Security at The Run System
Last updated: 26 May 2026
We take the security of our customers' campaign data seriously. This page covers how to reach us if you believe you've found a vulnerability, how we handle reports, and what we ask of researchers in return.
Reporting a vulnerability
Email [email protected] with a clear description of the issue, reproduction steps, and the impact you believe it has. Encrypted reports are welcome; ask us for a current PGP key if you need one.
A machine-readable version of this contact information is available at /.well-known/security.txt in line with RFC 9116.
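As an added example (not the company's own file or code), the following Python builds a minimal security.txt in the RFC 9116 format referenced above and checks the basic rules a publisher gets wrong most often: the Contact and Expires fields are mandatory, Expires appears exactly once and must be a future ISO 8601 timestamp, and the RFC recommends it be less than a year out. The contact address and URLs are placeholders, not the real values.

```python
"""Build and sanity-check a minimal RFC 9116 security.txt.

Added example, not the company's actual /.well-known/security.txt. The
contact address and URLs below are placeholders; the real ones are in
the deployed file.
"""
from datetime import datetime, timedelta, timezone

# Placeholder values: replace with the real contact address and policy URL.
CONTACT = "mailto:security@example.com"
POLICY_URL = "https://example.com/security"          # assumed location of a policy page
CANONICAL_URL = "https://example.com/.well-known/security.txt"

REQUIRED = ("Contact", "Expires")
KNOWN = {"Contact", "Expires", "Encryption", "Acknowledgments", "Preferred-Languages",
         "Canonical", "Policy", "Hiring", "CSAF"}


def build_security_txt(contact=CONTACT, policy=POLICY_URL,
                       canonical=CANONICAL_URL, days_valid=180):
    """Return the text of a security.txt that expires `days_valid` days from now."""
    expires = (datetime.now(timezone.utc) + timedelta(days=days_valid)).replace(microsecond=0)
    lines = [
        f"Contact: {contact}",
        f"Expires: {expires.isoformat().replace('+00:00', 'Z')}",
        f"Policy: {policy}",
        f"Canonical: {canonical}",
        "Preferred-Languages: en",
    ]
    return "\n".join(lines) + "\n"


def parse_security_txt(text):
    """Parse 'Field: value' lines into a dict of lists; comments and blank lines are skipped."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line: {raw!r}")
        fields.setdefault(name.strip(), []).append(value.strip())
    return fields


def validate_security_txt(text, now=None):
    """Return a list of problems; empty when the file passes these basic RFC 9116 checks."""
    now = now or datetime.now(timezone.utc)
    problems = []
    fields = parse_security_txt(text)
    for name in REQUIRED:
        if name not in fields:
            problems.append(f"missing required field {name}")
    for name in fields:
        if name not in KNOWN:
            # Extension fields are permitted by the RFC; flag them so typos get noticed.
            problems.append(f"unrecognised field {name} (extension field or typo?)")
    for c in fields.get("Contact", []):
        # Simplified check: the RFC requires a URI, with web URIs using https.
        if not (c.startswith("mailto:") or c.startswith("https://") or c.startswith("tel:")):
            problems.append(f"Contact must be a mailto:, https:// or tel: URI: {c}")
    expires = fields.get("Expires", [])
    if len(expires) > 1:
        problems.append("Expires must appear exactly once")
    for e in expires:
        try:
            when = datetime.fromisoformat(e.replace("Z", "+00:00"))
        except ValueError:
            problems.append(f"Expires is not an ISO 8601 datetime: {e}")
            continue
        if when <= now:
            problems.append("Expires is in the past: the file should be treated as stale")
        elif when > now + timedelta(days=365):
            problems.append("Expires is more than a year out (RFC 9116 recommends less)")
    return problems


if __name__ == "__main__":
    txt = build_security_txt()
    print(txt)
    print("problems:", validate_security_txt(txt))
```

Running the validator against the deployed file on a schedule is a cheap way to catch the most common failure, an expired file, before researchers do.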
Our commitments
- We acknowledge receipt within 2 business days.
- We provide an initial assessment within 5 business days.
- We will keep you informed of remediation progress until the issue is resolved.
- We will publicly credit researchers who report valid issues (with their consent).
- We will not take legal action against researchers who follow this policy in good faith.
What we ask of you
- Give us a reasonable window to fix the issue before public disclosure (we aim for 90 days).
- Don't access customer data beyond what's strictly necessary to demonstrate the vulnerability.
- Don't run automated scanners against our production environment without prior approval.
- Don't attempt social engineering against our team or customers.
- Don't perform DoS or DDoS testing against any of our systems.
Scope
The following are in scope for responsible disclosure:
- therunsystem.com and its subdomains
- The portal application (everything under /portal and authenticated routes)
- Authentication flows and session handling
- Data isolation between organisations
Out of scope: third-party services we depend on (please report to them directly — see our sub-processor list), issues already publicly disclosed by us, and DNS/email-spoofing issues we can't control.
How we handle customer data
Customer data is encrypted at rest (Postgres + Railway Volumes) and in transit (TLS via Cloudflare). OAuth tokens for connected platforms are stored separately from the application database. We're GDPR-compliant; data residency is EU. A full sub-processor list is on /sub-processors.
Questions or feedback on this policy? Email [email protected].