At Superhuman, we want you to focus on what you do best — not lose sleep worrying about the safety and reliability of your team's email.
That's why we continually invest in data security, risk management, and maintaining our processing capacity.
First and foremost, we never share or sell your data. We're also SOC 2 compliant, which means we've been rigorously audited to ensure all our processes and policies uphold data safety and security.
Here's what that means for you and your company…
Why Superhuman is trusted by thousands of customers
We succeed by helping you and your team get better at email. Period.
Our mission is giving you and your team the world's fastest email experience. This means we don't sell your data or use your emails for targeted advertising, and we keep your email strictly between you and your recipients.
But don't take our word for it. We're SOC 2 (Service Organization Control 2) compliant, a recognized standard for data security developed by the American Institute of Certified Public Accountants (AICPA).
- Security: We protect your data.
We secure your and your company's data and assets against unauthorized access and use.
- Availability: We're here when you need us.
We maintain our systems to retain processing capacity, and we've carefully assessed all risk factors that could interrupt your service.
- Processing integrity: We keep you and your business in control.
We verify the integrity of all data, and keep records of all system inputs.
SOC 2 compliance means that all our policies and processes are regularly audited. We also follow Google's compliance requirements in order to use their restricted APIs.
If you'd like to learn more, reach out to our team!
How exactly does Superhuman keep my data private?
All code that is added to Superhuman is reviewed with security in mind — and we run annual security audits to ensure there are no mistakes.
- Superhuman connects directly to your accounts to download messages. That means your inbox is never stored on our servers — instead, it is stored on your machine.
- All data is encrypted at rest and in transit, with particularly sensitive data encrypted additionally at the application level. Instead of storing passwords, we use OAuth, which grants us limited, scoped access to your account without ever handling your password.
- If you use two-factor authentication (2FA) with your account, it'll also work with Superhuman.
- We don't expose internal servers to the internet. We use distroless containers, and run fully on infrastructure managed by Google.
At Superhuman, we use the principle of least privilege: services and users are granted the minimal set of permissions required to do their job.
In short, the only people that can read your emails are you and Google — that's because Superhuman operates on top of Gmail accounts.
Is Superhuman HIPAA compliant?
HIPAA (Health Insurance Portability and Accountability Act) is a standard that companies in healthcare must follow to safeguard Protected Health Information (PHI). Email is not generally considered a HIPAA-compliant way of sharing information, and Superhuman is no exception.
We don't recommend sending PHI over email, and we don't currently sign BAAs (Business Associate Agreements) with companies that may send PHI over email.
Will Superhuman sign Data Processing Addendums as required by the GDPR?
Yes! You can use Superhuman in a way that is compliant with the GDPR. Our standard DPA is superhuman.com/dpa, and we can give you a signed copy if you need it.