Security

Version 1.0 · Effective 7 July 2026 · Last updated 7 July 2026

Supera holds sensitive employee records, so security isn't a feature — it's the foundation. Here's how we protect your data, in plain terms.

The short version: your data is encrypted in transit and at rest, each company is isolated with its own encryption key, administrators sign in with multi-factor authentication, every sensitive action is written to a tamper-evident log, and when data is deleted it is destroyed for good. Supera is built to SOC 2 and ISO 27001 control standards, on infrastructure that is itself SOC 2 and ISO 27001 certified.

Encryption

All traffic to and from Supera is protected with TLS in transit. Your stored data is encrypted at rest with AES-256. Each company's data is encrypted with its own key, so one company's records are cryptographically separated from every other's.

Per-company isolation

Every customer's data lives in its own isolated space with a dedicated encryption key. There is no shared pool where one company could reach another's information. This isolation is also what makes our deletion guarantee possible (below).

Sign-in & access

Administrators sign in with multi-factor authentication (MFA). Employees use a passwordless sign-in — a Google or Apple account, a one-tap email link, or a one-time code — so there are no employee passwords to leak. Access is role-based: administrators see their company, managers see only their own direct reports, and employees see only themselves.

Tamper-evident audit log

Sensitive actions are recorded in a hash-chained audit log — a running record that is designed so that any after-the-fact tampering would be detectable. It gives you a trustworthy history of what happened and when.

Permanent deletion & crypto-shredding

Deleting a single employee permanently removes their records from your account — we don't keep a hidden copy for our own use, and your company's encryption key is left untouched, so everyone else's data is unaffected.

Closing your entire account goes further: because your company has its own encryption key, we destroy that key — "crypto-shredding" — which makes all of your company's data, including in backups, permanently unreadable. Either way, you can export your data first, and deletion is real, not just hidden.

Your data is not used to train AI

Supera uses Anthropic's business API to draft and translate reviews. By default, Anthropic does not use business API data to train its models, and that data is short-lived — under a signed data-processing agreement. Your team's reviews help you; they are not fed into anyone's AI.

Anonymous feedback stays anonymous

For anonymous 360° feedback, we never store who wrote what. Anonymity is structural, not a setting — so it holds against everyone, including administrators. Results are only shown once enough people have responded.

Standards & infrastructure

Supera runs on infrastructure that is independently SOC 2 and ISO 27001 certified (our providers), and our own practices are built to the SOC 2 and ISO 27001 control frameworks.

To be straight with you: Supera itself is not yet SOC 2 or ISO 27001 certified — those require an independent audit we haven't completed. We say "built to" the frameworks, not "certified." As we grow we intend to pursue an independent penetration test and a formal SOC 2 report; until then we won't claim either. We'd rather tell you exactly what we do (above) than wave a badge we haven't earned.

Our role: your data processor

When your company uses Supera, you decide what employee information goes in and why — you're the "data controller." Supera is your data processor: we handle that information only to run the Service for you, on your instructions. In plain terms:

This is a plain-language summary of how we work — not a contract. The specifics are governed by our Privacy Policy and, for business customers, a Data Processing Agreement (DPA) available at [email protected].

Who we share data with (subprocessors)

To run Supera we rely on a small set of vetted providers, each under a signed Data Processing Agreement that limits how they may use your data:

If your company enables an optional Slack or Microsoft Teams integration, that platform becomes a subprocessor too — only for your company, and only to deliver those notifications. We never sell your data. A signed DPA and our current subprocessor list are available on request at [email protected].

Reporting a concern

If you believe you've found a security issue, please email [email protected] and we'll respond promptly. You can also check current service status on our status page.

This page describes our security approach in plain language for a general audience; it is a summary, not a contractual specification. For how we handle personal data, see our Privacy Policy.