// Trust & Security Report

    Runway (Runway Financial, Inc.) logo

    Runway (Runway Financial, Inc.)

    Runway is a collaborative FP&A (financial planning & analysis) platform for finance teams: scenario/revenue/headcount planning, budgeting, forecasting, and board reporting, with an AI copilot ('Analyze with AI') layered on top of a shared financial model. Single product line, tiered by company/team size rather than separate consumer/enterprise SKUs.

    Certifications held

    2

    Maturity

    Growth

    Trains on your data

    Unknown

    Trust center

    No

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type II
    HELD

    Runway is SOC 2 Type II compliant, which means we have undergone a rigorous, third-party audit to validate that our security practices continue to meet industry standards over time.

    Verify on runway.com
    GDPR (posture)
    HELD

    Privacy compliance (GDPR, CCPA) ... We regularly maintain our list of service providers and subprocessors, as well as our data storage locations.

    Verify on runway.com
    > Show 6 unconfirmed / not-held certifications
    ISO 27001
    NOT CONFIRMED

    No public evidence: ISO 27001 is not mentioned on the /security page, privacy policy, or subprocessor page. Only SOC 2 Type II is cited as an independent audit.

    source: runway.com
    HIPAA
    NOT CONFIRMED

    No public evidence: no HIPAA reference found anywhere on runway.com's security, privacy, terms, or subprocessor pages; product is finance/FP&A tooling, not health data processing.

    source: runway.com
    PCI DSS
    NOT CONFIRMED

    "Transaction and limited (non-PCI) payment data" is collected, explicitly excluding full cardholder-data handling; no PCI DSS certification is claimed.

    source: runway.com
    ISO/IEC 42001 (AI management)
    NOT CONFIRMED

    No public evidence: no AI-governance certification (ISO 42001, CSA STAR AI) is referenced on any runway.com page reviewed.

    source: runway.com
    CSA STAR
    NOT CONFIRMED

    No public evidence: not referenced on runway.com.

    source: runway.com
    FedRAMP
    NOT CONFIRMED

    No public evidence: not referenced on runway.com; product targets private-sector finance teams, not federal government.

    source: runway.com

    // Privacy & AI training

    Trains on customer data

    Not stated

    Data processing agreement

    Offered

    Data region

    Primary application data in Google Cloud Platform (EU and US); integration/sync data via Merge, Workato, Fivetran, Snowflake, Elastic (mostly US, some EU/other regions available on request). Cross-border transfers use Standard Contractual Clauses. Customers with specific residency needs can request accommodation from security@runway.com on a case-by-case basis.

    OpenAI is listed as a subprocessor for 'AI model inference and realtime assistant/explanation features' when customers opt into AI features (Analyze with AI). No page reviewed (security, privacy policy, terms, subprocessor list) makes an explicit statement that Runway does or does not train models on customer data, and no opt-out toggle is documented publicly, so this is graded unknown rather than assumed either way.

    // Security controls

    Encryption in transit and at rest

    TLS 1.3 used to encrypt data both at rest and in transit.

    runway.com

    Access control

    Data only accessible by an organization's own administrators and users granted access; role-based access controls.

    runway.com

    SSO

    Single Sign-On supported via Google, Rippling, or Xero.

    runway.com

    Audit logging

    All access is logged, described as providing 'a transparent and auditable security trail.'

    runway.com

    Security program scale

    '100+ controls (and counting)' with continuous automated vulnerability scanning and regular third-party security audits.

    runway.com

    Subprocessor transparency

    Public, maintained list of infrastructure, AI, integration, analytics, and support subprocessors (Google Cloud, Snowflake, Vercel, Cloudflare, OpenAI, Fivetran, Merge, Workato, Stripe, HubSpot, Slack, Datadog, Sentry, etc.).

    runway.com

    // Products & data scope

    Runway FP&A platformFinancial planning & analysis / business modeling SaaS

    data: Company financial and operational data pulled from 750+ integrations (HRIS, ERP, CRM, accounting systems), plus user-entered planning assumptions and, for the AI copilot, prompts and uploaded files sent to OpenAI for inference.

    Single product line marketed to finance teams at growth-stage and mid-market companies (e.g. AngelList, RevenueCat, Rootly cited as customers). No distinct free/consumer tier; onboarding is guided and sales-led. No separate enterprise-only security tier documented publicly (e.g. no dedicated enterprise trust portal), unlike some larger competitors.

    // What to watch

    • Identity-conflation risk: the name 'Runway' is shared by at least three unrelated companies with different domains — runway.com (this vendor, FP&A), runwayml.com (Runway AI, Inc., generative video, has its own trust.runwayml.com trust center), and runway.team (mobile app release/beta-distribution tool, publishes its own separate SOC 2 Type II announcement). Search engines and generic 'Runway SOC 2' queries surface all three interchangeably. This assessment only used facts fetched directly from runway.com pages; certifications/trust centers belonging to runwayml.com or runway.team must NOT be attributed to this vendor.
    • No dedicated self-serve trust center portal (e.g. Vanta/Drata/SafeBase-style page with downloadable reports) was found at runway.com; the SOC 2 Type II report itself is only obtainable by contacting security@runway.com or through the sales process, so the claim could not be independently verified against the raw audit report, only against the vendor's own marketing/security page text.
    • AI training posture on customer data is not explicitly disclosed one way or the other on any runway.com page reviewed (security, privacy, terms, subprocessors) despite an active AI feature (OpenAI-backed 'Analyze with AI'); AIFOXX should not claim either 'does not train on your data' or 'trains on your data' without direct written confirmation from Runway.
    • No ISO 27001, HIPAA, PCI DSS, ISO 42001, or CSA STAR certification found; only SOC 2 Type II and a GDPR/CCPA privacy program are substantiated.

    // At a glance

    Pricing model

    Sales-led / demo-based subscription pricing for teams (not self-serve; 'Talk to a human' / 'Book a demo' CTAs); exact tiers and per-seat pricing are not publicly listed on the pages reviewed.

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Runway (Runway Financial, Inc.)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-09. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    runway.com

    > Browse all vendor trust reports