Security

runpiper is built for security-first agent deployments. It protects sensitive data by default and gives teams the controls they need to pass security reviews and maintain compliance.

Why teams choose runpiper

  • All task inputs, outputs, errors, and secrets are encrypted at rest before they ever touch storage.
  • Per-tenant encryption keys keep customer data isolated.
  • The master key is stored outside the database and requires a passphrase at boot.
  • Agents never have access to encryption keys, so stored data stays protected.
  • Self-hosting keeps data residency and infrastructure control in your hands.

Quick facts

  • Task inputs, outputs, and errors are encrypted before database writes.
  • Organization secrets and webhook tokens are never stored in plaintext.
  • Per-tenant keys are derived in memory and zeroized after use.
  • A database-only breach cannot expose customer data.
  • Crypto initialization happens before the server accepts requests.

Built-in security controls

Encryption and key management

  • AES-256-GCM envelope encryption for all sensitive objects.
  • Inputs, outputs, errors, secrets, and webhook tokens are encrypted at rest.
  • Unique keys per tenant, derived at runtime and zeroized when dropped.
  • Encrypted master key stored outside the database (disk or S3 keystore).
  • Servers refuse to start without crypto initialization.

Tenant isolation

  • Each organization has its own derived encryption keys.
  • Cross-tenant access is blocked at the crypto boundary.
  • A database-only breach cannot decrypt tenant data.

Access control

  • Scoped API keys support least-privilege usage.
  • Self-hosted admin keys never live in config files.
  • Rate limiting and endpoint scoping are available for hosted and self-hosted deployments.

Agent isolation

  • Agents never receive the master passphrase or encrypted master key.
  • Decryption happens only inside the server process.
  • Long-lived key material is not stored alongside agent data.

Auditability

  • Complete logs for agent executions and capability calls.
  • Exportable logs for SIEM or audit review workflows.

Operational guardrails

  • Startup requires a master passphrase and keystore configuration.
  • Repositories refuse encrypt/decrypt if crypto is not initialized.
  • Misconfiguration fails closed instead of running insecurely.

Recommended security practices

  • Use least-privilege API keys per workload.
  • Store secrets in environment variables, not config files.
  • Enforce TLS for all traffic to the API and database.
  • Rotate API keys and audit access regularly.

Compliance support

runpiper provides security controls that map cleanly to common compliance frameworks. You still own your policies, procedures, and organizational controls, but runpiper reduces the platform-level burden.

SOC 2

  • Encryption at rest and in transit support confidentiality criteria.
  • Audit logs and access controls support security and monitoring evidence.
  • Key management practices support logical access requirements.

ISO 27001

  • Crypto separation and tenant isolation align with data protection controls.
  • Logging and monitoring support operational security controls.
  • Self-hosting enables asset inventory and data location requirements.

HIPAA

  • Encryption and access controls help protect ePHI.
  • Audit logs support access tracking and incident investigations.
  • Self-hosting supports regulated hosting environments and data residency.

GDPR

  • Data minimization and retention policies can be enforced at the workflow level.
  • Self-hosting supports EU data residency requirements.
  • Encryption and access controls protect personal data.

What you should document for audits

  • Data flow diagrams that show encryption at rest and in transit.
  • Key management procedures for passphrase handling and keystore storage.
  • Access control policies for API keys and user accounts.
  • Log retention and monitoring policies.

Next steps