SECURITY

How we protect your data

Last updated: April 24, 2026

Security is not a feature we add later — it is built into the architecture from day one.

Authentication

Powered by Supabase Auth (Supabase holds SOC 2 Type II certification — this is their certification, not Ruunly's). Passwords are hashed with bcrypt — we never store plaintext passwords. Business owners log in with email + password. End customers use magic links by default, eliminating password attack surface.

Database Isolation

Every tenant's data is isolated using PostgreSQL Row-Level Security (RLS). Even if someone bypassed our application layer, the database enforces that Tenant A can never see Tenant B's data. Policies are tested with automated pgTAP tests on every deploy.
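The pattern this paragraph describes, as an added example rather than Ruunly's own schema or test suite: a tenant-scoped table guarded by a Row-Level Security policy, and a pgTAP test that proves the policy holds by impersonating a user of one tenant and checking that the other tenant's rows are neither readable nor writable. It assumes a Supabase-style database in which `auth.uid()` returns the `sub` claim of the caller's JWT and the `authenticated` role exists; the table names, column names and UUIDs are constructed for the example.

```sql
-- Added example (not Ruunly's schema). Assumes Supabase's auth.uid() helper,
-- which reads the "sub" claim from the JWT in request.jwt.claims, and the
-- "authenticated" role. All identifiers and UUIDs below are constructed.

create table tenant_members (
  tenant_id uuid not null,
  user_id   uuid not null,
  primary key (tenant_id, user_id)
);

create table appointments (
  id        uuid primary key default gen_random_uuid(),
  tenant_id uuid not null,
  customer  text not null
);

-- Memberships are themselves tenant-private: a caller sees only their own rows.
alter table tenant_members enable row level security;
create policy own_memberships on tenant_members
  for select to authenticated
  using (user_id = auth.uid());
grant select on tenant_members to authenticated;

-- Deny by default. FORCE also applies the policy to the table owner, so an
-- application role that happens to own the table gains no bypass.
alter table appointments enable row level security;
alter table appointments force row level security;

-- A caller may read or write only rows of tenants they belong to. WITH CHECK
-- covers INSERT/UPDATE so a row cannot be moved into another tenant either.
create policy tenant_isolation on appointments
  for all to authenticated
  using (tenant_id in (select tenant_id from tenant_members where user_id = auth.uid()))
  with check (tenant_id in (select tenant_id from tenant_members where user_id = auth.uid()));
grant select, insert, update, delete on appointments to authenticated;

-- pgTAP test, run with pg_prove as part of the deploy. Everything rolls back.
begin;
select plan(3);

-- Constructed fixtures: two tenants, one user in each.
insert into tenant_members values
  ('11111111-1111-1111-1111-111111111111', 'aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa'),
  ('22222222-2222-2222-2222-222222222222', 'bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb');
insert into appointments (tenant_id, customer) values
  ('11111111-1111-1111-1111-111111111111', 'Tenant A customer'),
  ('22222222-2222-2222-2222-222222222222', 'Tenant B customer');

-- Impersonate user A: set the claims auth.uid() reads, then drop to the app role.
select set_config('request.jwt.claims',
  '{"sub":"aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa","role":"authenticated"}', true);
set local role authenticated;

select results_eq(
  $$ select customer from appointments order by customer $$,
  $$ values ('Tenant A customer') $$,
  'user A sees only tenant A rows');

select is_empty(
  $$ select * from appointments
     where tenant_id = '22222222-2222-2222-2222-222222222222' $$,
  'tenant B rows stay invisible even when addressed directly');

select throws_ok(
  $$ insert into appointments (tenant_id, customer)
     values ('22222222-2222-2222-2222-222222222222', 'smuggled') $$,
  '42501',
  'new row violates row-level security policy for table "appointments"',
  'user A cannot write into tenant B');

select * from finish();
rollback;
```

The third assertion is the one most often missing from RLS test suites: a `USING` clause alone hides rows but does not stop a caller from inserting a row tagged with someone else's `tenant_id`, so the test should exercise `WITH CHECK` as well as the read path.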

Payments

Payment processing is handled by Stripe (PCI DSS Level 1). Ruunly uses Stripe-hosted Checkout for subscription and payment-method collection. Card data never touches Ruunly servers. We store only the last 4 digits and card type for display purposes.

File Storage

All uploaded files are stored in Cloudflare R2. Buckets are never public: files are reachable only through time-limited presigned URLs (15 minutes for uploads, 1 hour for downloads). File types are validated server-side from the file's magic bytes (its content signature), not merely from the client-supplied extension.

Encryption

  • All data in transit: TLS 1.3 via Cloudflare
  • All data at rest: AES-256 encryption at the database layer (Supabase)
  • JWT access tokens expire after 15 minutes
  • Sensitive configuration (API keys, secrets) stored in environment variables, never in code

Shared Responsibility

Security is shared between Ruunly and each business customer. Ruunly is responsible for securing the platform infrastructure, application controls, tenant isolation, and integrations we operate. Business customers are responsible for using strong passwords, limiting staff access, protecting their devices, reviewing team permissions, configuring Stripe and messaging features lawfully, and promptly notifying Ruunly of suspected account compromise.

Compliance Posture

Ruunly uses service providers with security certifications, including Stripe for PCI DSS Level 1 payment processing and Supabase for hosted authentication and database services. These are provider certifications and do not mean Ruunly itself is certified under those frameworks.

Ruunly designs its privacy and security program to support CCPA and other U.S. privacy law obligations. CCPA is not a certification program. Ruunly can provide data processing terms and subprocessor information to business customers on request.

Incident Response

Ruunly maintains procedures to triage, investigate, contain, and remediate suspected security incidents. If Ruunly determines that a security incident requires notice under applicable law or contract, Ruunly will notify affected customers without undue delay and provide information reasonably available at the time, including the nature of the incident, affected data categories, mitigation steps, and customer actions where applicable.

Access Controls and Auditability

Ruunly restricts production access to authorized personnel and service accounts with a business need. Administrative actions are logged with user, tenant, timestamp, and action metadata. Sensitive operations, including payment configuration changes, require re-authentication and are auditable.
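One way a database can back the logging described above, as an added example that is not Ruunly's schema: an audit table carrying actor, tenant, timestamp and action metadata that application roles may append to and read, but never modify. It assumes a Supabase-style database (`auth.uid()` returns the caller's JWT `sub` claim, the `authenticated` role exists) and a `tenant_members` membership table of the shape sketched inline; all names are hypothetical.

```sql
-- Added example (not Ruunly's schema): an append-only audit trail.
-- Assumes Supabase's auth.uid() and the "authenticated" role; identifiers are
-- hypothetical. tenant_members is sketched minimally so the block runs alone;
-- in a real schema it carries its own RLS so callers see only their memberships.
create table if not exists tenant_members (
  tenant_id uuid not null,
  user_id   uuid not null,
  primary key (tenant_id, user_id)
);
grant select on tenant_members to authenticated;

create table audit_log (
  id         bigint generated always as identity primary key,
  tenant_id  uuid        not null,
  actor_id   uuid        not null,                     -- who acted
  action     text        not null,                     -- what, e.g. 'payment_config.update'
  metadata   jsonb       not null default '{}'::jsonb, -- request id, changed fields, ...
  created_at timestamptz not null default now()        -- when, set by the database
);

alter table audit_log enable row level security;
alter table audit_log force row level security;

-- Application roles may append and read; UPDATE, DELETE and TRUNCATE are never granted.
grant insert, select on audit_log to authenticated;

create policy audit_read on audit_log
  for select to authenticated
  using (tenant_id in (select tenant_id from tenant_members where user_id = auth.uid()));

-- A caller can only record actions as themselves, inside a tenant they belong to.
create policy audit_append on audit_log
  for insert to authenticated
  with check (actor_id = auth.uid()
          and tenant_id in (select tenant_id from tenant_members where user_id = auth.uid()));

-- Defence in depth: even a role that is later granted UPDATE or DELETE cannot
-- rewrite history, because the trigger rejects the statement outright.
create function audit_log_immutable() returns trigger language plpgsql as $$
begin
  raise exception 'audit_log is append-only; % rejected', tg_op;
end $$;

create trigger audit_log_no_changes
  before update or delete or truncate on audit_log
  for each statement execute function audit_log_immutable();
```

Keeping `created_at` as a database default rather than a client-supplied value means the timestamp in each entry reflects when the database recorded the action, which is what an investigator needs when reconstructing a timeline.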

Vulnerability Disclosure

Ruunly welcomes responsible vulnerability reports. Researchers must act in good faith, avoid privacy violations, avoid service disruption, avoid data destruction or exfiltration, and give Ruunly reasonable time to investigate before public disclosure. Ruunly will not pursue legal action for good-faith research that follows these rules.

Email: [email protected]
