Security at RunBeat Media

We take the security of our platforms and your data seriously. This page outlines the measures we have in place to protect the RunBeat ecosystem — including RunBeat Pulse, RunBeat CRM, and RunBeat Compliance.

Infrastructure Security

Cloud Hosting

All RunBeat application services are hosted on Amazon Web Services (AWS) in the UK. Audio streaming is delivered via EU-based datacentres. AWS maintains industry-leading security certifications including ISO 27001, SOC 2, and GDPR compliance.

• Application data is stored and processed within the UK; streaming is delivered via EU datacentres
• Infrastructure is provisioned using scripted, repeatable deployments
• Services run in isolated environments with least-privilege access controls

Network Security

• All traffic is encrypted in transit using TLS 1.2/1.3
• HTTP Strict Transport Security (HSTS) is enforced with preload
• API endpoints are protected by rate limiting to prevent abuse
• Web Application Firewall rules protect against common attack vectors
• Content Security Policy (CSP) headers prevent cross-site scripting

Data Protection

Encryption

• All data is encrypted at rest using AES-256 encryption
• Database connections use TLS with certificate verification
• Sensitive configuration values are encrypted using AES-256-GCM
• Credentials are managed through secure secrets management services

Backups and Recovery

• Automated database backups with 14-day retention and point-in-time recovery
• Media files are replicated across multiple geographic regions
• File versioning protects against accidental deletion or corruption
• Deletion protection is enabled on all critical data stores

Data Isolation

RunBeat Pulse operates as a multi-tenant platform with strict data isolation between stations. Each station's data — media, schedules, compliance records, and user accounts — is logically separated and access-controlled at the application level.

Authentication and Access Control

• User authentication is handled by AWS Cognito with support for Microsoft 365 single sign-on
• All API requests require valid, signed authentication tokens
• Role-based access control (RBAC) restricts actions based on user permissions
• Session tokens have limited lifetimes and are automatically refreshed
• Authentication endpoints have stricter rate limiting to prevent brute-force attacks

Email Security

• SPF, DKIM, and DMARC are configured on all RunBeat domains
• Outbound emails are sent through authenticated, verified sending services
• Email content is sanitised to prevent injection attacks

Application Security

• All user input is validated and parameterised to prevent injection attacks
• User-generated content is sanitised before rendering
• File uploads are validated for type, size, and content
• Dependencies are regularly audited for known vulnerabilities
• Error messages are sanitised to prevent information disclosure
• Security headers are applied to all responses (CSP, X-Frame-Options, HSTS, Referrer-Policy, Permissions-Policy)

Monitoring and Incident Response

• Application and infrastructure logs are shipped to centralised monitoring
• Automated alerts trigger on error rate spikes and anomalous activity
• Regular security reviews are conducted on the codebase and infrastructure

Compliance

RunBeat Compliance — our compliance framework built around the Ofcom Broadcasting Code — maintains regulatory-grade audit trails. Compliance decisions are retained for a minimum of two years to support stations in demonstrating due diligence under the Broadcasting Code, and cannot be deleted during the retention period.

Responsible Disclosure

If you discover a security vulnerability in any RunBeat service, please report it responsibly through our contact page. We appreciate your help in keeping our platform secure.