Data We Process
Runplane processes the following data when evaluating tool execution requests via the SDK:
- Decision request metadata (actionType, target, context fields you choose to send)
- Decision outcomes (ALLOW, BLOCK, REQUIRE_APPROVAL)
- Approval and audit event metadata
- Agent identifiers and organization context
Data We Do Not Need
Runplane does not require access to:
- Secrets, credentials, or API keys
- Full payload contents beyond what you choose to send for policy evaluation
- User personal data unrelated to governance decisions
We recommend redacting sensitive values from context fields before sending decision requests. Only include the minimum information necessary for policy evaluation.
Encryption
In Transit: All data transmitted to and from Runplane is encrypted using TLS 1.2 or higher. API endpoints enforce HTTPS connections.
At Rest: Stored data is encrypted at rest using industry-standard encryption methods. Database backups are also encrypted.
Access Controls
Runplane implements the following access controls:
- Principle of least privilege for internal systems access
- Role-based access within organizations (owner, admin, viewer)
- Admin-only access to approval queues and audit views
- Token-based SDK authentication with per-agent keys
- SDK keys can be rotated at any time from the dashboard
Retention
Decision logs and audit records are retained for governance and compliance purposes. Retention periods vary by plan configuration. Contact support for specific retention details applicable to your account.
After account cancellation, data is retained for 30 days to allow for reactivation, then permanently deleted.
Responsible Disclosure
If you discover a security vulnerability in Runplane, please report it responsibly:
Email: support@runplane.ai
Please include:
- Steps to reproduce the vulnerability
- Potential impact assessment
- Any supporting evidence (screenshots, logs)
We will acknowledge receipt within 48 hours and work with you to understand and address the issue promptly.