// Trust & Security Report
Runway (Runway Financial, Inc.)
Runway is a collaborative FP&A (financial planning & analysis) platform for finance teams: scenario/revenue/headcount planning, budgeting, forecasting, and board reporting, with an AI copilot ('Analyze with AI') layered on top of a shared financial model. Single product line, tiered by company/team size rather than separate consumer/enterprise SKUs.
Certifications held
2
Maturity
Growth
Trains on your data
Unknown
Trust center
No
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on runway.com“Runway is SOC 2 Type II compliant, which means we have undergone a rigorous, third-party audit to validate that our security practices continue to meet industry standards over time.”
Verify on runway.com“Privacy compliance (GDPR, CCPA) ... We regularly maintain our list of service providers and subprocessors, as well as our data storage locations.”
> Show 6 unconfirmed / not-held certifications
source: runway.comNo public evidence: ISO 27001 is not mentioned on the /security page, privacy policy, or subprocessor page. Only SOC 2 Type II is cited as an independent audit.
source: runway.comNo public evidence: no HIPAA reference found anywhere on runway.com's security, privacy, terms, or subprocessor pages; product is finance/FP&A tooling, not health data processing.
source: runway.com"Transaction and limited (non-PCI) payment data" is collected, explicitly excluding full cardholder-data handling; no PCI DSS certification is claimed.
source: runway.comNo public evidence: no AI-governance certification (ISO 42001, CSA STAR AI) is referenced on any runway.com page reviewed.
source: runway.comNo public evidence: not referenced on runway.com; product targets private-sector finance teams, not federal government.
// Privacy & AI training
Trains on customer data
Not stated
Data processing agreement
Offered
Data region
Primary application data in Google Cloud Platform (EU and US); integration/sync data via Merge, Workato, Fivetran, Snowflake, Elastic (mostly US, some EU/other regions available on request). Cross-border transfers use Standard Contractual Clauses. Customers with specific residency needs can request accommodation from security@runway.com on a case-by-case basis.
OpenAI is listed as a subprocessor for 'AI model inference and realtime assistant/explanation features' when customers opt into AI features (Analyze with AI). No page reviewed (security, privacy policy, terms, subprocessor list) makes an explicit statement that Runway does or does not train models on customer data, and no opt-out toggle is documented publicly, so this is graded unknown rather than assumed either way.
// Security controls
Encryption in transit and at rest
TLS 1.3 used to encrypt data both at rest and in transit.
runway.comAccess control
Data only accessible by an organization's own administrators and users granted access; role-based access controls.
runway.comAudit logging
All access is logged, described as providing 'a transparent and auditable security trail.'
runway.comSecurity program scale
'100+ controls (and counting)' with continuous automated vulnerability scanning and regular third-party security audits.
runway.comSubprocessor transparency
Public, maintained list of infrastructure, AI, integration, analytics, and support subprocessors (Google Cloud, Snowflake, Vercel, Cloudflare, OpenAI, Fivetran, Merge, Workato, Stripe, HubSpot, Slack, Datadog, Sentry, etc.).
runway.com// Products & data scope
data: Company financial and operational data pulled from 750+ integrations (HRIS, ERP, CRM, accounting systems), plus user-entered planning assumptions and, for the AI copilot, prompts and uploaded files sent to OpenAI for inference.
Single product line marketed to finance teams at growth-stage and mid-market companies (e.g. AngelList, RevenueCat, Rootly cited as customers). No distinct free/consumer tier; onboarding is guided and sales-led. No separate enterprise-only security tier documented publicly (e.g. no dedicated enterprise trust portal), unlike some larger competitors.
// What to watch
- Identity-conflation risk: the name 'Runway' is shared by at least three unrelated companies with different domains — runway.com (this vendor, FP&A), runwayml.com (Runway AI, Inc., generative video, has its own trust.runwayml.com trust center), and runway.team (mobile app release/beta-distribution tool, publishes its own separate SOC 2 Type II announcement). Search engines and generic 'Runway SOC 2' queries surface all three interchangeably. This assessment only used facts fetched directly from runway.com pages; certifications/trust centers belonging to runwayml.com or runway.team must NOT be attributed to this vendor.
- No dedicated self-serve trust center portal (e.g. Vanta/Drata/SafeBase-style page with downloadable reports) was found at runway.com; the SOC 2 Type II report itself is only obtainable by contacting security@runway.com or through the sales process, so the claim could not be independently verified against the raw audit report, only against the vendor's own marketing/security page text.
- AI training posture on customer data is not explicitly disclosed one way or the other on any runway.com page reviewed (security, privacy, terms, subprocessors) despite an active AI feature (OpenAI-backed 'Analyze with AI'); AIFOXX should not claim either 'does not train on your data' or 'trains on your data' without direct written confirmation from Runway.
- No ISO 27001, HIPAA, PCI DSS, ISO 42001, or CSA STAR certification found; only SOC 2 Type II and a GDPR/CCPA privacy program are substantiated.
// At a glance
Pricing model
Sales-led / demo-based subscription pricing for teams (not self-serve; 'Talk to a human' / 'Book a demo' CTAs); exact tiers and per-seat pricing are not publicly listed on the pages reviewed.
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Runway (Runway Financial, Inc.)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-09. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
runway.com