Security & Compliance

Security & Compliance

Security and compliance are fundamental to Outrun's architecture. We implement comprehensive security measures and maintain strict compliance standards to protect your data while enabling global business operations.

Security First

Your data security and privacy are our top priorities. We implement enterprise-grade security measures and maintain transparent compliance practices across all regions.

Compliance Framework

SOC 2 Compliance Journey

We are actively working towards SOC 2 Type II certification:

  • Current Status: SOC 2 compliance implementation in progress
  • Target Completion: Full certification by Q2 2024
  • Scope: All data processing and storage operations
  • Third-Party Auditing: Independent security assessment and validation

SOC 2 Trust Principles

Our compliance framework addresses all five trust principles:

Security

  • • Multi-factor authentication
  • • Encryption at rest and in transit
  • • Access controls and monitoring
  • • Incident response procedures

Availability

  • • 99.9% uptime SLA
  • • Multi-region redundancy
  • • Automated failover systems
  • • Disaster recovery planning

Processing Integrity

  • • Data validation and verification
  • • Audit trails and logging
  • • Error detection and correction
  • • Quality assurance processes

Confidentiality

  • • Data encryption and protection
  • • Access restriction controls
  • • Employee background checks
  • • Confidentiality agreements

Regional Compliance Strategy

Data Localization Benefits

Our regional provider strategy enhances compliance:

  • Local Jurisdiction: Providers domiciled in their operating regions
  • Regulatory Expertise: Deep understanding of local data protection laws
  • Reduced Risk: Minimized cross-border data transfer complications
  • Audit Simplification: Streamlined compliance verification processes

Multi-Jurisdiction Support

🇪🇺 GDPR Compliance

  • • EU data stored within EU boundaries
  • • Right to be forgotten implementation
  • • Data portability support
  • • Consent management systems
  • • Data Protection Impact Assessments

🇺🇸 US Privacy Laws

  • • CCPA compliance for California data
  • • CPRA enhanced privacy rights
  • • State-specific privacy requirements
  • • Federal compliance standards
  • • Industry-specific regulations

🇦🇺 Australian Privacy

  • • Privacy Act 1988 compliance
  • • Australian Privacy Principles
  • • Notifiable data breach scheme
  • • Consumer Data Right support
  • • Government data handling standards

🇨🇦 PIPEDA Compliance

  • • Personal Information Protection
  • • Provincial privacy law alignment
  • • Cross-border data transfer rules
  • • Breach notification requirements
  • • Privacy impact assessments

Data Security

Encryption Standards

Data at Rest

All stored data is encrypted using industry-standard encryption:

{
  "encryptionStandard": "AES-256",
  "keyManagement": "Hardware Security Modules (HSM)",
  "keyRotation": "Automatic 90-day rotation",
  "backupEncryption": "Separate encryption keys for backups",
  "databaseEncryption": "Transparent Data Encryption (TDE)"
}

Data in Transit

All data transmission is secured with modern encryption protocols:

  • TLS 1.3: Latest transport layer security
  • Perfect Forward Secrecy: Unique session keys
  • Certificate Pinning: Protection against man-in-the-middle attacks
  • API Security: OAuth 2.0 and JWT token authentication

Access Controls

Multi-Factor Authentication (MFA)

  • Required for All Users: No exceptions for administrative access
  • Multiple Methods: SMS, authenticator apps, hardware tokens
  • Conditional Access: Risk-based authentication policies
  • Session Management: Automatic timeout and re-authentication

Role-Based Access Control (RBAC)

{
  "roles": {
    "workspace_admin": {
      "permissions": ["read", "write", "delete", "manage_users"],
      "scope": "workspace"
    },
    "data_analyst": {
      "permissions": ["read", "export"],
      "scope": "specific_sources"
    },
    "integration_manager": {
      "permissions": ["read", "write", "configure_sources"],
      "scope": "integrations"
    }
  }
}

Security Monitoring

Continuous Monitoring

  • 24/7 Security Operations Center: Real-time threat monitoring
  • Automated Threat Detection: AI-powered anomaly detection
  • Incident Response: Rapid response to security events
  • Vulnerability Management: Regular security assessments and patching

Audit Logging

All system activities are comprehensively logged:

  • User Actions: Complete audit trail of user activities
  • System Events: Infrastructure and application events
  • Data Access: Detailed logging of data access patterns
  • API Calls: Full API request and response logging
  • Retention: 7-year log retention for compliance

Data Ownership & Privacy

Your Data Belongs to You

Clear Ownership Policy

  • Customer Data Ownership: You retain full ownership of all data you provide
  • No Secondary Use: We never use your data for our own business purposes
  • No Data Mining: Your data is not analyzed for competitive intelligence
  • No Advertising: Your data is never used for advertising or marketing

Data Usage Transparency

{
  "dataUsage": {
    "customerData": {
      "purpose": "Providing synchronization services only",
      "sharing": "Never shared with third parties",
      "retention": "As long as you maintain your account",
      "deletion": "Complete deletion upon account termination"
    },
    "analyticsData": {
      "purpose": "Improving user experience and platform performance",
      "collection": "Anonymized usage patterns only",
      "sharing": "Aggregated insights only, never individual data",
      "optOut": "Available upon request"
    }
  }
}

Data Isolation

Workspace-Level Separation

  • Logical Database Isolation: Each workspace has a separate tenant database
  • Access Boundaries: Strict enforcement of workspace boundaries
  • No Cross-Contamination: Data never mixed between workspaces
  • Independent Processing: Separate processing pipelines per workspace

Multi-Tenant Security

  • Tenant Isolation: Complete separation between customer environments
  • Resource Allocation: Dedicated resources prevent resource-based attacks
  • Network Segmentation: Isolated network paths for each tenant
  • Monitoring Separation: Independent monitoring and alerting per tenant

Australian Business Stability

Regulatory Environment

Outrun is headquartered in Australia, providing several advantages:

Political Stability

  • Stable Democracy: Consistent regulatory environment
  • Rule of Law: Strong legal framework and property rights
  • International Relations: Respected member of international community
  • Economic Stability: AAA credit rating and stable currency

Data Sovereignty Respect

  • International Law Compliance: Respect for other nations' data sovereignty
  • No Forced Data Access: Strong legal protections against forced data disclosure
  • Transparent Legal Process: Clear legal procedures for any data requests
  • Customer Notification: Commitment to notify customers of any legal requests

Business Continuity

Corporate Governance

  • Australian Corporate Law: Governed by robust corporate regulations
  • Financial Transparency: Regular financial reporting and auditing
  • Board Oversight: Independent board governance and oversight
  • Regulatory Compliance: Full compliance with Australian business regulations

Operational Resilience

  • Disaster Recovery: Comprehensive business continuity planning
  • Financial Stability: Strong financial position and backing
  • Team Distribution: Globally distributed team for operational resilience
  • Vendor Diversification: Multiple vendor relationships to reduce single points of failure

Analytics & Tracking

Platform Analytics

We collect limited analytics data to improve our service:

What We Collect

  • Usage Patterns: How features are used (anonymized)
  • Performance Metrics: System performance and reliability data
  • Error Tracking: Application errors and system issues
  • User Interface Interactions: UI usage patterns for improvement

What We Don't Collect

  • Personal Data: No personally identifiable information in analytics
  • Business Data: No access to your actual business data
  • Sensitive Information: No collection of sensitive or confidential data
  • Cross-Workspace Data: No correlation of data across different workspaces

Tracking Pixels

Limited use of tracking pixels for user experience optimization:

{
  "trackingPixels": {
    "purpose": "User experience optimization",
    "dataCollected": [
      "Page views and navigation patterns",
      "Feature usage statistics",
      "Performance metrics",
      "Error occurrences"
    ],
    "dataNotCollected": [
      "Personal information",
      "Business data content",
      "Cross-site tracking",
      "Third-party sharing"
    ],
    "optOut": "Available in user preferences"
  }
}

Incident Response

Security Incident Management

Response Timeline

  • Detection: Automated monitoring with < 5 minute detection
  • Assessment: Initial assessment within 15 minutes
  • Containment: Immediate containment measures within 30 minutes
  • Communication: Customer notification within 2 hours (if affected)
  • Resolution: Full resolution and post-incident review

Communication Protocol

  • Immediate Notification: Critical security incidents
  • Regular Updates: Status updates every 2 hours during incidents
  • Post-Incident Report: Detailed analysis within 48 hours
  • Lessons Learned: Process improvements based on incidents

Data Breach Response

Breach Management Process

  1. Immediate Containment: Stop the breach and secure systems
  2. Impact Assessment: Determine scope and affected data
  3. Regulatory Notification: Comply with breach notification laws
  4. Customer Communication: Transparent communication with affected customers
  5. Remediation: Implement fixes and prevent recurrence

Compliance Certifications

Current Certifications

  • ISO 27001: Information Security Management (in progress)
  • SOC 2 Type II: Security and availability controls (in progress)
  • Regional Compliance: GDPR, CCPA, Privacy Act compliance

Planned Certifications

  • ISO 27017: Cloud security controls
  • ISO 27018: Cloud privacy controls
  • FedRAMP: US government cloud security (future consideration)

Best Practices for Customers

Data Security Recommendations

  1. Strong Authentication: Use MFA for all user accounts
  2. Regular Access Reviews: Periodically review user access permissions
  3. Data Classification: Classify data sensitivity levels appropriately
  4. Incident Reporting: Report any suspected security incidents immediately

Compliance Preparation

  1. Data Mapping: Understand what data is stored where
  2. Privacy Policies: Update privacy policies to reflect Outrun usage
  3. Consent Management: Ensure proper consent for data processing
  4. Regular Audits: Conduct regular compliance audits

Next Steps

Learn About Storage

Understand Outrun's multi-region storage architecture and data placement.

Storage Architecture →

Get Started

Set up your first secure data synchronization workflow.

Quick Start Guide →

Security and compliance are not just features - they're fundamental to how we build and operate Outrun. Your trust is our most valuable asset.

Copyright 2023 - LOON SHOOT PTY LTD.

terms | privacy | dpa | sitemap