Security Policy
Version 2.0.0 · Last updated May 5, 2026
1. Introduction
This Security Policy (the “Policy”) describes how Boost Run, Inc. (“Boost Run,” “we,” “our,” or “us”) protects the confidentiality, integrity, and availability of the Services we provide and the data entrusted to us by our customers. It is intended for prospective and existing customers, partners, security researchers, and anyone evaluating Boost Run’s security posture.
This Policy is part of, and incorporated by reference into, our Terms of Service, Privacy Policy, and Acceptable Use Policy. Detailed control evidence, audit reports, and supporting documentation are available through our Trust Center (subject to a mutual non-disclosure agreement, where applicable).
Scope. This Policy applies to the Services as defined below, including the Sites, the Platform, the Equipment, our supporting corporate IT systems, and the personnel and processes that operate them. It does not describe how customers should secure their own workloads or Customer Content; that is the customer’s responsibility under the shared-responsibility model described in Section 4.
2. Definitions
Capitalized terms not defined here have the meanings given in our Terms of Service or Privacy Policy. The following definitions apply throughout this Policy:
- Boost Run, Inc. — referred to as “Boost Run,” “we,” “us,” or “our.”
- User — a person or legal entity that accesses or uses the Services. Also referred to as “you” or “your.”
- Equipment — GPU servers, CPU servers, storage servers, and other AI accelerator and infrastructure devices made available through the Platform.
- Platform — the web user interface and API that allow a User to view, configure, provision, and rent Equipment.
- Services — the Sites, the Platform, the Equipment, and all related Boost Run hardware, software infrastructure, and informational or promotional content.
- Account — a User account on the Platform that grants permission to view pricing and inventory and to configure and rent Equipment.
- Customer Content — data, models, code, datasets, files, prompts, outputs, and other materials transmitted to, stored on, or processed using Equipment by or on behalf of a User.
- Subprocessor — a third party engaged by Boost Run to process data on our behalf in connection with the Services, including data-center operators, hosting providers, and other vendors listed at trust.boostrun.com.
3. Our Security Principles
Boost Run’s security program is built on the following principles, applied across every layer of the Services.
- Security by design. Security controls are integrated into the design and development of our systems from the outset, not added as an afterthought.
- Security by default. Systems are configured with secure defaults, so the most secure settings are enabled automatically without requiring customer intervention.
- Defense in depth. We layer technical, administrative, and physical controls so that no single failure compromises the confidentiality, integrity, or availability of the Services.
- Least privilege. Personnel and systems are granted only the minimum access required to perform their roles, and access is reviewed regularly.
- Zero standing access to Customer Content. Boost Run personnel do not have routine access to Customer Content. Where access is required for support, troubleshooting, or legal compliance, it is granted on a just-in-time, role-based, and audited basis.
- Continuous improvement. We continuously evaluate, test, and enhance our security practices to stay ahead of emerging threats, and we treat security as an ongoing program rather than a one-time project.
- Transparency. We publish this Policy, maintain a Trust Center, and make audit reports and security documentation available to customers under a mutual non-disclosure agreement.
4. Shared Responsibility Model
Cloud infrastructure security is a shared responsibility. Boost Run is responsible for the security of the underlying Equipment, network, Platform, and physical facilities. You are responsible for the security of what you build and run on top of the Services, including your Account credentials, the workloads and Customer Content you run on the Equipment, your own access controls and configurations, and your compliance with applicable laws for the data you process. The table below summarizes the allocation of responsibility.
| Layer / control | Boost Run | Customer |
|---|---|---|
| Customer Content (data, models, code, prompts, outputs) | — | Customer |
| Application code, libraries, and dependencies running on Equipment | — | Customer |
| Identity and access management within the customer environment (user roles, API keys, secrets in customer applications) | Provides IAM platform and tooling | Customer configures and manages |
| Operating system patching, hardening, and configuration on rented Equipment | Provides base images where offered | Customer (for customer-managed instances) |
| Encryption of Customer Content at the application layer and customer-held key management | — | Customer |
| Backups of Customer Content | Provides storage; offers backup features where applicable | Customer is responsible for backup configuration |
| Logging and monitoring of customer applications | Provides Platform audit logs | Customer monitors their own workloads |
| Platform IAM service, API, web console | Boost Run | — |
| Container and workload orchestration platform | Boost Run | — |
| Underlay network, routing, perimeter monitoring, firewalling | Boost Run | — |
| Hardware drivers, firmware, node lifecycle, endpoint detection on Boost Run managed nodes | Boost Run | — |
| Physical data center security, power, cooling, asset management | Boost Run (and our colocation providers) | — |
5. Compliance and Certifications
Boost Run’s security and compliance program is aligned with internationally recognized frameworks. We design our controls to support our customers’ own compliance obligations and to facilitate independent assessment.
We currently align our program to, and where indicated maintain certification or attestation against, the following frameworks:
- SOC 2 Type II — independent attestation against the AICPA Trust Services Criteria for security, availability, and confidentiality.
- ISO/IEC 27001 — information-security management system certification.
- ISO/IEC 27701 — privacy information-management extension to ISO/IEC 27001.
- ISO/IEC 27017 and 27018 — cloud-services security and protection of personally identifiable information in public clouds.
- ISO 22301 — business continuity management system standard.
- GDPR, UK GDPR, Swiss FADP, and Brazil LGPD — we operate the Services in a manner designed to support compliance with these data-protection regimes.
- CCPA / CPRA and other U.S. state privacy laws — see our Privacy Policy for details.
- HIPAA — we will sign a Business Associate Agreement with eligible customers and operate in accordance with our HIPAA Implementation Guideline for those engagements.
Customers and prospects can request copies of audit reports, certification letters, security overviews, and other compliance materials through their Boost Run account team or sales representative. Materials are typically provided once a mutual non-disclosure agreement is in place.
Note: The certifications listed above represent the current target state of our compliance program. Where a particular certification is in progress rather than already issued, the Trust Center identifies its status. Customers should always confirm current certification scope and status with our compliance team before relying on a particular attestation.
6. Identity and Access Management
We implement strict identity and access management (“IAM”) controls to ensure that only authorized users access our systems and the data they hold.
6.1 Customer-Facing IAM
- Multi-factor authentication (MFA) is supported, and required for privileged Account roles, on the Platform.
- Fine-grained, role-based access controls allow customers to define exactly who or what can perform specific actions on particular resources.
- Single sign-on (SSO) and federation are supported through OIDC and SAML, allowing customers to integrate the Platform with their enterprise identity provider (such as Okta or Microsoft Entra).
- Automated user provisioning is supported through SCIM, enabling customers to automatically federate users and groups from their identity provider into the Platform.
- API keys and service credentials can be created, scoped, rotated, and revoked through the Platform.
6.2 Internal Access Controls
- Access to Boost Run production systems and Customer-facing infrastructure is granted on a need-to-know, need-to-work, and least-privilege basis, with documented business justification and management approval.
- Privileged access is granted just-in-time, time-bounded, and logged, and is reviewed at least quarterly.
- All Boost Run personnel authenticate using strong credentials and MFA, and remote access to production environments is routed through controlled bastion hosts and protected by VPN.
- Access rights are reviewed and updated based on role changes, and revoked promptly upon termination or change of duties.
7. Encryption and Cryptography
Boost Run uses strong, industry-standard cryptography to protect data in transit and at rest.
- Data in transit between you and the Services, and between Boost Run systems, is encrypted using TLS 1.2 or higher with modern cipher suites. Internal management traffic is similarly protected.
- Data at rest on Boost Run managed storage services is encrypted using AES-256 or an equivalent modern algorithm. Object storage and managed databases are encrypted by default.
- Key management is performed using a dedicated key-management system with strict access controls, key rotation, and audit logging. Customers may, where supported, supply their own keys (“BYOK”) or use customer-managed encryption keys.
- Secrets management for customer workloads is supported through a dedicated secrets service that allows you to store API keys, tokens, and certificates in encrypted form rather than hardcoding them.
- Cryptographic standards are maintained in our internal Cryptography Standard, which is reviewed at least annually and updated to deprecate weak algorithms and protocols.
8. Customer Workload Isolation
Boost Run designs its infrastructure to enforce strong isolation between customer environments, preventing unauthorized access and data leakage across tenants.
- Compute isolation. Customer workloads run on isolated compute units. Where the Services are offered as bare-metal Equipment, the Equipment is single-tenant for the duration of the customer’s reservation. Where virtualization is used, customer workloads are isolated at the hypervisor or virtual-machine level.
- Network isolation. Customer environments are segmented using virtual private cloud (VPC) constructs that provide isolated software-defined networks. Customer-defined firewalls and security groups govern inbound and outbound connectivity.
- High-performance fabric isolation. On clusters that use InfiniBand or similar high-performance interconnects, traffic is segmented across the fabric so that data paths between tenants remain strictly separated.
- Storage isolation. Storage volumes and object-storage buckets are logically isolated and protected by IAM controls; cross-tenant access requires explicit configuration by an authorized user.
- Single-tenant clusters. For customers with elevated security or regulatory requirements, Boost Run offers physically isolated, single-tenant clusters with dedicated hardware, dedicated networking, and, where applicable, caged or otherwise physically separated rack space.
- Media sanitization. Storage media allocated to a customer are sanitized before being repurposed, and decommissioned hardware is securely destroyed in accordance with industry-standard practices, by Boost Run or our colocation providers.
9. Network Security
- Public-facing services are fronted by edge protections including DDoS mitigation, web application firewalls, and rate limiting where applicable.
- Internal networks are segmented, and management interfaces are not exposed to the public internet. Production networks are separated from corporate IT networks.
- Customer VPCs support private peering and IPsec or similar VPN connectivity for customers that require dedicated, encrypted access to the Platform.
- Intrusion-detection and intrusion-prevention controls (IDS/IPS) and continuous traffic monitoring are deployed at the perimeter and within the production environment.
10. Logging, Monitoring, and Incident Detection
Continuous monitoring and detailed logging mechanisms are in place to detect and respond to potential security events promptly.
- Audit logs capture security-relevant events on the Platform, including authentication attempts, configuration changes, IAM changes, and access to sensitive resources. Logs are time-stamped, integrity-protected, and retained for a period sufficient to support security investigations and compliance obligations.
- Customer-visible audit logs of activity within the customer’s tenant are made available through the Platform so that customers can monitor their own environment.
- Centralized monitoring of systems, networks, and applications integrates automated alerting, log analysis, and threat detection to provide real-time visibility across the production environment.
- Endpoint detection and response (EDR) is deployed on Boost Run managed nodes and corporate endpoints to detect and respond to malicious activity.
11. Vulnerability Management and Penetration Testing
We maintain a documented vulnerability management program designed to identify, prioritize, and remediate security weaknesses across the Services and our supporting infrastructure.
- Continuous vulnerability scanning of systems, container images, and applications, combined with manual security assessments and threat-intelligence inputs.
- Risk-based prioritization using severity, exploitability, and business impact. We patch common CVEs proactively and partner with intelligence sources to accelerate remediation of high-severity issues.
- Independent penetration testing by reputable third-party firms is conducted at least annually, and after significant changes to the Services. A summary or executive report is available to customers under NDA.
- External security scans by customers are governed by our Rules for External Security Scans, which set out acceptable scope, notification, and conduct requirements.
12. Secure Software Development
Boost Run follows a Secure Software Development Life Cycle (S-SDLC) that integrates security into every phase of design, development, and deployment.
- Separated environments. Development, test, and production environments are logically separated, with strict segregation of responsibilities and controlled change management between them.
- Source-code controls. Source code is maintained in version-controlled repositories with branch protections, peer code review for production-bound changes, and access restricted on a least-privilege basis.
- Application security testing. We use automated static application security testing (SAST), software composition analysis (SCA), container image scanning, and other automated tooling, supplemented by manual reviews where appropriate.
- Change management. Changes to production systems follow a documented change-management process with peer review, testing, and approval requirements.
- Configuration baselines. Production systems are deployed against hardened baselines aligned with industry guidance such as the Center for Internet Security (CIS) Benchmarks, where applicable.
13. Security Incident Response
Boost Run maintains a documented Security Incident Response Plan (SIRP) that defines how we detect, contain, investigate, remediate, and communicate about security incidents.
- Detection and triage. Suspected incidents are triaged by our security team, classified by severity, and routed to a coordinated response team with clear escalation paths.
- Containment and eradication. The response team isolates affected systems, eradicates the root cause, restores affected services, and conducts post-incident reviews to identify and implement improvements.
- Customer notification. Where a security incident affects Customer Content or Personal Information that we process, we will notify affected customers without undue delay and in any event in accordance with applicable law and contractual commitments. Notifications will include the information required for customers to assess the impact and meet their own obligations.
- Regulatory notification. Where required, we will also notify supervisory authorities and other regulators within applicable statutory timeframes.
- Tabletop exercises. The SIRP is tested at least annually through tabletop exercises and is updated based on lessons learned from exercises and from real incidents.
14. Business Continuity and Disaster Recovery
Boost Run maintains a Business Continuity Management System aligned with ISO 22301 principles and a Disaster Recovery Plan (“DRP”) for the Services.
- Resilient architecture. The Platform is designed for high availability, with redundant power, cooling, networking, and storage in our production data centers.
- Backups. Boost Run-managed control-plane data is backed up regularly, with backups stored in segregated locations and tested periodically. Backups of Customer Content within customer-managed environments remain the customer’s responsibility, except where the customer has procured a backup service from Boost Run.
- Recovery objectives. Recovery time and recovery point objectives (RTO/RPO) for the control plane are documented and tested. Service-specific commitments are set out in our Service Level Agreement.
- Plan testing. The DRP is tested at least annually, including failover and recovery exercises, and updated based on test results.
15. Physical and Environmental Security
Boost Run hosts the Equipment in data centers that meet leading industry standards for physical and environmental security. We require our colocation providers to maintain controls aligned with our security program throughout the lifecycle of their contract with us.
- 24/7 protection. Limited-access, fenced facilities with on-site security personnel around the clock.
- Multi-factor physical access. Access requires badge, biometric, or equivalent multi-factor authentication and is granted on a strict need-to-work basis with documented business justification and management approval.
- Surveillance. Cameras at every access point, with real-time monitoring and retention of recordings.
- Hardware protection. Servers and supporting infrastructure are housed in locked, monitored cabinets, and for single-tenant cluster customers may be housed in dedicated cages.
- Environmental controls. Redundant power (UPS and generator), redundant cooling (including direct-to-chip liquid cooling on AI factories where applicable), and fire detection and suppression systems are deployed and monitored.
- Asset management. IT inventory and asset management processes track Equipment from procurement through secure disposal, including documented media-sanitization and destruction procedures.
- On-site document handling. Paper documents containing sensitive information are shredded on-site.
16. Data Residency and Regional Controls
Boost Run’s infrastructure is designed to support customer data-residency requirements. Customers can select the primary region in which their workloads run and their Customer Content is stored. Subject to limited exceptions for high availability, fault tolerance, and disaster recovery (and only for non-sensitive metadata), Customer Content remains within the customer’s selected region.
Cross-region transfers of Personal Information are governed by our Privacy Policy and any applicable Data Processing Addendum. Customers operating in regulated industries should contact our compliance team to discuss data-residency, sovereignty, and regulatory considerations relevant to their workloads.
17. Personnel Security
- Background checks are conducted on Boost Run personnel to the extent permitted by, and in accordance with, applicable local labor and statutory requirements.
- Confidentiality obligations. All personnel are required to execute a confidentiality agreement and to acknowledge our information-security and privacy policies.
- Security awareness training is provided to all personnel at hire and at least annually, and includes training on phishing, social engineering, secure coding (for engineering roles), and incident reporting.
- Endpoint controls. Personnel devices are managed through Mobile Device Management (MDM) and equipped with full-disk encryption, EDR, and policy-based configuration controls.
- Onboarding and offboarding include documented provisioning and deprovisioning of system access, with prompt revocation upon termination or role change.
18. Third-Party and Subprocessor Risk Management
We carefully assess and manage the security and privacy risks associated with our Subprocessors and other vendors.
- Risk-based vendor evaluation before engagement, including due diligence, security questionnaires, and review of independent audit reports where available.
- Contractual safeguards requiring Subprocessors to implement appropriate technical and organizational measures, comply with applicable data-protection laws, and notify us of security incidents within agreed timeframes.
- Ongoing monitoring of vendor security and privacy posture, including periodic reassessments and audit rights where appropriate.
- Subprocessor list. A current list of Subprocessors is published or made available on request through trust.boostrun.com.
19. Vulnerability Disclosure
We welcome reports from security researchers and other members of the security community. If you believe you have discovered a security vulnerability in the Services, please report it to us as described below.
Reporting channel: incidents@boostrun.com
In your report, please include enough information for us to reproduce and validate the issue (for example, steps to reproduce, proof-of-concept code, screenshots, and the affected component or URL). We commit to:
- acknowledging receipt of your report within five (5) business days;
- providing an initial triage assessment of severity and impact within a reasonable period thereafter;
- keeping you informed of remediation progress for valid reports; and
- not pursuing legal action against researchers who act in good faith and in accordance with this Policy and our Rules for External Security Scans.
To act in good faith, researchers must avoid privacy violations, destruction of data, and disruption of the Services; must not access, modify, or exfiltrate Customer Content; must not perform denial-of-service or social-engineering testing; and must give Boost Run a reasonable period to remediate before any public disclosure.
20. Customer Responsibilities
While we work diligently to protect the Services and the data we hold, the security of your Account and your workloads depends on you taking appropriate measures as well. We recommend, at a minimum, that you:
- use strong, unique passwords and enable multi-factor authentication on your Account;
- integrate the Platform with your enterprise identity provider (via OIDC, SAML, or SCIM) where applicable, and apply role-based access controls and least-privilege principles to your Users;
- rotate API keys and other credentials regularly, store them in a secure secrets manager, and never embed them in source code or configuration that could be exposed publicly;
- encrypt sensitive Customer Content at the application layer in addition to the encryption Boost Run applies, and manage your own encryption keys where appropriate;
- apply security patches promptly to operating systems and applications you deploy on the Equipment;
- configure backups, disaster recovery, and high availability for your workloads as appropriate to your business needs;
- monitor activity within your tenant using the audit logs and monitoring tools we provide, and integrate them with your own SIEM or observability stack where required;
- be cautious of phishing, social engineering, and other attempts to obtain credentials or sensitive information; and
- notify us promptly at incidents@boostrun.com if you suspect your Account has been compromised or if you observe a security issue affecting the Services.
21. Reporting Security Concerns
If you have a security question, want to report a suspected vulnerability or incident, or otherwise need to reach our security team, please contact us:
Email: incidents@boostrun.com
Privacy / Data Protection Officer: Harry Georgakopoulos
For questions about a specific certification, audit report, or compliance document, please contact your Boost Run account team.
22. Changes to this Security Policy
Boost Run may update this Policy from time to time. When we do, we will revise the “Last updated” date at the top of this Policy and post the updated Policy on our Sites. Where required by applicable law or contract, we will provide additional notice of material changes. A version history is maintained at boostrun.com/changelog. Your continued use of the Services after an update becomes effective constitutes your acceptance of the revised Policy.