Skip to content

Trust and governance

Enterprise evidence before a larger commitment.

Review identity, access posture, artifact shape, and data boundaries before sending sensitive material.

Current posture

Melbourne + Driver NT · ABN 93 166 541 669
BYOC · no cloud markup · No SOC 2 or ISO claim

Review pack before access

AI data-flow

Commercial identity, AI data-flow, BYOC access, and support checks are reviewable before deeper access.

  • Commercial identity

  • Security and access

  • Support model

Reviewable before signup

Verify identity, data boundaries, and artifact shape before sending sensitive material or signing a larger SOW.

  • ABN, location, service scope, and commercial paths are visible before contact.
  • BYOC, cloud billing, current website subprocessors, provider-hosted exceptions, data-flow assumptions, and NIST AI RMF / CSF 2.0 vocabulary are review inputs, not certification claims.
  • Architecture diagrams are requested through a separate upload instruction flow, not pasted into the website.
View 2 more buyer checks
  • Assessment outputs are framed as inspectable artifacts, not as unsupported case-study proof.
  • Security, risk, finance, and platform teams each have a clear reason to join the first conversation.

After the evidence review

Bring the right review questions.

Use this point to align procurement, platform, and AI data-flow questions before sending diagrams or credentials.

Operating model for enterprise review

The details below are designed to make the first enterprise review practical for security, risk, procurement, finance, and platform teams.

Data handling

Contact data is collected only when you submit it. Architecture diagram review starts with an email request, then upload instructions are sent separately.

View review checks
  • Do not send secrets, credentials, or production tokens through website forms.
  • Accepted diagram formats and upload path are confirmed before transfer.
  • Access is limited to people involved in scoping or delivery.

Infrastructure access

Access model, scope, and approvals are agreed before work starts. Production changes stay inside the client environment and change process.

View review checks
  • Least-privilege access and expiry are defined during onboarding.
  • Client repositories remain the source of truth for delivered code and documentation.
  • Emergency access and rollback expectations are written into the engagement plan.

AI rollout controls

AI tooling is rolled out with an operating model first: who can use it, what data may enter it, and how exceptions are approved.

View review checks
  • SSO, RBAC, allowed-tool policy, and human approval gates are mapped.
  • Prompt/data classification and provider-hosted exceptions are recorded.
  • Disable, rollback, and escalation paths are defined before production use.
View full operating model

Support and escalation

Managed support uses clear severity definitions, response targets, channels, and client prerequisites rather than ambiguous availability claims.

  • Response targets are not represented as resolution guarantees.
  • Critical coverage, support channels, and escalation contacts are defined in the SOW.
  • Client responsibilities such as monitoring access and incident context are explicit.

Commercial and legal

Fixed-scope work is documented before delivery. Legal terms, IP ownership, payment terms, and privacy handling stay explicit.

  • Statements of Work define scope, assumptions, exclusions, and acceptance criteria.
  • NDA and DPA requirements can be handled before sensitive material is exchanged.
  • Client-specific work product ownership follows the service agreement.

Current compliance posture

RunForge does not claim SOC 2 or ISO 27001 certification. We provide evidence-ready engineering artifacts for teams pursuing those controls.

  • No borrowed logos, implied certifications, or unapproved references are used.
  • Control support is separated from certification claims.
  • NIST AI RMF and NIST CSF 2.0 can frame review questions without implying certification.
  • Subprocessors currently referenced by the website include Web3Forms, Calendly, and Plausible.

Trust principles

The posture stays practical: visible business details, client-owned infrastructure, documented exceptions, and artifact-based proof.

Australian business context

RunForge has Melbourne VIC + Driver NT, Australia business locations, operates around Australian business hours, and serves Australia, New Zealand, and APAC.

Bring your own cloud

Clients keep their AWS, GCP, Azure, or selected provider accounts. RunForge does not resell cloud or hide cloud markup.

Documented exceptions

Self-hosted AI runs in Australian cloud regions by default. Provider-hosted tools or broader APAC footprints are treated as explicit exceptions.

Evidence before scale-up

Assessment work produces executive summaries, risk maps, roadmaps, runbooks, ownership models, and fixed-scope next options.

AI data-flow review

AI controls buyers can inspect before rollout.

Inspect the default boundary first, then expand the provider exceptions and approval evidence.

AI data-flow review

Bring provider exceptions, access, rollback, audit logging, repo permissions, or form-safety questions into the enterprise review.

Form safety: Send context only. Secrets, production tokens, credentials, and architecture diagrams move through an agreed transfer path.

AI data-flow matrix

Default boundary, hosted-provider exception, and approval path.

Default boundary

Data

Self-hosted AI workloads are scoped to Australian cloud regions in client-controlled infrastructure by default.

Provider exception and approval

Provider-hosted exception

Hosted model APIs, telemetry, support access, backups, or broader APAC deployment are treated as explicit exceptions.

Approval evidence

Each exception records data categories, business owner, control owner, retention assumptions, and review cadence.

Provider tooling

Tooling

Repo-local skills, evals, static checks, and Browser QA evidence stay in the client repository where practical.

Provider exception: Codex, Claude Code, Cursor, OpenCode, model APIs, or SaaS workflow tools may process prompts, repo context, diffs, logs, or telemetry depending on configuration.

Approval: Approved tools, excluded repositories, sensitive paths, and vendor settings are named before rollout.

View 2 more data-flow areas

Control

Access, secrets, logging, rollback, and runbooks remain inside the client environment and repository.

Exception: Vendor policy controls, SSO, RBAC, audit exports, disable paths, and admin ownership are reviewed before adoption.

Approval: Security, platform, and engineering approvers agree the first pilot scope before production use.

Exception path

No exception is needed when the workload, logs, and operations stay inside the agreed Australian-region boundary.

Exception: Exceptions are documented when prompts, source context, workflow payloads, telemetry, or support data can leave that boundary.

Approval: The exception register names the tool, data flow, approval owner, rollback path, and next review date.

Example artifact gallery

Sanitised examples, not client proof.

These labels describe the shape of work RunForge can produce. They do not imply an undisclosed client, certification, benchmark, or guaranteed outcome.

  • SSO and RBAC mapped before rollout
  • Approved-tool policy and exception register
  • Prompt and data classification guidance
View 3 more rollout controls
  • Human approval gates for agentic actions
  • Audit trail expectations and repository permissions
  • Disable, rollback, and escalation plan
Example

Risk map

Example severity view for platform, AI data-flow, access, and ownership decisions.

Example

AI roadmap

Example sequence that separates useful pilots from provider, data, and support constraints.

View 5 more artifacts
  • Agent controls

    Example permission matrix for tools, repos, command access, approvals, and rollback.

  • Data-flow exceptions

    Example register for hosted providers, telemetry, model APIs, backups, and broader APAC paths.

  • Runbook outline

    Example operating notes for deployment, disable paths, escalation, and handover.

  • Executive readout

    Example leadership summary with decisions needed before larger programme approval.

  • GitOps migration plan

    Example platform sequence covering repository structure, promotion, rollback, and ownership.

Next sensible step

Ready to start the enterprise review?

Book an enterprise review call. We'll work through your governance questions and agree what deeper access is needed before you share anything sensitive.

Book enterprise review call