Trust Center
Security & compliance at Supercenter
Supercenter is the control plane for enterprise AI agents — skills, integrations and AI coworkers that act inside your existing tools. Security is structural, not bolted on: agents get scoped, encrypted credentials resolved only at execution time; consequential actions require human approval; every tool call is audit-logged with on-behalf-of attribution; and cross-user access exists only through explicit, revocable delegation grants.
This page is generated live from our internal compliance system — the same controls, monitors and vendor register our team operates on. Request access below for the gated document set (DPA, policies, reports).
FAQ
Certifications, encryption, isolation, backups, recovery, exit strategy and company continuity.
Certifications & frameworks
Do you hold ISO 27001, SOC 2, TISAX, C5 or ISAE 3402 certifications?
Not yet. A SOC 2 program (Security, Availability, Confidentiality) is underway, targeting a Type I report followed by a Type II observation window. GDPR compliance is documented; we are established in Austria (EU). A DORA ICT third-party readiness package is available for financial-entity customers. ISO 27001 will be evaluated based on customer demand. TISAX and C5 are not planned. The policy stack and control register are available under NDA via the document request below.
Can our security team send you a questionnaire or audit you?
Yes. We answer security questionnaires (VSA, CAIQ, SIG-lite or your own template) from a maintained answer bank, typically within two business days. Audit and information rights are defined in our DPA and are satisfied through documentation and reports, with deeper reviews available under enterprise agreements.
Encryption & key management
How is data encrypted in transit and at rest?
All traffic uses TLS 1.2 or higher with HSTS. Data is encrypted at rest by our infrastructure providers (Vercel, Convex). Connector credentials, OAuth tokens and channel secrets are additionally encrypted at the application layer with AES-256-GCM, so a database-level compromise alone cannot expose integration credentials.
How are encryption keys managed?
The credential encryption key is a dedicated secret, separate from authentication and provider secrets, held in platform environment configuration and never in the repository (CI secret scanning enforces this). Rotation follows a documented runbook with an envelope re-encryption procedure. Automated monitors verify continuously that every stored credential is encrypted, and their status feeds the controls on this page.
Tenant isolation & access control
How are customer workspaces isolated from each other?
Every record is scoped to an organization, and every backend function authenticates its caller and enforces that scope. A CI check fails the build if any backend function lacks an authorization gate. Agents run in isolated per-session sandboxes. Credentials are resolved server-side at execution time and never enter prompts or model context. Cross-user access requires an explicit, revocable delegation grant, and every delegated call is attributed in the audit log.
Who at Supercenter can access customer data?
Access follows least privilege: a small, monitored superadmin allowlist; SSO-backed accounts with MFA; and support access only through audited, time-boxed impersonation that is visible in the audit log. Production data is accessed only for operational need, as defined in the Access Control and Employee Security policies.
AI-specific safeguards
Is our data used to train AI models?
No. Inference runs through the Vercel AI Gateway with zero data retention at the gateway. The model providers (Anthropic, OpenAI, Google, xAI) operate under no-training commercial terms as the gateway's sub-processors. We do not train models on customer data.
What stops an AI agent from doing something destructive?
Consequential actions require human approval before execution. Agents act with scoped credentials resolved per call, never ambient access. Every tool call is audit-logged with on-behalf-of attribution. Agent sessions run in isolated sandboxes. Prompt injection from connected content is mitigated through these approval gates and credential scoping.
Backups & disaster recovery
What is your backup strategy: frequency, retention, geography, restore testing?
The primary database (Convex) is continuously backed up on managed multi-AZ infrastructure in the United States, with scheduled independent exports. The business continuity plan commits to a 24-hour RTO and a 24-hour RPO for catastrophic provider events, with a documented restore runbook and an annual restore test. Retention follows the published schedule: session transcripts 180 days, audit logs 400 days, usage events 90 days.
Can we export or back up our data ourselves?
Yes. Workspace data can be exported on request in standard formats (JSON, CSV, Markdown), and personal data exports run through our data subject request tooling. Most customer data also remains in the customer's own systems of record (email, chat, documents, CRM); Supercenter connects to those tools rather than replacing them.
Data export & exit strategy
How hard is it to leave Supercenter?
Disconnecting an integration revokes our access immediately. Your systems of record (email, chat, documents, CRM) are unaffected by leaving. On termination we export requested data in standard formats and delete or anonymize all customer data within 30 days, with confirmation available on request, per the DPA and retention policy.
Subprocessors & international transfers
Where is data processed, and under what transfer safeguards?
Production data is processed in the United States on managed infrastructure (Vercel, Convex), encrypted in transit and at rest. Transfers from the EEA, UK and Switzerland are covered by the EU Standard Contractual Clauses incorporated in our DPA, supported by transfer impact assessments and supplementary measures.
How do you manage subprocessor changes?
The subprocessor list on this page is generated from our vendor register. We give at least 30 days' notice of new or replaced subprocessors, with objection rights per the DPA. Each subprocessor is bound by data protection terms no less protective than ours.
Incident response & breach notification
What happens if you have a security incident?
We operate an approved incident response plan: triage and containment, customer notification without undue delay per the DPA, supervisory authority notification within 72 hours where GDPR requires it, and a postmortem with tracked corrective actions. Service status is published on the status page.
Company & operational continuity
You're a young company. What happens if Supercenter disappears?
Your systems of record stay yours: Supercenter connects to tools you already run, so your data does not leave with us. The platform runs on managed multi-AZ infrastructure with no self-operated servers. The DPA commits to data export and deletion or return on termination, and the continuity plan covers key-person unavailability through shared credential recovery. Supercenter is operated from Vienna, Austria (VAT ATU82884407) by a founder with three previously shipped products (Mokker, Zerolens, Yourmap).
What support and uptime commitments do you make?
Live status and incident history are public on the status page. Security reports are acknowledged within two business days. SLA and support terms are agreed per enterprise contract.
Vulnerability disclosure & secure development
How do we report a vulnerability?
Email security@supercenter.app, also published in /.well-known/security.txt. Reports are acknowledged within two business days, and we do not pursue good-faith research. Every change runs through CI with secret scanning and authorization-gate checks. Dependencies follow a 14-day cooldown policy with expedited handling for known CVEs. An external penetration test is scheduled as part of the SOC 2 program.
Security contact
Vulnerability reports and security questions: security@supercenter.app. Reports are acknowledged within two business days. We do not pursue good-faith research.