosures, request our PGP key in your initial message and we will respond with an encrypted channel.

Response timeline
Severity | Description | Response SLA
Critical | Remote code execution, authentication bypass, full tenant data exposure | 24 h
High | Partial data exposure, privilege escalation within a tenant | 72 h
Medium | Information disclosure, rate limit bypass, CSRF on non-critical actions | 7 days
Low | Hardening improvements, low-impact findings | 30 days
Our commitments to researchers
Step 1: Acknowledgement

We will acknowledge your report

Within 24 hours of your report we will send you a confirmation that it has been received and is being reviewed by our security team.

Step 2: Assessment

We will triage and assess severity

We assess the validity and severity of the finding. We will communicate our assessment to you and discuss any questions we have about reproduction or impact.

Step 3: Remediation

We will fix and deploy a patch

Our team will develop and deploy a fix within the SLA for the severity level. We will notify you when the fix is live and provide the opportunity to verify the patch.

Step 4: Disclosure

We support coordinated public disclosure

After the fix is deployed, we are happy to support a coordinated public disclosure at a time agreed with the researcher. We will credit you in our security advisory unless you prefer to remain anonymous.

Always

No legal action for good-faith research

We commit to not pursuing legal action against researchers who discover and report vulnerabilities in good faith, without accessing customer data or causing service disruption.

Scope
What is in scope

In scope

api.runtimeguard.io - backend REST API
app.runtimeguard.io - dashboard web app
runtimeguard.io - marketing website
The open-source eBPF agent binary
Authentication and session handling
Tenant data isolation

Out of scope

✗ Denial of service attacks
✗ Physical attacks on infrastructure
✗ Social engineering of staff
✗ Accessing or modifying other customers' data
✗ Automated scanning without coordination

Questions about our security?

Contact our team directly. We respond to all security-related enquiries promptly.