Security Practices

1.Purpose

This Security Practices statement outlines the safeguards we implement to protect the integrity of the RunPayway™ platform and the Income Stability Score™ records.

This document provides a high-level overview of security practices and does not disclose detailed technical configurations.

This statement is informational in nature and does not constitute a guarantee of security.

2.Platform Architecture Controls

RunPayway™ incorporates technical and administrative safeguards designed to protect the integrity of the platform and the data you provide. These include:

• Deterministic scoring integrity
• Immutability of assessment records
• Controlled access to platform records and API endpoints
• Authenticated registry verification

Security controls are integrated into system design consistent with operational and platform requirements.

3.Data Protection Measures

We implement various security measures to protect your data, including but not limited to:

• Encrypted transmission of data using HTTPS
• API key authentication for scoring and data export endpoints
• HMAC-SHA256 signed payment tokens with expiry verification
• Structured logging of submission and verification events
• Separation of scoring logic from client-facing interfaces

Sensitive payment data is processed via Stripe, an external payment processor.

RunPayway™ does not receive or store full payment card numbers.

4.Access Controls

Access to administrative systems is restricted to authorized personnel only. We implement:

Role-based permissions, subject to periodic internal review.

Authentication safeguards to protect registry endpoints, payment verification, and scoring infrastructure.

5.Logging & Monitoring

We maintain structured logging to monitor:

• System integrity
• Abuse detection
• Audit review
• Dispute investigation

Logs are retained only as necessary to maintain operational integrity and audit traceability.

6.Third-Party Service Providers

RunPayway™ uses third-party providers for infrastructure hosting and payment processing.

These providers maintain their own security practices and compliance standards.

RunPayway™ does not warrant or represent the security practices of third-party providers.

Users are subject to the terms and privacy policies of those providers where applicable.

7.Incident Evaluation & Response

Security incidents are evaluated based on the potential risk to platform integrity or personal information.

If a confirmed incident affects personal information, RunPayway™ will take appropriate steps, consistent with applicable laws.

Response actions may include:

• Investigation
• Containment
• Remediation
• Notification, where legally required

8.Responsible Disclosure

If you identify a potential security vulnerability, you may submit a report via the RunPayway™ contact form.

We will review and evaluate responsible disclosures in line with our internal security procedures.

9.Limitations

No system can be guaranteed to be completely secure.

RunPayway™ does not warrant that unauthorized access will never occur.

Users are responsible for maintaining the confidentiality of their assessment records, verification links, and authorization codes.

10.Continuous Review

Security practices are reviewed periodically and may be updated as part of ongoing system improvements.

Updates will not alter previously issued assessment records.

11.Framework Alignment

RunPayway™ is designed to align with recognized security and privacy frameworks. While certification is a formal process that requires independent third-party auditing, our security practices are structured with the following frameworks in mind:

• SOC 2 Type II — RunPayway™ security controls are designed around the SOC 2 Type II Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy. Formal certification is on our roadmap.
• ISO 27001 — RunPayway™ security practices are informed by the ISO 27001 Information Security Management System (ISMS) framework, including risk assessment, access control, and continuous improvement.
• GDPR — Data processing practices are designed to satisfy the requirements of the General Data Protection Regulation, including data minimization, purpose limitation, and data subject rights.
• CCPA/CPRA — Privacy practices support California Consumer Privacy Act rights including access, deletion, correction, and opt-out mechanisms.

Framework alignment does not constitute certification. RunPayway™ will update this section as formal audit and certification milestones are achieved.

Enterprise customers requiring detailed security documentation may request additional information through the contact form.