Security
Supera holds sensitive employee records, so security isn't a feature — it's the foundation. Here's how we protect your data, in plain terms.
The short version: your data is encrypted in transit and at rest, each company is isolated with its own encryption key, administrators sign in with multi-factor authentication, every sensitive action is written to a tamper-evident log, and when data is deleted it is destroyed for good. Supera is built to SOC 2 and ISO 27001 control standards, on infrastructure that is itself SOC 2 and ISO 27001 certified.
Encryption
All traffic to and from Supera is protected with TLS in transit. Your stored data is encrypted at rest with AES-256. Each company's data is encrypted with its own key, so one company's records are cryptographically separated from every other's.
Per-company isolation
Every customer's data lives in its own isolated space with a dedicated encryption key. There is no shared pool where one company could reach another's information. This isolation is also what makes our deletion guarantee possible (below).
Sign-in & access
Administrators sign in with multi-factor authentication (MFA). Employees use a passwordless sign-in — a Google or Apple account, a one-tap email link, or a one-time code — so there are no employee passwords to leak. Access is role-based: administrators see their company, managers see only their own direct reports, and employees see only themselves.
Tamper-evident audit log
Sensitive actions are recorded in a hash-chained audit log — a running record that is designed so that any after-the-fact tampering would be detectable. It gives you a trustworthy history of what happened and when.
Permanent deletion & crypto-shredding
Deleting a single employee permanently removes their records from your account — we don't keep a hidden copy for our own use, and your company's encryption key is left untouched, so everyone else's data is unaffected.
Closing your entire account goes further: because your company has its own encryption key, we destroy that key — "crypto-shredding" — which makes all of your company's data, including in backups, permanently unreadable. Either way, you can export your data first, and deletion is real, not just hidden.
Your data is not used to train AI
Supera uses Anthropic's business API to draft and translate reviews. By default, Anthropic does not use business API data to train its models, and that data is short-lived — under a signed data-processing agreement. Your team's reviews help you; they are not fed into anyone's AI.
Anonymous feedback stays anonymous
For anonymous 360° feedback, we never store who wrote what. Anonymity is structural, not a setting — so it holds against everyone, including administrators. Results are only shown once enough people have responded.
Standards & infrastructure
Supera runs on infrastructure that is independently SOC 2 and ISO 27001 certified (our providers), and our own practices are built to the SOC 2 and ISO 27001 control frameworks.
To be straight with you: Supera itself is not yet SOC 2 or ISO 27001 certified — those require an independent audit we haven't completed. We say "built to" the frameworks, not "certified." As we grow we intend to pursue an independent penetration test and a formal SOC 2 report; until then we won't claim either. We'd rather tell you exactly what we do (above) than wave a badge we haven't earned.
Our role: your data processor
When your company uses Supera, you decide what employee information goes in and why — you're the "data controller." Supera is your data processor: we handle that information only to run the Service for you, on your instructions. In plain terms:
- We don't use your employees' data for our own purposes, and we never sell it.
- We keep it encrypted and isolated to your company (see above).
- We use a short list of vetted subprocessors under signed DPAs (below).
- We help you respond to employee data requests — access, correction, deletion.
- If a data breach ever affected your data, we'd notify you promptly so you can meet your obligations.
- When you leave, you can export your data, and we delete it (see above).
This is a plain-language summary of how we work — not a contract. The specifics are governed by our Privacy Policy and, for business customers, a Data Processing Agreement (DPA) available at [email protected].
Who we share data with (subprocessors)
To run Supera we rely on a small set of vetted providers, each under a signed Data Processing Agreement that limits how they may use your data:
- Cloudflare — hosting, storage, and network (SOC 2 / ISO 27001 certified).
- Google Cloud (Cloud KMS) — management of the encryption keys.
- WorkOS — sign-in and multi-factor authentication.
- Anthropic — AI drafting and translation (business API; not used to train models).
- Stripe — subscription billing (we never see full card numbers).
- Twilio & Meta (WhatsApp) — text and WhatsApp message delivery.
- Resend — email delivery.
If your company enables an optional Slack or Microsoft Teams integration, that platform becomes a subprocessor too — only for your company, and only to deliver those notifications. We never sell your data. A signed DPA and our current subprocessor list are available on request at [email protected].
Reporting a concern
If you believe you've found a security issue, please email [email protected] and we'll respond promptly. You can also check current service status on our status page.