// Trust & Security Report

    Runway AI, Inc. logo

    Runway AI, Inc.

    Generative AI video and 'general world model' platform: Gen-4.5 (text/image-to-video), Aleph 2.0 (video-to-video editing), Act-Two (performance capture), Runway Agent 2.0, Runway Characters (real-time conversational video-agent API), GWM-1 general world models (Worlds, Avatars, Robotics), plus a developer API, Enterprise plan, and Education plan

    Certifications held

    2

    Maturity

    Growth

    Trains on your data

    Yes

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type II
    HELD

    Certifications and Attestations: 'SOC 2 Type II 2025 Runway AI, Inc. Report' listed under Compliance > SOC 2 Type II on the Trust Center

    Verify on trust.runwayml.com
    GDPR (compliance posture, not a certification)
    HELD

    'Our systems incorporate protections for European users in accordance with GDPR requirements' (Data Security page); the Privacy Policy names Runway as the GDPR 'data controller' and describes EEA/UK data-subject rights (access, deletion, rectification, portability, objection). Runway AI's own Privacy Policy does NOT cite Standard Contractual Clauses or a UK Addendum; its documented international-transfer basis is user consent to processing in the United States and other countries. (An earlier draft's SCC/UK-Addendum/adequacy wording was mis-sourced from runway.com, the unrelated Runway Financial, Inc. FP&A company, and has been removed.)

    Verify on runwayml.com
    > Show 7 unconfirmed / not-held certifications
    ISO 27001
    NOT CONFIRMED

    The vendor's own security page states only 'Our security program incorporates elements from ISO 27001 and NIST frameworks' -- this is a framework-alignment claim, not a certification claim. The Trust Center's Compliance section lists only 'SOC 2 Type II' and does not list an ISO 27001 certificate or auditor report.

    source: runwayml.com
    HIPAA
    NOT CONFIRMED

    No public evidence. HIPAA is not mentioned on the Trust Center, the Data Security page, or the Privacy Policy, and no Business Associate Agreement is referenced anywhere on the vendor's own domain.

    source: trust.runwayml.com
    PCI DSS
    NOT CONFIRMED

    No public evidence. Not mentioned on the Trust Center or Data Security page; Runway does not appear to directly process cardholder data (billing is third-party).

    source: trust.runwayml.com
    ISO 27017 / 27018 / 27701
    NOT CONFIRMED

    No public evidence. Not listed in the Trust Center's Certifications and Attestations section (which lists only the SOC 2 Type II report, a CAIQ, a security whitepaper, and policy documents).

    source: trust.runwayml.com
    ISO/IEC 42001 (AI management system)
    NOT CONFIRMED

    No public evidence. Trust Center lists a 'Responsible AI Commitments' document but no ISO 42001 or other formal AI-governance certification/attestation.

    source: trust.runwayml.com
    CSA STAR
    NOT CONFIRMED

    No public evidence found on the Trust Center or elsewhere on runwayml.com.

    source: trust.runwayml.com
    FedRAMP
    NOT CONFIRMED

    No public evidence found; no government/public-sector authorization referenced on the vendor's own domain.

    source: trust.runwayml.com

    // Privacy & AI training

    Trains on customer data

    Yes

    Data processing agreement

    Not offered

    Data region

    Not publicly specified. The Data Security page references multi-datacenter hosting but does not name specific regions; no self-serve data-residency selection is documented on the vendor's own domain.

    On standard (non-Enterprise) plans, the Terms of Use grant Runway a 'non-exclusive, irrevocable, perpetual, worldwide, royalty-free, fully paid, transferable, sublicensable right and license to use any Inputs and Outputs' for purposes that explicitly include to 'train and improve its AI models, algorithms and related technology.' There is no self-serve opt-out for standard/Team plans. The separate Runway Enterprise Services Terms (Section 5.2, Customer Content) state 'Runway may not use Customer Content as training data for the Services' -- i.e. Enterprise customers are contractually excluded from training. This is a real, vendor-confirmed tier difference (consumer/Team trains by default; Enterprise does not) rather than a legacy-vs-current contradiction.

    // Security controls

    Encryption in transit

    TLS 1.2+ with strong cipher suites for all data transmission

    runwayml.com

    Encryption at rest

    AES-256; encryption keys protected in secure key-management systems

    runwayml.com

    Password storage

    Passwords never stored in plaintext or reversible encryption

    runwayml.com

    Independent audit

    SOC 2 Type II 2025 report available (Trust Center, access on request)

    trust.runwayml.com

    Penetration testing

    '2025 Penetration Test and Remediation Summary' listed as a Trust Center resource; control catalog also lists 'Penetration testing performed' under Product security

    trust.runwayml.com

    Business continuity / DR

    Trust Center control catalog lists 'Continuity and Disaster Recovery plans established' and 'tested'; a Business Continuity/Disaster Recovery Policy document is published

    trust.runwayml.com

    Subprocessors

    Public subprocessor list maintained

    runwayml.com

    // Products & data scope

    Runway (Standard / Team, web app)Consumer / prosumer generative AI video and image tools (Gen-4.5, Aleph 2.0, Act-Two, Agent 2.0)

    data: User-uploaded images/video and generated outputs; used by default to train and improve Runway's AI models under the standard Terms of Use, with no self-serve opt-out.

    Default plan tier; broadest data-training exposure of the product family.

    Runway API / CharactersDeveloper API for generative video and real-time conversational video agents

    data: Content submitted via API calls; governed by the same standard Terms of Use unless the account is contracted under Enterprise terms.

    Used to build custom character/agent experiences on top of GWM-1.

    Runway EnterpriseContracted enterprise tier of the same generative video platform

    data: Customer Content contractually excluded from model training ('Runway may not use Customer Content as training data for the Services'); enterprise customers can request the SOC 2 report directly.

    Materially different privacy/training posture than the standard consumer/Team tier -- this distinction should be surfaced to buyers.

    Runway for EducationDiscounted/education-focused access to the same core product

    data: No education-specific data-handling terms found on the vendor's own domain beyond the standard Terms of Use.

    Minimal public detail; treated as the standard product under an education pricing wrapper.

    // What to watch

    • Identity-conflation risk: runway.com (Runway Financial, Inc., a financial-planning/FP&A software company) and runway.team are unrelated companies that also use the name 'Runway'. This assessment uses ONLY runwayml.com, trust.runwayml.com, and help.runwayml.com evidence for Runway AI, Inc., the AI video/world-model company. QA NOTE: an earlier draft leaked runway.com's Standard Contractual Clauses / UK Addendum / adequacy-decision transfer wording into Runway AI's GDPR entry; that mis-sourced detail was verified against the live runwayml.com Privacy Policy (which contains none of those terms) and removed. The two 'Runway' vendors must never be cross-linked or conflated.
    • Possible over-claim: the Data Security page's phrase 'incorporates elements from ISO 27001 and NIST frameworks' could read to a buyer as an ISO 27001 certification claim; the Trust Center's actual Certifications and Attestations list only includes the SOC 2 Type II report, with no ISO 27001 certificate. Graded ISO 27001 held=false and flagged for careful copy on the listing.
    • Meaningful AI-training tier gap: standard/Team-tier customer content trains Runway's models by default with no opt-out, while Enterprise customers are contractually excluded from training. This should be shown prominently since it materially affects data-sensitive buyers who are not on an Enterprise contract.
    • No HIPAA or PCI DSS evidence found; not suitable to list as supporting regulated health or payment-card data.
    • No public DPA document or self-serve data-residency controls were found on the vendor's own domain. Runway AI's own Privacy Policy does NOT describe Standard Contractual Clauses; its documented international-transfer basis is user consent to processing in the United States and other countries. Enterprise buyers should confirm DPA and transfer-safeguard terms directly with Runway's legal/sales team.

    // At a glance

    Pricing model

    Freemium / subscription tiers (Standard, Pro, Team) plus custom-quoted Enterprise contracts

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Runway AI, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-05. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    trust.runwayml.com

    > Browse all vendor trust reports