Data Security and Privacy Policies
Last Updated: July 2025
At RunWhen, we build AI-powered Site Reliability Engineering tools designed to help modern teams detect, triage, and remediate issues across complex cloud environments. Our platform is architected to focus on infrastructure and application telemetry.
This privacy policy outlines what limited information we handle, how it is secured, and the principles that guide our approach.
Our Approach to Privacy
We design systems to minimize data collection. RunWhen does not collect or process customer application data, end-user content, or personal information beyond what is strictly necessary to provide secure access to our platform.
We do not use customer data for advertising, profiling, or third-party analytics.
Data We Handle
The vast majority of data processed by RunWhen falls into one of the following categories:
Automation source code: executable code (Python/Bash) designed to observe and remediate production systems, scrubbed of any environment-specific configuration
System metadata used in configuration: information about cloud resources, configuration, logs, metrics, and alerting signals
Automation output: results from infrastructure checks or remediation steps performed by our platform
Automation output metadata: Metadata about the output above, e.g. whether the check determined systems were healthy.
More details about these data types and how they are handled are available here.
Data Security
Security is a core design pillar at RunWhen. All customer data — including metadata and automation artifacts — is protected with:
Encryption in transit and at rest
Fine-grained, role-based access control
Audit logging and anomaly detection
Segmentation by customer and by customer “workspace” (team within a customer)
More detail is available in our Secure-By-Design Principles documentation here.
What We Don’t Do
We do not collect or process customer end-user data.
We do not share or resell any customer data.
We do not have access to run arbitrary code or commands in a customer's cloud environment from our SaaS service.
To avoid any ambiguity, we note that as part of an enterprise single sign-on (SSO) system, we are given access to the name and email address of our customers' employees who are active users of RunWhen. This data is used solely to provision secure access to the RunWhen platform and is never shared or repurposed.
Data Access and Control
Enterprise customers maintain full control over:
Which automations are enabled
What automation output is sent to RunWhen
Who has access to the workspace
Data Deletion
The company is committed to respecting data minimization principles and supporting customers in managing the lifecycle of operational data. While the platform is not designed to store long-term customer data, we recognize the importance of timely data disposal as part of good governance and evolving regulatory frameworks.
RunWhen implements commercially reasonable, best-effort processes to delete customer workspace data upon request or following prolonged inactivity. Deletion requests can be submitted by authorized workspace administrators, and data may also be automatically removed following the end of a contract or extended period of inactivity.
The company conducts periodic reviews to identify inactive workspaces and may remove associated metadata in accordance with internal data hygiene practices, in lieu of a universal retention schedule across all data categories, with a goal of continued refinement of deletion workflows to align with customer expectations and applicable privacy standards.
Compliance and Monitoring
RunWhen monitors global privacy and data security regulations and regularly reviews its practices for alignment with industry standards.
We monitor changes in global privacy and data protection laws (such as GDPR, CCPA, and evolving cloud regulatory standards) and assess their applicability to our platform and practices. Updates are incorporated into internal policies, training, and customer-facing documentation as needed.
We provide data processing agreements (DPAs), audit reports, and subprocessor lists upon request for customers with compliance requirements.
Responsibility for privacy and data protection at RunWhen is assigned to our Security and Compliance Team, which includes designated individuals responsible for overseeing adherence to applicable laws, internal standards, and contractual obligations. The team reports to company leadership and coordinates regularly with product and engineering stakeholders.
Data Transfer Across Regions
We do not transfer data across regions unless explicitly configured by the customer. Where applicable, we support data hosting in specific geographic regions and can execute Data Processing Agreements (DPAs) and Standard Contractual Clauses (SCCs) on request.
Privacy Awareness & Training
All RunWhen employees, including engineers, support staff, and contractors, receive annual training on data protection, privacy principles, and secure development practices. We require subprocessors to commit contractually to privacy-aware practices and verify they provide appropriate privacy and security training to their personnel.
Contact
For any privacy-related questions or requests:
RunWhen Security & Compliance Team
security-and-compliance@runwhen.com