Security
Last updated: January 31, 2026
TL;DR
- All data encrypted in transit (TLS) and at rest
- API secrets encrypted using industry-standard methods
- Each user gets a dedicated execution environment
- Environments have resource limits (CPU, memory, network)
- User environments are isolated from each other
- Continuous vulnerability scanning
- Regular dependency updates
- Payment details handled securely by Paddle (we never see your card)
Security Assurance
Apyrun undergoes regular internal security reviews to verify that our security controls function as designed. In January 2026, we completed a comprehensive application-level security assessment covering authentication, authorization, tenant isolation, secrets management, and data protection.
Assessment outcome: No critical or high-severity vulnerabilities were identified. All tested security boundaries—including multi-tenant isolation and secrets protection—were verified to be functioning correctly.
Security is foundational to Apyrun. This page details the technical and organizational measures we implement to protect your data and code. For information about data handling, see our Data Policy.
While we implement industry-standard security practices, no system can guarantee absolute security. We continuously work to improve our security measures and promptly address any identified vulnerabilities.
Data Encryption
- In transit – all connections use TLS encryption (HTTPS)
- At rest – database and secrets encrypted using industry-standard methods
- SSL certificates – automatically managed and renewed
Environment Isolation
Each user runs in a dedicated environment with appropriate security measures:
- Separation – users are isolated from each other
- Resource limits – fair usage limits prevent abuse
- Restricted execution – code runs with appropriate security boundaries
Secret Management
Your API keys and credentials receive dedicated protection:
- Encrypted at rest — secrets are encrypted before storage and remain encrypted in our database
- Access-scoped — only your scripts, running in your environment, can access your secrets
- Runtime-only — secrets are decrypted only at the moment of use and are never persisted in plaintext
- Staff-invisible — Apyrun staff cannot read your API keys or credentials
We implement zero-knowledge encryption principles: your secrets are encrypted using keys derived from your authenticated identity. The platform cannot decrypt your secrets—only your authorized runtime environment can. This means that even in the event of a database breach, your credentials remain protected.
Vulnerability Management
- Continuous scanning – automated monitoring for vulnerabilities
- Automated alerts – security issues trigger immediate notifications
- Regular updates – dependencies updated promptly when issues are found
- Infrastructure updates – systems maintained with security patches
Security Testing & Verification
Our security posture is validated through a combination of automated and manual testing:
- Automated scanning — regular scans identify common vulnerabilities and misconfigurations
- Manual security testing — structured assessments verify authorization logic, tenant isolation, and data protection
- Dependency management — third-party libraries are monitored and updated when security issues are disclosed
- Internal security baseline — we maintain documented security standards and verify compliance regularly
Our security testing covers authentication, authorization, session management, secrets handling, browser automation sessions, and API access controls. We are prepared to engage external security firms for independent verification when appropriate.
Access Controls
- Authentication – secure session management with HTTP-only cookies
- API keys – scoped access for programmatic use
- Admin access – restricted to essential personnel only
- Audit logging – security-relevant actions are logged
Infrastructure
- Hosting – EU-based servers
- Rate limiting – protection against abuse
- Firewall – only necessary ports exposed
- Backups – regular database backups
Service Availability
We strive to maintain high availability of the Service. However, we cannot guarantee uninterrupted access. The Service may be temporarily unavailable due to:
- Scheduled maintenance (we aim to notify in advance)
- Security updates requiring immediate deployment
- Circumstances beyond our control
Payment Security
Payment processing is handled entirely by Paddle, our Merchant of Record. We never see, store, or process your credit card details.
Reporting Security Issues
We welcome responsible disclosure of security vulnerabilities. If you discover a security issue, please report it to security@apyrun.io
Please include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
We take all reports seriously. You can expect an initial acknowledgment within 48 hours, and we will keep you informed as we investigate and address the issue.
Questions?
For security-related questions, contact security@apyrun.io