Security and Compliance
Last updated: July 3, 2026
This page outlines Run-Fi's approach to protecting customer financial data and maintaining regulatory compliance.
1. Security Approach
Run-Fi takes a defence-in-depth approach to protecting customer financial data. We implement multiple layers of security controls across infrastructure, application, and operational domains.
Our security program is designed to meet the requirements of financial institutions and regulated entities. Specific implementation details, including security architecture and controls documentation, are shared with customers under NDA during the sales and evaluation process.
We continuously assess and improve our security posture in response to evolving threats and customer requirements.
2. Encryption
All customer data is encrypted both in transit and at rest:
- Data in transit: All API communications use TLS encryption with modern cipher suites
- Data at rest: Transaction data and audit logs are encrypted using industry-standard encryption algorithms
- Key management: Encryption keys are managed using secure key management systems with regular rotation
Specific encryption standards and implementations are documented in our security overview, available to customers during the evaluation process.
3. Access Control
Access to customer data is strictly controlled and limited to authorised personnel on a need-to-know basis:
- All access to production systems and customer data is authenticated and logged
- Multi-factor authentication is required for administrative access
- Access permissions follow the principle of least privilege
- Access logs are retained and monitored for anomalous activity
Detailed access control policies and procedures are available to customers under NDA.
4. Audit Trail
Run-Fi maintains a comprehensive, tamper-evident audit trail of all reconciliation activity:
- Every transaction match, exception, and manual review is logged with timestamp and user attribution
- Data export and API access events are recorded
- Configuration changes and administrative actions are tracked
- Audit logs are immutable and cryptographically verified to detect tampering
Customers can export their complete audit history at any time through the platform. Audit logs are retained in accordance with regulatory requirements and customer contract terms.
5. Compliance Roadmap
Run-Fi is aligned with multiple data protection and security frameworks. Our compliance roadmap includes:
| Framework / Regulation | Status |
|---|---|
| GDPR (EU General Data Protection Regulation) | Aligned |
| UK GDPR | Aligned |
| POPIA (South Africa Protection of Personal Information Act) | Aligned |
| Kenya Data Protection Act 2019 | Aligned |
| SOC 2 Type II | Planned |
| ISO 27001 | Planned |
Note: Specific timelines and certification status details are available to customers during the evaluation process.
6. Sub-Processors
Run-Fi uses a limited number of carefully vetted third-party service providers (sub-processors) to support platform infrastructure. These sub-processors fall into the following categories:
- Cloud infrastructure: Hosting and compute services
- Data storage: Secure database and object storage
- Monitoring and logging: Security and performance monitoring
All sub-processors are bound by contractual data protection obligations equivalent to those in our Data Processing Agreement. The complete list of sub-processors, including their locations and purposes, is available to customers under NDA and documented in the Data Processing Agreement.
Customers are notified of any changes to our sub-processor list and have the right to object to new sub-processors as outlined in the Data Processing Agreement.
7. Incident Response
In the event of a security incident that affects customer data, Run-Fi commits to:
- Promptly investigate and contain the incident
- Notify affected customers without undue delay
- Provide details on the nature and scope of the incident
- Cooperate with customer incident response and regulatory notification requirements
Specific notification timelines and procedures are defined in customer contracts. Where required by law (such as GDPR's 72-hour breach notification requirement), we adhere to the stricter standard.
8. Vulnerability Disclosure
Run-Fi welcomes responsible disclosure of security vulnerabilities. If you discover a potential security issue, please report it to:
Please include:
- A description of the vulnerability
- Steps to reproduce the issue
- Potential impact
- Your contact information for follow-up
We will acknowledge receipt within 48 hours and provide an initial assessment within 5 business days. We ask that you do not publicly disclose the vulnerability until we have had an opportunity to address it.
Questions about this policy? Email info@run-fi.xyz