Enterprise Compliance & Audits

RuntimeHQ Security Philosophy

RuntimeHQ is built for operational reliability during outages and maintenance events affecting customer-facing applications. The platform prioritizes calm, predictable, and secure operational behavior during high-pressure production events.

✓ Secure state delivery
✓ Append-only audits
✓ Production-safe workflows

Infrastructure & Hosting

Cloud Infrastructure

  • Hosted on enterprise-grade cloud infrastructure providers
  • Production infrastructure isolated from non-production environments
  • Infrastructure designed for high operational availability
  • Runtime-state APIs optimized for low-latency delivery

Geographic Hosting

  • Primary infrastructure region strategy defined during onboarding
  • Future support planned for regional deployment preferences and data residency requirements

Operational Availability Goals

  • Runtime-state APIs designed for high availability
  • Operational control systems monitored continuously
  • Recovery-oriented infrastructure philosophy

Encryption & Network Security

Transport Security

  • HTTPS/TLS enforced across all public endpoints
  • Secure API transport required for all integrations
  • Modern TLS standards applied to external communication

Encryption At Rest

  • Application data encrypted at rest
  • Operational metadata encrypted using managed infrastructure security controls
  • Backup encryption practices applied where supported

Credential Handling

  • Passwords stored using industry-standard hashing algorithms
  • API keys securely generated and isolated per environment
  • Sensitive credentials never exposed in operational logs

Authentication & Access Control

Access & Session Rules

Reliable Incident Access

Email/password authentication is supported, alongside secure magic-links as a secondary login method to ensure SREs maintain access during external SSO degradations.

Organizational Limits

Access is strictly restricted to onboarded organizations only. The MVP operates a simplified Org-wide Operational Admin model, where authorized admins can invite additional admins within verified domains.

Session Management

Secure session expiration and token handling are strictly enforced, alongside operational login activity audits.

Future Identity Roadmap

We are actively scheduling enterprise identity federation integrations on our roadmap:

  • Okta SSO
  • Microsoft Entra ID
  • Google Workspace
  • SAML / OpenID

Auditability & Operational Logging

Operational Audit Logging

RuntimeHQ maintains a comprehensive, audit-ready operational history of actions:

  • Incident activations
  • Incident resolutions
  • Maintenance schedules
  • State modifications
  • Message custom updates
  • Application target shifts
  • Admin operations

Immutable Operational History

  • Operational history is designed to be append-only where possible
  • Actor identities and absolute timestamps are preserved for COE reconstruction

Timestamp Standards

  • All timestamps are recorded internally as UTC in the database
  • The UI displays timestamps in the organization's local time

Runtime Safety Controls

Environment Separation

  • Production and non-production API keys are strictly separated
  • Non-production runtime state testing is isolated from production triggers
  • Safe workflows prevent accidental production incident activations

Engine Protections

  • Deterministic runtime-state resolution model
  • Most severe operational state wins during conflicts
  • Runtime-state propagation controlled centrally

Concurrency Protection

  • Optimistic concurrency controls protect active incidents against overwrites
  • Designed to facilitate simultaneous multi-admin incident mitigations

Data Management

Retention Principles

Operational histories are retained for audit. Archived apps are preserved to protect audit timeline integrity.

Backup Strategy

Periodic, encrypted backups are executed, and recovery procedures are operationally verified.

Disaster Recovery

Recovery-oriented design ensures continuous edge delivery of runtime states during major cloud incidents.

Privacy & Data

Minimal Data Philosophy

We only collect app identifiers, operational messages, and runtime states. We do not ingest customer end-user PII.

GDPR Readiness Goals

Full support for access workflows, customer deletion request handling, and data privacy operations.

Data Residency

Regional database hosting preferences and isolated storage pools are defined on our roadmap.

Vulnerabilities

Responsible Disclosure

We encourage security researchers to coordinate reports on authentication, credentials, and state vulnerabilities.

Process & Response

Reports are reviewed promptly, and coordinated mitigations are managed diligently based on operational triage severity.

Security Contact

[email protected]

Operational Reliability

Availability Target: Standard API target is 99.9% availability. Edge node groups are continuously monitored to ensure dependability.

Incident Response Philosophy: The delivery mechanism is designed to remain operationally isolated and fully functional even when central command dashboards undergo database mitigations.

Maintenance Policy: Production-impacting maintenance events are avoided where possible, with mandatory notifications delivered in advance.

Future Security Roadmap

  • SSO/SAML integration
  • Role-based access control
  • Audit log exporting
  • Customer-managed retention
  • Advanced permissions
  • Regional deployments

FAQ

Trust & Security FAQ

Review disclosures regarding transport encryption, data isolation, and our minimal PII footprint strategy.

Is RuntimeHQ secure for enterprise operational workflows?
RuntimeHQ is designed with operational security controls including HTTPS/TLS encryption, audit logging, environment isolation, and access protections.

Does RuntimeHQ encrypt data at rest?
Yes. RuntimeHQ infrastructure encrypts operational data at rest where supported by infrastructure providers.

Does RuntimeHQ support HTTPS and TLS?
Yes. RuntimeHQ uses HTTPS/TLS encryption for dashboard access, APIs, and operational communication.

Where is RuntimeHQ hosted?
RuntimeHQ infrastructure may be hosted on Amazon Web Services (AWS), including infrastructure hosted in the United States unless otherwise agreed.

Does RuntimeHQ support SSO?
SSO support is planned for future phases, including Microsoft and Okta-based authentication support.

Does RuntimeHQ maintain operational audit logs?
Yes. RuntimeHQ maintains immutable operational audit history for incidents, maintenance windows, runtime-state changes, and operational actions.

Can RuntimeHQ customers choose hosting regions?
Regional hosting flexibility is available for enterprise customers during onboarding.

Does RuntimeHQ store customer end-user personal data?
RuntimeHQ is designed primarily for operational runtime-state infrastructure and does not intentionally require customer end-user personal data.

Does RuntimeHQ support environment isolation?
Yes. RuntimeHQ supports production and non-production API key separation.

Architecture Review

Secure runtime-state control for your platforms

Schedule a dedicated security and architecture review with our reliability engineering team. Let's evaluate safe integration practices.

Book technical discussion

No sales pitch. Connect directly with our platform SREs to evaluate integration feasibility.

Recommended Context

To help us prepare for our discussion, please share some context on your current outage banner workflow, such as:

  • Hardcoded banner deployments
  • Toggling CMS content manually
  • Editing feature flags during active incidents