1. Our approach
Security is built into Rundeck from the ground up. We handle sensitive business and staff data — rosters, timesheets, pay rates, operational records — and we take that responsibility seriously. Our security practices are designed to protect data confidentiality, integrity, and availability.
We continuously review and improve our security posture as the platform evolves. This page reflects our current controls and is updated when meaningful changes are made.
Note: Where SOC 2 Type II or PCI-DSS certifications are mentioned on this page, these certifications belong to our infrastructure providers (Supabase, Vercel, Stripe) — not to Rundeck itself. We have selected these providers specifically because of their independently verified security posture.
2. Infrastructure & hosting
Rundeck runs on enterprise-grade cloud infrastructure provided by trusted vendors:
- Application hosting: Vercel — our Next.js application is deployed via Vercel with global edge caching and automatic HTTPS. Vercel maintains SOC 2 Type II certification.
- Database & authentication: Supabase — all data is stored on Supabase, which runs on AWS (US East). Supabase is SOC 2 Type II certified and undergoes regular third-party security audits.
- Content Delivery Network (CDN) — static assets are served via Vercel's edge network, reducing latency and attack surface.
Our infrastructure providers maintain physical security, environmental controls, and redundancy at their data centre facilities. We do not operate our own physical servers.
3. Encryption
We encrypt data both in transit and at rest:
- All data transmitted between your browser/app and our servers is encrypted using TLS 1.2 or higher (HTTPS enforced across all endpoints)
- All data stored in our database is encrypted at rest using AES-256
- Passwords are never stored in plaintext — we use Supabase Auth's bcrypt-based hashing
- Authentication tokens are signed and short-lived, with automatic rotation
- Backups are encrypted using the same AES-256 standard
4. Access controls
We apply strict access controls at every layer of the system:
Data isolation
Every business on Rundeck is completely isolated from others. We use Supabase's Row Level Security (RLS) — a database-level enforcement mechanism that ensures queries automatically filter to the authenticated user's business. Even if application-layer logic were bypassed, the database would not return another business's data.
Role-based permissions
Within each business, access is controlled by the roles you define. Managers can be granted granular permissions — for example, a staff member may be able to view the roster but not access pay rates or approve leave. Permissions are enforced server-side.
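The two mechanisms described above (tenant isolation through Row Level Security, and role-based narrowing within a business) can be seen together in a small Postgres/Supabase schema. This is an added illustration, not Rundeck's own schema or policies: the table and column names (businesses, memberships, shifts, pay_rates, can_view_pay_rates) and the my_business_ids() helper are hypothetical, while auth.uid() is Supabase's built-in function that returns the signed-in user's id from the request JWT.

```sql
-- Added example (hypothetical schema, not Rundeck's): tenant isolation and
-- role checks enforced by Postgres Row Level Security, as used on Supabase.
-- auth.uid() is Supabase's helper returning the caller's user id from the JWT.

create table businesses (
  id   uuid primary key default gen_random_uuid(),
  name text not null
);

create table memberships (
  user_id            uuid not null,                        -- auth.users.id
  business_id        uuid not null references businesses(id),
  role               text not null check (role in ('owner', 'manager', 'staff')),
  can_view_pay_rates boolean not null default false,       -- granular permission
  primary key (user_id, business_id)
);

create table shifts (
  id          uuid primary key default gen_random_uuid(),
  business_id uuid not null references businesses(id),
  user_id     uuid not null,
  starts_at   timestamptz not null,
  ends_at     timestamptz not null
);

create table pay_rates (
  id          uuid primary key default gen_random_uuid(),
  business_id uuid not null references businesses(id),
  user_id     uuid not null,
  hourly_rate numeric(10, 2) not null
);

-- Enable RLS. With RLS on and no policy, ordinary roles get zero rows,
-- so a forgotten policy fails closed rather than open.
alter table memberships enable row level security;
alter table shifts      enable row level security;
alter table pay_rates   enable row level security;

-- Helper: the businesses the caller belongs to. security definer lets it read
-- memberships regardless of that table's own policies; search_path is pinned.
create function my_business_ids() returns setof uuid
language sql stable security definer set search_path = public as $$
  select business_id from memberships where user_id = auth.uid()
$$;

-- A member can see only their own membership rows.
create policy memberships_self on memberships
  for select using (user_id = auth.uid());

-- Tenant isolation: every read of shifts is filtered to the caller's
-- businesses, and writes that target another business are rejected.
create policy shifts_tenant on shifts
  for all
  using      (business_id in (select my_business_ids()))
  with check (business_id in (select my_business_ids()));

-- Role-based narrowing: pay rates are readable only by a member of the same
-- business who is an owner or has been granted can_view_pay_rates ...
create policy pay_rates_by_role on pay_rates
  for select using (
    exists (
      select 1 from memberships m
      where m.user_id = auth.uid()
        and m.business_id = pay_rates.business_id
        and (m.role = 'owner' or m.can_view_pay_rates)
    )
  );

-- ... while staff can still see their own rate (policies are OR-ed together).
create policy pay_rates_own on pay_rates
  for select using (user_id = auth.uid());

-- The application query carries no business filter; the policy supplies it.
-- Issued with a JWT for business A, this returns only business A's shifts,
-- even though the statement has no WHERE clause at all.
select id, user_id, starts_at, ends_at from shifts;
```

Two caveats a practitioner should keep in mind: RLS is bypassed by table owners and superusers unless `alter table ... force row level security` is set, and Supabase's service-role key bypasses RLS entirely, so that key must only ever be used server-side and never shipped to a browser or mobile client. The defence-in-depth claim above holds only when client requests run under the anon/authenticated roles.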
Internal access
- Access to production systems is restricted to a minimal number of authorised personnel
- Production access requires multi-factor authentication (MFA)
- All administrative actions on production systems are logged
- Team members do not access customer data except when required for support, with explicit customer consent
5. Application security
We follow secure development practices throughout the software development lifecycle:
- All dependencies are regularly reviewed and updated to address known vulnerabilities
- We follow OWASP Top 10 guidelines to protect against common web vulnerabilities (SQL injection, XSS, CSRF, etc.)
- Input validation and sanitisation are applied on all user-facing forms and API endpoints
- API endpoints enforce authentication and authorisation checks — unauthenticated requests are rejected
- Rate limiting is applied to authentication endpoints to protect against brute-force attacks
- Security headers (CSP, HSTS, X-Frame-Options) are enforced on all responses
6. Incident response
In the event of a security incident, we follow a structured response process:
- Detection — automated monitoring and alerting for anomalous activity, authentication failures, and infrastructure events
- Containment — immediate steps to isolate affected systems and prevent further exposure
- Assessment — determine scope, impact, and root cause of the incident
- Notification — affected customers and the Office of the Australian Information Commissioner (OAIC) will be notified within 30 days of becoming aware of an eligible data breach, in accordance with the Notifiable Data Breaches (NDB) scheme
- Remediation — fix the root cause and implement additional controls to prevent recurrence
- Post-incident review — document learnings and update security practices accordingly
7. Sub-processors & third parties
We share data with a limited number of third-party providers, each selected for their security posture:
- Supabase Inc. — database, authentication (SOC 2 Type II, AWS-hosted)
- Vercel Inc. — application hosting (SOC 2 Type II)
- Stripe Inc. — payment processing (PCI-DSS Level 1 certified)
- Google LLC — optional OAuth sign-in only
We do not share your data with advertising networks, data brokers, or analytics companies that track users across the web.
8. Responsible disclosure
If you discover a security vulnerability in Rundeck, we encourage responsible disclosure. Please:
- Email us at hello@rundeck.com.au with the subject line "Security Report"
- Include a clear description of the vulnerability and steps to reproduce it
- Do not publicly disclose the issue until we have had a reasonable opportunity to investigate and resolve it
- Do not access, modify, or delete data belonging to other users during your testing
We will acknowledge receipt within 2 business days and keep you informed of our progress. We are grateful to security researchers who help us keep Rundeck safe and will credit researchers who identify valid issues (with their consent).
We do not currently operate a formal bug bounty programme, but we review all responsible disclosures seriously.