Security
RunwayCtrl is designed to govern tool writes while minimizing data capture.
Security posture is evolving during preview; defaults are conservative.
Data minimization by default
- Metadata-first by default.
- Receipts (attempt records) are the audit trail for governed actions.
- Payload capture is optional and purpose-limited (when enabled).
- Least-privilege access to tools.
Captured by default (metadata)
- Attempt metadata: action_key, integration, actor identifier (no personal details), environment/tenant ID
- Timestamps: started_at, finished_at
- Outcome: success/failure + reason category (timeout, rate-limit, policy blocked, tool error)
- Policy decisions: budget used, backoff applied, lease acquired/denied, rate-limit decisions
- Trace linkage identifiers (trace_id, span_id) when tracing is enabled (IDs only)
This is the minimum needed to reconstruct governed execution without storing full payloads.
Not captured by default
- Secrets or credentials
- Full request/response payload bodies
- PII beyond the minimal actor identifiers required for auditing
- Customer content from tools (issue text, incident descriptions) unless explicitly enabled
Payload capture for a specific integration/action is opt-in and configurable.
Optional payload capture (when enabled)
- Payload capture is disabled by default in preview.
- If enabled, it can be scoped by integration + action + environment.
- Redaction rules apply before storage (allowlist/denylist fields).
- Retention can be configured per scope.
- Goal: enable debugging for specific workflows, not broad data collection.
Retention and redaction
Defaults are conservative and configurable.
- Retention windows per environment/integration/action (metadata vs optional payload retention)
- Field-level redaction rules (denylist by key name patterns + explicit allowlist)
- Ability to disable payload capture at any time
Data minimization checklist
1. Start metadata-only
2. Enable payload capture only for one action scope
3. Set short retention for payloads
4. Apply redaction rules
We recommend starting metadata-only.
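To make the scoping and redaction behaviour described above concrete, here is an added example (not RunwayCtrl's own code) of a metadata-first receipt builder: the payload is stored only for an enabled integration + action + environment scope, and only after key-name denylist patterns and an explicit allowlist have been applied. The scope, patterns, allowlisted field names and sample payload are all constructed for illustration.

```python
import re
from typing import Any

REDACTED = "[REDACTED]"

# Constructed config: payload capture enabled for exactly one integration+action+environment scope.
CAPTURE_SCOPES = {("pagerduty", "incident", "staging")}
# Denylist by key-name pattern (checked first), then an explicit allowlist of fields worth keeping.
DENY_PATTERNS = [re.compile(p, re.I) for p in (r"secret", r"token", r"password", r"authorization", r"api[_-]?key")]
ALLOW_KEYS = {"service_id", "dedup_key", "urgency"}

def capture_enabled(integration: str, action: str, environment: str) -> bool:
    return (integration, action, environment) in CAPTURE_SCOPES

def redact(value: Any, allowed: bool = False) -> Any:
    """Return the storable subset of a payload: denylisted keys are masked wherever they appear,
    other fields survive only if they (or an ancestor key) are on the allowlist."""
    if isinstance(value, dict):
        out = {}
        for key, child in value.items():
            if any(p.search(key) for p in DENY_PATTERNS):
                out[key] = REDACTED  # denylist wins even over an allowlisted name
            elif isinstance(child, (dict, list)):
                kept = redact(child, allowed or key in ALLOW_KEYS)
                if kept:  # keep containers only if something inside survived
                    out[key] = kept
            elif allowed or key in ALLOW_KEYS:
                out[key] = child
        return out
    if isinstance(value, list):
        kept = [redact(item, allowed) for item in value]
        return [item for item in kept if item not in (None, {}, [])]
    return value if allowed else None

def build_receipt(integration: str, action: str, environment: str,
                  metadata: dict, payload: dict) -> dict:
    """Metadata is always recorded; the payload only when its scope is enabled, and only redacted."""
    receipt = dict(metadata, integration=integration)
    if capture_enabled(integration, action, environment):
        receipt["payload"] = redact(payload)
    return receipt

# Constructed sample payload for a governed call (not real data).
SAMPLE_PAYLOAD = {
    "service_id": "svc_abc", "dedup_key": "dedupe_123",
    "api_key": "sk-constructed-1234", "description": "customer incident text",
    "headers": {"Authorization": "Bearer constructed", "X-Request-Id": "req_1"},
    "tags": [{"urgency": "high", "note": "free text"}],
}
```

Note that free-text fields such as `description` and `note` are dropped rather than masked, which is what keeps customer content out of the receipt unless an operator allowlists it deliberately.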
Credentials and access
- RunwayCtrl uses your existing tool credentials; it does not require sharing secrets beyond what's needed to execute the governed call.
- Credentials are scoped to the minimum permissions needed for the configured actions.
- Where credentials live depends on deployment mode; we aim for standard patterns (customer-managed secrets / short-lived tokens) as the model matures.
In preview, credential handling is implemented in a conservative, least-privilege way; details may evolve as we harden deployments.
Policy controls (security boundary)
- Policy Gate: restricts which actions can run and enforces budgets and rate limits.
- Concurrency Leases: prevent racing writes and conflicting remediations.
- Retry Governance: bounded retries to avoid storm behavior that can look like abuse.
- Attempt Ledger: receipts as the audit trail for governed actions.
Auditability via receipts
- Every governed action produces an attempt record (receipt).
- Receipts provide a reconstructible timeline for postmortems and reviews.
- Receipts are the source of truth for governed actions.
Example receipt (metadata-only)
{
  "schema_version": "0.1",
  "attempt_id": "att_09H_",
  "action_key": "pagerduty:incident:svc_abc:dedupe_123",
  "integration": "pagerduty",
  "actor": "agent:cname-or-id",
  "timestamps": {
    "started_at": "2026-01-25T20:19:12Z",
    "finished_at": "2026-01-25T20:19:12Z"
  },
  "outcome": "success",
  "policy": {
    "retry_budget": 3,
    "backoff_ms": [250, 500, 1000],
    "lease": "lease_09H_"
  },
  "trace": {
    "trace_id": "4bf92f3577b34da6a...",
    "span_id": "00f067aa0ba902b7"
  }
}
Common questions
Now
Metadata-only receipts + trace linkage IDs
Next
Expanded controls (policy packs, additional integrations)
Security contact
Report a security issue
security@runwayctrl.com
Design partners: tell us your security requirements early; we will adapt defaults and controls.