
Data Security and Privacy Policies

Last Updated: July 2025

At RunWhen, we build AI-powered Site Reliability Engineering tools designed to help modern teams detect, triage, and remediate issues across complex cloud environments. Our platform is architected to focus on infrastructure and application telemetry.

This privacy policy outlines what limited information we handle, how it is secured, and the principles that guide our approach.


Our Approach to Privacy

We design systems to minimize data collection. RunWhen does not collect or process customer application data, end-user content, or personal information beyond what is strictly necessary to provide secure access to our platform.

We do not use customer data for advertising, profiling, or third-party analytics.


Data We Handle

The vast majority of data processed by RunWhen falls into one of the following categories:

  • Automation source code: executable code (python/bash) designed to observe and remediate production systems, scrubbed of any environment-specific configuration

  • System metadata used in configuration: information about cloud resources, configuration, logs, metrics, and alerting signals

  • Automation output: results from infrastructure checks or remediation steps performed by our platform

  • Automation output metadata: Metadata about the output above, e.g. whether the check determined systems were healthy.

More details about these data types and how they are handled are here.


Data Security

Security is a core design pillar at RunWhen. All customer data — including metadata and automation artifacts — is protected with:

  • Encryption in transit and at rest

  • Fine-grained, role-based access control

  • Audit logging and anomaly detection

  • Segmentation by customer and by customer “workspace” (team within a customer)

More detail is available in our Secure-By-Design Principles documentation here.


What We Don’t Do

  • We do not collect or process customer end-user data.

  • We do not share or resell any customer data.

  • We do not have access to run arbitrary code or commands in a customer's cloud environment from our SaaS service.

To avoid any ambiguity, we note that as part of an enterprise single sign-on (SSO) system, we are given access to the name and email address of our customers' employees who are active users of RunWhen. This data is used solely to provision secure access to the RunWhen platform and is never shared or repurposed.

Data Access and Control

Enterprise customers maintain full control over:

  • Which automations are enabled

  • What automation output is sent to RunWhen

  • Who has access to the workspace


Data Deletion

The company is committed to respecting data minimization principles and supporting customers in managing the lifecycle of operational data. While the platform is not designed to store long-term customer data, we recognize the importance of timely data disposal as part of good governance and evolving regulatory frameworks.

RunWhen implements commercially reasonable, best-effort processes to delete customer workspace data upon request or following prolonged inactivity. Deletion requests can be submitted by authorized workspace administrators, and data may also be automatically removed following the end of a contract or extended period of inactivity.

The company conducts periodic reviews to identify inactive workspaces and may remove associated metadata in accordance with internal data hygiene practices, in lieu of a universal retention schedule across all data categories. The goal is continued refinement of deletion workflows to align with customer expectations and applicable privacy standards.


Compliance and Monitoring

RunWhen monitors global privacy and data security regulations and regularly reviews its practices for alignment with industry standards.

We monitor changes in global privacy and data protection laws (such as GDPR, CCPA, and evolving cloud regulatory standards) and assess their applicability to our platform and practices. Updates are incorporated into internal policies, training, and customer-facing documentation as needed.

We provide data processing agreements (DPAs), audit reports, and subprocessor lists upon request for customers with compliance requirements.

Responsibility for privacy and data protection at RunWhen is assigned to our Security and Compliance Team, which includes designated individuals responsible for overseeing adherence to applicable laws, internal standards, and contractual obligations. The team reports to company leadership and coordinates regularly with product and engineering stakeholders.


Data Transfer Across Regions

We do not transfer data across regions unless explicitly configured by the customer. Where applicable, we support data hosting in specific geographic regions and can execute Data Processing Agreements (DPAs) and Standard Contractual Clauses (SCCs) on request.


Privacy Awareness & Training

All RunWhen employees, including engineers, support staff, and contractors, receive annual training on data protection, privacy principles, and secure development practices. We require subprocessors to commit contractually to privacy-aware practices and verify they provide appropriate privacy and security training to their personnel.


Contact

For any privacy-related questions or requests:

RunWhen Security & Compliance Team

security-and-compliance@runwhen.com
