Purpose
This document outlines RunWhen’s practical approach to Segregation of Duties (SoD). While the company operates with a small team, SoD principles are observed to minimize risk, prevent conflicts of interest, and ensure accountability in key technical and operational processes.
Scope
This policy applies to all members of the RunWhen team who participate in product development, infrastructure operations, production deployments, or financial decision-making.
Current Controls
- Code Review and Deployment
  All production code changes are made via GitHub pull requests and require peer review and approval before merge. Only reviewed code is eligible for deployment via CI/CD pipelines.
- CI/CD Pipeline Protections
  Modifications to deployment automation and infrastructure-as-code are also made via GitHub pull requests and are reviewed by another engineer before changes are applied.
- Access Control
  Access to production systems is restricted to a limited group from customer support and DevOps. New access requests must be approved by a second team member and are logged. Note that access to production systems does not grant access to enterprise data that is stored as part of the enterprise's Workspace on RunWhen. Access to Workspace data must be explicitly approved by the customer by adding RunWhen personnel to the Workspace with appropriate permissions.
- Customer Billing Data Access
  Access to sensitive customer billing / financial data is limited to specific roles and reviewed periodically.
Contact
For questions regarding this policy, please contact security@runwhen.com.