Learn about our journey to SOC2 Type II compliance - delivering exacting standards of security so that our customers can rest easy, knowing they are in safe hands.
We are proud to announce that Runn has achieved full SOC2 compliance, an independent verification of our approach to security, privacy and safeguarding customer data. We started our compliance journey in late 2022, and shared what we learned after getting SOC2 Type I in March 2023. Since then, we’ve been audited against SOC2 Type II on the actual implementation of our policies and processes.
With nearly a year of improved security practices under our belt, we figured it’s worth revisiting how it’s going.
Keeping our company and customers secure is an ongoing effort involving everyone at Runn - any compliance audit can only see a snapshot of what’s really happening. We make sure everyone reads the policies that apply to them, but we don’t rely on anyone remembering every detail. Many of our processes run out in the open, which keeps the policies alive in day-to-day work.
Most staff have requested access to something via our #access-requests channel on Slack. We post friendly reminders and summaries of important policies in our #general channel. Everyone is in charge of keeping their device secure with Kolide’s friendly Slackbot, which guides them through fixing any issues.
Read more about this in “Do it with the whole org” and “Do it transparently” in our SOC2 Type I announcement.
Since writing our policies, we’ve welcomed nearly two dozen staff and contractors to Runn. Establishing onboarding and HR processes early on enabled us to grow with security in mind, but classifying everyone and matching them with appropriate security controls proved to be particularly challenging.
For example, not every part-time contractor is required to use a company laptop - but they do need to protect their device with our endpoint security.
Apart from security, SOC2 also nudged us towards more standardized and well-documented onboarding. While there are a few additional mandatory checkboxes, we feel that newcomers have a better experience in their first weeks now than they did before we had these standard procedures in place.
Our security team is distributed across the globe, which provides resilience but also poses communication challenges. In addition to the daily chatter, we’ve established quarterly reviews of our security posture (roadmap, risks, security events, upcoming milestones). This is done asynchronously via Notion templates designed to encourage discussion and collaboration.
We found this rhythm helpful for keeping longer term security initiatives and trends front of mind. As a side effect, it also happens to meet our compliance requirements around keeping leadership and the board informed - a win-win!
SOC2 has made a significant positive impact for us in vendor management: we track all vendors and tools used, and require more explicit review (due diligence) before approving new ones. This has led to numerous honest and productive conversations about use cases and the risks associated with them.
We have decided against using some vendors that would’ve likely been introduced “under the radar” before formalizing our processes. While there can be a fair bit of “compliance theater” in this space, a small cross-functional security team can be very effective at making responsible decisions to safeguard our customer data as well as our own business.
Great developers inherently want to write secure software, and bring a lot of practitioner knowledge to the table. The role of a security team is to set the guardrails without getting in the way of agile delivery, and to enable devs with the right tools and training.
We’ve invested in automating security-focused linters, static code analysis and dependency management (shifting security left). Runn works in six-week cycles, where every feature team considers the risks of what they’re building through lightweight threat modeling before code gets shipped to production.
Ongoing SOC2 compliance demonstrates our commitment to security and privacy. Security is never "done", but getting to a solid baseline early on as a startup allows us to build security into every aspect of our business over time.
We’d like to thank our partners in this journey, as we couldn’t have done it without your help! Thanks to Vanta for providing the tools to manage compliance as well as valuable SOC2 advice, Johanson Group for keeping us on our toes through audits, and ZX Security/Chaleit for penetration testing our infrastructure and code (to learn more about our security partnerships, you can read all about our work with Chaleit here).
And to learn more about our security protocols and how we deliver the highest standards to our customers, feel free to book a demo call with us. Security is a top priority for us, so we're always happy to get in the weeds and talk details about how we meet the most stringent requirements.