Automate & Orchestrate with Confidence
Policy-Driven. Audit-Ready. Secure.
Built for Security at Every Layer
Security is built into everything we do - from how we hire and empower our people, to the safeguards in our product, to the governance and controls that protect your data and support your compliance obligations.
This Trust Center gives you a clear overview of how we secure your users, your ScriptRunner deployments, and data across people, product, and compliance.

Certifications & Compliance
Independent validation matters. ScriptRunner’s security and compliance posture is regularly reviewed by external auditors and security experts. Through certifications and third-party assessments such as ISO 27001 and independent penetration tests, we demonstrate our commitment to the highest standards of information security.

ISO/IEC 27001
ScriptRunner aligns with the principles of ISO/IEC 27001:2022 and follows a structured, risk-based approach to securing systems, automations, and customer data.
Our focus is on strong access and permission management (RBAC, least privilege, MFA), full traceability and versioning of scripts and configurations, high availability through monitoring and backup strategies, and the protection of sensitive and personal data in line with GDPR and international standards.
Through continuous risk management, audits, and ongoing process improvements, we ensure that ScriptRunner is operated in a secure, compliant, and audit-ready manner within modern IT environments. The ScriptRunner ISO/IEC 27001:2022 certificate is available to customers upon request.

Penetration Tests
ScriptRunner conducts scheduled penetration tests to proactively identify and remediate security vulnerabilities across its platform and supporting infrastructure. Each test follows a structured process that includes defining the test scope, executing the penetration test, evaluating critical findings, applying necessary patches, and documenting successful remediation and implementation.
All activities are formally documented, including the planned penetration test schedule and defined test scope, ensuring full traceability and audit readiness.
In addition, ScriptRunner maintains regular system backups to ensure business continuity and rapid recovery in the event of incidents, supporting the availability and resilience of all critical services.
"We were impressed by the high level of maturity of the security measures implemented. It is rare in practice and speaks for a consistently applied ”security by design“ approach that no high-risk or critical vulnerabilities were identified within the scope of our defined testing."
- PCG Group
ScriptRunner develops its solutions in line with recognized standards for security, privacy, and operational resilience. By following these established frameworks, we ensure our platform is founded on trust, responsibility, and robust protection mechanisms.
General Data Protection Regulation (GDPR)
GDPR is the EU's data protection framework governing how personal data is collected and processed. Enforced since May 2018, it strengthened individual privacy rights and applies to any organization worldwide that handles personal data of EU or EEA residents.
NIS2
NIS2 strengthens cybersecurity requirements for critical and important sectors across the EU. Member States must implement it into national law by October 2024, requiring organizations to apply appropriate risk management and security measures and to promptly report significant cyber incidents.
DORA
DORA defines a unified EU framework to strengthen the digital operational resilience of financial institutions. In force since January 2023 and applicable from January 2025, it focuses on ICT risk management, consistent incident reporting, resilience testing, and oversight of third-party ICT providers.
FedRAMP
FedRAMP is a U.S. government program that defines standardized security requirements for cloud services used by federal agencies. It provides a consistent approach to security assessment, authorization, and continuous monitoring to ensure cloud offerings meet strict federal security standards.
NIST-SP 800-53
NIST-SP 800-53 provides a comprehensive set of security and privacy controls to help organizations protect information systems and manage cybersecurity risk, particularly in government and regulated environments.
Cyber Resilience Act (CRA)
The Cyber Resilience Act (CRA) establishes EU-wide cybersecurity requirements for digital products, aiming to improve security throughout their lifecycle and ensure vulnerabilities are addressed before and after products reach the market.
Artificial Intelligence (AI)
Artificial intelligence is becoming a strategic priority for modern IT. ScriptRunner actively aligns its platform and governance approach with emerging AI regulations and standards, including:
EU AI Act
U.S. Federal AI Governance and Transparency Act of 2024
Product & Platform Security
ScriptRunner delivers a security-first, policy-driven automation platform that centralizes control, embeds governance, and ensures every action is fully audited and compliant. By keeping execution, identity protection, and credential handling strictly governed in one unified system, ScriptRunner provides a secure foundation for all automated operations.
Role-based Access Control (RBAC)
Role‑based access control (RBAC) ensures that only authorized users can execute specific actions, enforcing strict, policy‑driven permissions across all automation activities. This provides a secure delegation model that minimizes privilege exposure while maintaining full traceability for compliance.
Audit Readiness & Versioning
Audit Readiness & Versioning ensures full traceability with centralized logs, reporting, and controlled version history for every script and action, making audits seamless and compliant. This provides a single source of truth through governed version control and approval workflows, eliminating inconsistencies and enabling reliable, audit-ready automation at scale.
Policies
Policies enforce consistent, secure, and compliant automation by centrally defining how scripts are executed across cloud, hybrid, and on‑prem environments. They provide a policy‑driven framework that standardizes execution, reduces risk, and ensures governance at scale.
Approval Workflows
Approval workflows add a secure human‑in‑the‑loop checkpoint, ensuring sensitive or high‑impact automations only run after designated approvers verify and authorize the request. This controlled approval layer strengthens governance, reduces risk, and maintains compliance across cloud, hybrid, and on‑prem environments.
Password-free Scripts
ScriptRunner enables password‑free scripting by retrieving credentials securely at runtime from external vaults, never embedding or storing passwords in scripts. This keeps secrets centralized, auditable, and protected.
Script Injection Prevention
No security-relevant credentials in the script (ever!). No code that can be smuggled in via input fields. Achieve a level of security that significantly exceeds PowerShell standards.
Encryption
ScriptRunner supports TDE‑enabled SQL Server databases, ensuring all configuration and report data is fully encrypted to meet GDPR, HIPAA, and PCI‑DSS requirements. It also adds an internal security layer by re‑encrypting credentials from Windows CredStore or Azure Key Vault with AES‑256, ensuring secrets remain protected even if the underlying store is compromised.
No Direct System Access
ScriptRunner prevents direct, unrestricted access by users and administrators to central IT resources. Actions are executed exclusively by ScriptRunner servers.
Organizational Security
Data Privacy Training
Employees receive regular data privacy training to ensure personal and sensitive data is handled in line with applicable data protection laws and best practices.
Information Security Training
Information security training is provided to build awareness of secure behaviors and to reduce risks related to data access, handling, and protection.
Phishing Awareness Training
Phishing awareness training helps employees recognize and respond appropriately to social engineering and email‑based threats.
Third-Party Background Checks
Background checks are conducted for relevant personnel in accordance with local laws and regulations to support a trusted working environment.
Confidentiality Agreements
All employees and relevant contractors are required to sign confidentiality agreements to protect customer and company information.
Disaster & Recovery Plans
Disaster recovery and business continuity plans are in place to support the availability of services and the timely restoration of operations in the event of a disruption.
Information Security
Information Security Officer (ISO) and Compliance Officer
ScriptRunner has appointed a dedicated Information Security Officer (ISO) and Compliance Officer to oversee and continuously strengthen our security and regulatory posture. The ISO is responsible for defining, implementing, and monitoring our information security strategy, ensuring that appropriate technical and organizational measures are in place to protect customer data and systems.
The Compliance Officer ensures that our processes align with applicable legal, regulatory, and industry requirements, and supports ongoing risk assessments, audits, and internal controls. Together, they promote a culture of security, transparency, and accountability across the organization, ensuring that security and compliance are embedded into our operations, product development, and decision-making processes.
Data Privacy Officer
ScriptRunner has appointed a dedicated Data Privacy Officer (DPO) to oversee the protection of personal data across our organization. The DPO ensures that the collection, processing, storage, and transfer of personal data are conducted in accordance with applicable data protection laws and regulatory requirements.
The DPO monitors compliance with privacy regulations, advises on data protection impact assessments, and serves as a point of contact for supervisory authorities and data subjects. By embedding privacy-by-design and privacy-by-default principles into our processes and products, the DPO helps ensure that personal data is handled responsibly, transparently, and securely at all times.
Trusted by Enterprise IT Teams Worldwide
Leading organizations across industries rely on ScriptRunner to automate securely, enforce governance, and scale PowerShell operations with confidence. Explore how global enterprises trust our platform to meet their highest standards for security, compliance, and operational resilience.



