Security & Trust
How Runtimekindle handles your data and protects your cluster.
We sell security tooling to security-conscious teams. This page explains what data we collect, how we store it, and the controls framework we built to satisfy enterprise procurement requirements.
Data Collection
What Runtimekindle collects — and what it doesn't
What we collect
Process execution events (binary paths, arguments, PIDs, Linux namespaces, cgroup identifiers), network connection metadata (source and destination IPs, ports, protocol — not payload content), file access events (file paths and access type — not file contents), and build artifact metadata for SBOM generation (package names, versions, hashes, license identifiers).
What we never collect
Application payload data (HTTP request/response bodies, database query contents, message queue payloads), secrets or credentials (environment variables, mounted secrets, API keys), file contents (only paths and access events), and personally identifiable information from your application layer. The eBPF agent operates at the syscall layer — it observes metadata, not data.
Controls Framework
Infrastructure and operational controls
Encryption in transit
All data between the eBPF agent and the control plane is encrypted via TLS 1.3. Internal service-to-service communication uses mutual TLS.
Encryption at rest
Event data and SBOM artifacts are encrypted at rest using AES-256. Encryption keys are managed via a dedicated key management service with rotation policies.
Access controls
All control plane resources are governed by role-based access control. Multi-factor authentication is required for all staff access to production infrastructure, and the principle of least privilege is enforced across all service accounts.
Audit logging
All control plane operations are logged with actor identity, timestamp, and action. Logs are stored in an append-only store. Customer-facing audit events are exportable via API.
Incident response
Runtimekindle maintains an incident response plan with defined severity levels, notification timelines, and communication procedures. Security incidents are disclosed to affected customers within 72 hours of confirmation.
Vendor management
Third-party vendor security reviews are conducted before onboarding. Sub-processors are listed in our Privacy Policy. SBOM exports are available for the Runtimekindle control plane software itself upon request.
Compliance Posture
How we approach compliance requirements
Runtimekindle is designed with the SOC 2 Trust Services Criteria in mind. Our internal controls are aligned with the SOC 2 Common Criteria (CC) categories, and we are preparing for a formal SOC 2 Type 2 assessment; we will disclose its completion when available. We do not currently hold a SOC 2 Type 1 or Type 2 attestation: we are controls-aligned, not certified.
We are not HIPAA-covered or BAA-eligible at this time for healthcare data workloads. We are not FedRAMP authorized: the Scale plan includes evidence export formats compatible with FedRAMP-adjacent review workflows, but we hold no active ATO. We are not a PCI DSS QSA or other qualified auditing body; we generate evidence and controls output, and your QSA performs the assessment.
For enterprise customers with procurement security questionnaires, we provide a detailed security questionnaire response document on request. Contact [email protected] with your questionnaire format.
Data Processing Agreements (DPAs) are available for customers who require them under GDPR or similar privacy frameworks. Contact us to request a DPA. Our Privacy Policy lists all sub-processors and describes data transfer mechanisms.
Responsible Disclosure
Report a vulnerability
If you discover a security vulnerability in Runtimekindle, please report it to [email protected]. We commit to acknowledging reports within 48 hours and providing a remediation timeline within 7 business days. We ask that you give us reasonable time to address the issue before public disclosure.
Security questions from your procurement team?
We respond to vendor security questionnaires and can provide a DPA on request. Contact us directly.