Security & Trust

The security behind your team’s AI brain.

Security posture at a glance

Built secure, by design.

SOC 2 Type I

Independently attested, unqualified opinion.*

SOC 2 Type II

In progress.

Single-tenant by design

Every organization gets its own dedicated VM and encrypted storage volume.

Encrypted end to end

TLS 1.2+ in transit, AES-256 at rest with Azure-managed keys.

*Attested by MNP LLP, an independent CPA firm, with an unqualified opinion on control design as of January 1, 2026.

The architecture

Your data lives on a computer that’s yours alone.

Runneth gives each organization its own dedicated virtual machine with a single-tenant storage volume attached to it.

Data reaches that machine only through access you grant, and it stays inside your own isolated environment.

One organization. One machine. No shared tenancy.
▾ your-organization /vm
🔒 storage-volume # single-tenant, AES-256 at rest
📄 brand_context.md
📄 customer_voice.md
▾ /integrations # OAuth scopes you grant
👤 access # authenticated users of your org only

Connected on your terms

Every integration runs on permissions you grant.

Every connection is authorized by you and scoped by OAuth permissions, explicit sharing, or the API-key access level you control, and any of them can be revoked at any time.

Runneth
NotionGoogle DriveSlackHubSpotMetaTikTokAsana
Scoped access. Revoke any integration at any time.

How a connection actually works

1
An authorized user in your organization connects, or asks us to connect, a third-party integration they already have access to.
2
That integration exposes files or data to Runneth only through explicit sharing, OAuth scopes and permissions, or API-key access level.
3
Shared data may be saved on your VM when the agent needs it to do the work, or when you direct it to be saved.
4
Data from custom integrations is stored only on your dedicated, single-tenant storage volume attached to your organization’s own VM.
5
That volume is encrypted at rest with Azure-managed keys, and the VM only allows access to authenticated and authorized users of your organization.
6
Saved data is retained for the lifetime of your Motion account unless a user directs it to be deleted.

Data handling

What Runneth does. What it never does.

Does

Encrypts everything
TLS 1.2+ in transit, AES-256 at rest, and secrets held in Azure Key Vault.
Connects through your permissions
Access is scoped by OAuth permissions, explicit sharing, or the API-key access level you grant.
Isolates every organization
A dedicated single-tenant VM and encrypted storage volume per organization.
Deletes on request
A user can direct full deletion of saved data at any time.

Does not

Train models on your data
Runneth runs on existing third-party foundation models and adheres to their terms, all of which state your data is not used for training.
Mix tenants
No shared storage and no cross-organization access between customers.
Access and authentication

Only the right people, with the least access they need.

Authentication

Google OAuth 2.0 / OIDC today. SAML 2.0 on the roadmap.

Multi-factor authentication

Enforced for all internal staff and all privileged and production access.

Role-based access

Least-privilege RBAC with unique IDs and no shared accounts.

Credential hygiene

Company-wide password manager mandated, with quarterly privileged-access reviews.

Security you can review

Trust it because you checked, not because we asked.

SOC 2 Type I attestedSingle-tenant VM per organizationEncrypted in transit and at restNever trains on your data
FAQ

The questions we get most.

How is our data encrypted?

TLS 1.2+ in transit and AES-256 at rest with Azure-managed keys; secrets in Azure Key Vault. Hosted in Microsoft Azure, Canada Central. Network protected by Azure Firewall, WAF, and Cloudflare, with per-environment virtual networks and segmentation.

Do you support SSO?

Google OAuth 2.0 / OIDC today. SAML 2.0 on the roadmap.

Is MFA enforced?

2FA can optionally be enabled on your account by an admin.

How is access controlled?

Least-privilege RBAC, unique IDs, no shared accounts; privileged access reviewed quarterly.

Where is our data hosted?

Microsoft Azure, Canada Central. Processing spans Canada and the US. PIPEDA applies.

What data does Runneth process, and how is PII handled?

No PII is handled through advertising platforms. For integrations, an authorized user in your organization connects, or asks us to connect, a third-party integration they already have access to. That integration exposes files or data to Runneth only through explicit sharing, OAuth scopes and permissions, or API-key access level. Shared data may be saved on your VM when the agent needs it to do the work, or when you direct it to be saved. Data from custom integrations is stored only on your dedicated, single-tenant storage volume attached to your organization’s own VM. That volume is encrypted at rest with Azure-managed keys, and the VM only allows access to authenticated and authorized users of your organization. Saved data is retained for the lifetime of your Motion account unless a user directs it to be deleted.

Are you SOC 2 certified?

Runneth has a SOC 2 Type I attestation with an unqualified opinion as of January 1, 2026. A Type II observation period is in progress. Report under NDA.

What is your data retention and deletion policy?

While active, saved data persists. After your account is removed, data is retained for up to 18 months and then fully deleted. You can request deletion at any time.