For Superhuman Labs LLC customers who agreed to the DPA before Oct 29, 2025, please see DPA here, unless otherwise superseded.

Superhuman Data Privacy Addendum

Effective Date: Oct 29, 2025

This Data Privacy Addendum (“Addendum”) is incorporated into and subject to the terms and conditions of the current version of any agreements (“Agreement”) between you (“Customer”) and Superhuman Platform Inc. (“Superhuman”) (each a “Party” and collectively the “Parties”) governing the Customer’s use of the Services.

All capitalized terms not defined in this Addendum shall have the meanings set forth in the Agreement. This Addendum reflects the Parties’ agreement with respect to the terms governing Superhuman’s processing of personal data contained within Customer Data (“Customer Personal Data”) and protected by Applicable Data Privacy Laws. 

In the event of any conflict or inconsistency between the terms of the main Agreement and this Addendum, the terms of this Addendum shall take precedence over the Agreement and any other associated contractual document between the Parties, to the extent of any such conflict. The Parties agree as follows:


1. Definitions.

For purposes of this Addendum: 

a. “Applicable Data Privacy Laws” means national, federal, state, provincial, or other privacy, data security, data protection law, or regulation applicable to Processing of Customer Personal Data, including without limitation and as applicable: (i) United States Data Privacy Laws and (ii) European Data Privacy Laws, in each case as amended or superseded from time to time. 

b. “Data Privacy Framework” means the EU-U.S. Data Privacy Framework, the Swiss-U.S. Data Privacy Framework, and the UK Extension to the EU-U.S. Data Privacy Framework self-certification programs (as applicable) as operated by the U.S. Department of Commerce; as may be amended, superseded, or replaced. “Data Privacy Framework Principles” means the Principles and Supplemental Principles contained in the relevant Data Privacy Framework. 

c. “European Data Privacy Laws” means, as applicable to the Processing of Customer Personal Data: (i) General Data Protection Regulation (EU) 2016/679 (“GDPR”); (ii) the GDPR as saved into United Kingdom law by virtue of section 3 of the United Kingdom’s European (Withdrawal) Act 2018 (“UK Data Privacy Laws”); and  (iii) in respect of Switzerland, The Federal Act on Data Protection of 19 June 1992 and its Ordinances (the “Swiss DPA”). 

d. “Europe” means, for the purposes of this Addendum, the European Union, Iceland, Liechtenstein, Norway, Switzerland, and the United Kingdom.

e. “EU SCCs” means standard contractual clauses for the transfer of personal data to third countries pursuant to the GDPR between (i) controllers and processors or (as the circumstances require) (ii) processors and processors, in each case, as approved by the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021 and not including any clauses marked as optional. 

f. “Data Security Incident” means a breach of Superhuman’s security that leads to the accidental or unlawful acquisition, destruction, loss, alteration, or unauthorized disclosure of or access to Customer Personal Data transmitted, stored, or otherwise processed by Superhuman in connection with the provision of the Service. “Data Security Incident” shall not include unsuccessful attempts or activities that do not compromise the security of Customer Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems. 

g. “Standard Contractual Clauses” means, as applicable, the EU SCCs or the UK SCCs. 

h. “Sub-processor” means a processor engaged by Superhuman or its affiliates to assist in providing the Service(s) pursuant to the Agreement or this Addendum. Sub-processors may include third parties or affiliates of Superhuman but shall exclude any Superhuman employee, contractor, or consultant. 

i. “United States Data Privacy Laws” means the California Consumer Privacy Act, the Colorado Privacy Act, the Connecticut Act Concerning Personal Data Privacy and Online Monitoring, the Utah Consumer Privacy Act, and the Virginia Consumer Data Protection Act, and any other privacy laws enacted by a US state, in each case as may be amended and together with applicable implementing regulations, that provide general privacy protection to consumers and distinguish between controllers and processors.

j. “UK SCCs” means the EU SCCs together with the International Data Transfer Addendum (version B1.0) approved by the United Kingdom Information Commissioner. 

k. The terms “controller”, “data subject”, “personal data”, “process”, “processing,and “processor” shall have the meanings given to them in the Applicable Data Privacy Laws and include the terms “business”, “consumer”“personal information”, and “service provider”. The terms “business purpose”, “commercial purpose”, “sell”, and “share” shall have the meanings given to them in the United States Data Privacy Laws.


2. Scope and Purposes of Processing.

a. This Addendum applies to the extent that Superhuman Processes, as a processor or service provider (as applicable), any Customer Personal Data protected by Applicable Data Privacy Laws. Superhuman will only Process Customer Personal Data as set forth in this Addendum and in compliance with Applicable Data Privacy Laws. 

b. The Parties acknowledge and agree that Customer is a controller or processor with respect to the Processing of Customer Personal Data, and Superhuman will Process Customer Personal Data only as a processor on behalf of Customer, as further described in Exhibit A (Data Processing Description) of this Addendum. If Customer is acting as processor, Customer will (i) fulfill Superhuman’s obligations to Customer’s controllers under this Addendum, including as applicable, the Standard Contractual Clauses, and (ii) ensure that any data processing undertaken pursuant to this Addendum reflects the documented instructions issued by the ultimate controller of such data.

c. Customer instructs Superhuman to Process Customer Personal Data in accordance with the Agreement (including this Addendum) and only for the following purposes: 

(i) to provide, secure, and monitor the Service(s) in accordance with the Agreement; 
(ii) to perform Processing activity initiated by Customer in its use of the Service (including, for example, through an administrative console); and 
(iii) to comply with other reasonable instructions provided by Customer that are consistent with the terms of the Agreement and this Addendum. 
Accordingly, processing by Superhuman is carried out for business purposes, including performing services on behalf of Customer, helping ensure security and integrity, debugging, and error repair.   

d. Without prejudice to Section 3 (Customer Responsibilities), Superhuman shall immediately notify Customer in writing, unless prohibited from doing so under applicable law, if it becomes aware or believes that any Processing instructions from Customer violate European Data Privacy Laws and UK Data Privacy Laws.


3. Customer Responsibilities.

a. Customer shall have sole responsibility for the accuracy, quality, and legality of Customer Personal Data and the means by which Customer acquired Customer Personal Data. 

b. Customer represents and warrants that it will comply with its obligations related to the processing of Customer Personal Data under Applicable Data Privacy Laws, including that: (i) it has provided, and will continue to provide, all notices and has obtained, and will continue to obtain, all consents, permissions, and rights necessary under applicable laws, including Applicable Data Privacy Laws, for Superhuman to lawfully Process Customer Personal Data for the purposes contemplated by the Agreement (including this Addendum); (ii) it has complied with all applicable laws, including Applicable Data Privacy Laws in the collection and provision to Superhuman of such Customer Personal Data; and (iii) it shall ensure its Processing instructions comply with applicable laws (including Applicable Data Privacy Laws) and that the processing of Customer Personal Data by Superhuman in accordance with Customer’s instructions will not cause Superhuman to be in breach of Applicable Data Privacy Laws. 

c. If Customer reasonably believes that Superhuman is engaged in unauthorized Processing of Customer Personal Data, Customer will immediately notify Superhuman of such belief, and the Parties will work together in good faith to remediate the allegedly violative Processing activities, if necessary.


4. Superhuman Responsibilities.

a. Superhuman will: 

i. Not Sell or Share Customer Personal Data. 

ii. Not Process Customer Personal Data for any purpose other than for the specific purposes set forth herein. For the avoidance of doubt, Superhuman will not Process Customer Personal Data outside of the direct business relationship between Customer and Superhuman. 

iii. Not combine Customer Personal Data with information received from or on behalf of another source or collected from Processor’s own interactions with a Data Subject except to the extent such combination is permitted under Applicable Data Privacy Laws. 

iv. With respect to its Processing of Customer Personal Data, Superhuman complies with Applicable Data Privacy Laws and, where required of processors under Applicable Data Privacy Law, provides the same level of privacy protection as required of Customer under Applicable Data Privacy Law. 

v. Notify Customer if, in Superhuman’s opinion, Superhuman is unable to meet its obligations under the Applicable Data P


5. Data Subject Rights and Cooperation.

a. Superhuman will promptly notify Customer of: (i) any third party or individual (e.g., on Customer’s behalf); or (ii) any government or data subject requests for access to or information about Superhuman’s Processing of Customer Personal Data on Customer’s behalf (each a “Communication”), unless prohibited by Applicable Data Privacy Laws. In the event Superhuman receives such Communication directly, Superhuman will not respond to such Communication except as appropriate (e.g., to direct the data subject to contact Customer) or where legally required, without Customer’s prior authorization. Customer will be responsible for responding to any such request including, where necessary, by using the functionality of the Services. 

b. Superhuman shall provide reasonable and legally required assistance and cooperation to enable Customer to fulfil its obligations under Applicable Data Privacy Laws. Upon written request of Customer, this includes, to the extent Customer is not able to respond to Communication using the functionality of the Services, reasonable cooperation to assist Customer to respond to Communications taking into account the nature of the Processing. 

c. To the extent required under Applicable Data Privacy Laws, and taking into account the nature of the Processing and the information available to Superhuman, Superhuman will provide reasonable assistance to Customer to carry out a data protection impact assessment or prior consultation with supervisory authorities, as required by Applicable Data Privacy Laws. Superhuman shall comply with the foregoing by: (i) complying with Section 10 (Audits); (ii) providing the information contained in the Agreement, including this Addendum; and (iii) if the foregoing sub-sections (i) and (ii) are insufficient for Customer to comply with such obligations, upon request, providing additional reasonable assistance (at Customer’s expense).


6. Data Security.

a. Superhuman will: (i) as outlined in Exhibit B, implement appropriate and reasonable administrative, technical, physical, and organizational measures designed to protect Customer Personal Data from Security Incidents and to preserve the security and confidentiality of Customer Personal Data (“Security Measures”); and (ii) ensure that employees, contractors, and Sub-processors authorized to Process the Customer Personal Data is under an appropriate obligation of confidentiality (whether statutory or contractual). 

b. Customer is responsible for reviewing the information made available by Superhuman relating to data security and making an independent determination as to whether the Security Measures applicable to the Service meets Customer’s requirements and legal obligations under Applicable Data Privacy Laws. Customer acknowledges that the Security Measures are subject to technical progress and development and that Superhuman may update or modify the Security Measures from time to time, provided that such updates and modifications do not result in the degradation of the overall security of the Service provided to Customer. 

c. Notwithstanding the above, Customer agrees that except as provided by this Addendum, Customer is responsible for its secure use of the Service, including securing its account authentication credentials, protecting the security of Customer Data when in transit to and from the Service, and taking any appropriate steps to securely encrypt or back up any Customer Data uploaded to the Service.


7. Data Security Incident.

a. Upon becoming aware of a Data Security Incident, Superhuman will: (i) notify Customer promptly and without undue delay after becoming aware of a Data Security Incident; (ii) provide timely information relating to the Data Security Incident as it becomes known or as is reasonably requested by Customer; and (iii) promptly take reasonable steps to contain and investigate any Data Security Incident. 

b. Superhuman’s notification of or response to a Data Security Incident under this Section 7 shall not be construed as an acknowledgment by Superhuman of any fault or liability with respect to the Data Security Incident. Superhuman has no obligation to assess Customer Data to identify information that may be subject to specific legal requirements. 

c. Customer acknowledges that (i) Data Security Incidents and Superhuman’s commitments in this Addendum do not extend to any third-party integrations or services that Customer or its End Users procure through the Superhuman marketplace and (ii) Customer is solely responsible for reviewing the security and privacy documentation and agreements provided by such third parties. 


8. Sub-Processors.

a. Customer acknowledges and agrees that Superhuman may engage Sub-processors to Process Customer Personal Data in accordance with the provisions within this Addendum and Applicable Data Privacy Laws. A current list of Superhuman’s Sub-processors is available at https://superhuman.com/?previous_page=legal/subprocessors (“Sub-processor Page”) and Customer specifically authorizes Superhuman’s engagement of such Sub-processors. In addition, Customer generally authorizes Superhuman’s engagement of other third parties as Sub-processors, in accordance with Section 8(c) below. 

b. Superhuman shall: (i) enter into a written agreement with each Sub-processor containing data protection obligations that provide at least the same level of protection for Customer Personal Data as those in this Addendum, to the extent applicable to the nature of the service provided by such Sub-processor; and (ii) remain responsible for such Sub-processor’s compliance with the obligations of this Addendum and for any acts or omissions of such Sub-processor that cause Superhuman to breach any of its obligations under this Addendum. 

c. Superhuman shall notify Customer if it adds Sub-processors at least 30 days prior to any such changes if Customer opts in to receive such notifications using the dedicated form referenced in the Sub-processor Page. Customer may object in writing to Superhuman’s appointment of any new Sub-processor prior to their appointment on reasonable grounds relating to data protection (e.g., if making Customer Personal Data available to Sub-processor may violate Applicable Data Privacy Laws or weaken the protections for such Customer Personal Data) and in such instance, the Parties shall discuss such concerns in good faith with a view to achieving a commercially reasonable resolution. If no such resolution is reached, Superhuman will, at its sole discretion, either not appoint the Sub-processor or permit Customer to terminate or suspend the affected Service in accordance with the termination provisions in the Agreement without liability to either Party (but without prejudice to the fees incurred by Customer prior to suspension or termination). 


9. Data Transfers.

a. Customer acknowledges that Superhuman may process Customer Personal Data in the United States and any other locations in which Superhuman and its Sub-processors maintain data processing operations to perform the Service. Superhuman will not transfer (directly or via onward transfer) Customer Personal Data originating in Europe to a country outside of Europe, unless it first takes measures to enable the transfer is in compliance with applicable European Data Privacy Laws. 

b. Superhuman participates in and certifies compliance with the Data Privacy Framework as described in Superhuman, Inc.’s Data Privacy Framework Certification. Where and to the extent the Data Privacy Framework applies, it  will be used to lawfully receive Customer Personal Data in the United States, and Superhuman will ensure that it provides at least the same level of protection to such data as is required by the Data Privacy Framework Principles. Superhuman will notify Customer if it makes a determination that it can no longer comply with its obligations under the Data Privacy Framework. 

c. If European Data Privacy Laws require that appropriate safeguards are put in place (for example, if the Data Privacy Framework does not cover the transfer or is invalidated), the applicable Standard Contractual Clauses will be incorporated in full by reference and form an integral part of this Addendum as follows (with the Annexes and/ or Appendices to the applicable Standard Contractual Clauses being as set out in Exhibit A to this Addendum): 

i. To the extent Superhuman processes Customer Personal Data protected by European Data Privacy Laws, Superhuman agrees to be bound by and Process such Customer Personal Data in compliance with the EU SCCs. For the purposes of the descriptions in the EU SCCs, Superhuman agrees that it is a “data importer” and Customer is the “data exporter” (notwithstanding that Customer may itself be an entity located in a third country). For the purpose of Clause 9 of the EU SCCs shall allow for general authorization for the engagement of sub-processors in accordance with Section 8.c of this Addendum. For the purpose of Clause 17 of the EU SCCs, the governing law shall be the law of Ireland, and for Clause 18 the courts of Ireland shall have jurisdiction.

ii. To the extent Superhuman processes Customer Personal Data protected by UK Data Privacy Law, the UK SCCs will apply. 

iii. To the extent Superhuman processes Customer Personal Data protected by the Swiss DPA, the EU SCCs will apply, with the following modifications: 

A. any references in the EU SCCs to “Directive 95/46/EC” or “Regulation (EU) 2016/679” shall be interpreted as references to the Swiss DPA; 
B. references to “EU”, “Union”, “Member State”, and “Member State law” shall be interpreted as references to Switzerland and Swiss law, as the case may be; and 
C. references to the “competent supervisory authority” and “competent courts” shall be interpreted as references to the FDIPC and competent courts in Switzerland. 

iv. In the event of any conflict between the EU SCCs or UK SCCs and this Addendum, the EU SCCs or UK SCCs (as applicable) will prevail. 


10. Audits.

a. Upon Customer’s request, Superhuman will make available to Customer information reasonably necessary to demonstrate compliance with this Addendum. Customer acknowledges and agrees that it shall exercise its audit rights under this Addendum (including this Section 10(a) and, where applicable, the Standard Contractual Clauses), and any audit rights granted under Applicable Data Privacy Laws, by instructing Superhuman to comply with the audit measures described in Section 10(b) below. 

b. Upon written request, Superhuman will supply (on a confidential basis) to Customer a summary copy of its most current audit report(s) (“Audit Report”) prepared by third-party security professionals at Superhuman’s selection and expense. 


11. Return or Destruction of Customer Personal Data.

a. Upon termination or expiry of the Agreement, Superhuman will, at the written request of Customer, make available for return to Customer and/or securely destroy all Customer Personal Data in its possession or control in accordance with the Agreement, save that this requirement shall not apply to the extent Superhuman is required by applicable law to retain some or all of the Customer Personal Data, or to Customer Personal Data it has archived on back up systems, which data Superhuman shall securely isolate and protect from any further Processing and delete in accordance with its deletion practices. 


12. Deidentified Data of United States Residents.

a. The Parties acknowledge that data that has been “de-identified” or “deidentified” in accordance with United States Data Privacy Laws (“Deidentified Data”) is not Personal Data. 

b. Except as otherwise permitted by Applicable Data Privacy Laws, Superhuman may deidentify Customer Personal Data and Process Deidentified Data only if it: 

i. Takes reasonable measures to ensure that the Deidentified Data cannot be associated with an individual; 
ii. Publicly commits to maintain and use the Deidentified Data only in a deidentified fashion and not attempt to re-identify the Deidentified Data; and 
iii. Contractually obligates any recipient of the Deidentified Data to comply with substantially similar requirements as those set out in this Section 12 (Deidentified Data) of the Addendum.


13. Limitation of Liability.

a. Superhuman’s liability arising out of or in connection with this Addendum is subject to the limitations and exclusions of liability stated in the Agreement.


14. Term.

a. The effective date of this Addendum is the date of the latest signature of a Party or, if no such date exists, the effective date of the Agreement. 


15. Survival.

a. The provisions of this Addendum survive the termination or expiration of the Agreement for so long as Superhuman or its Sub-Processors Process Customer Personal Data.


Exhibit A: Data Processing Description

1. List of Parties:

Data exporter(s): 
Name: The entity identified as “Customer” in the Addendum. 
Address: The address for Customer specified in the Addendum or the Agreement. 
Contact details: The contact details associated with the Customer’s account, or as otherwise specified in the Addendum or the Agreement. 
Activities relevant to the data transferred: See Section 2 below. 
Role: When Customer is acting as controller, Controller. When Customer is acting as a processor, Processor. 

Data importer(s): 
Name: “Superhuman” as identified in the Addendum. 
Address: The address for Superhuman as specified in the Agreement. 
Contact details: The contact details for Superhuman as specified in the Addendum or the Agreement. 
Activities relevant to the data transferred: See Section 2 below. 
Role: Processor


2. Description of Processing

a. Subject matter, nature, and purpose of Processing: Superhuman will process Customer Personal Data solely for the purposes set out in Section 2(c) of this Addendum. 

b. Anticipated duration of Processing: For the term of the Agreement plus the period from expiry or termination of the Agreement until deletion of all Customer Personal Data by Superhuman in accordance with the Agreement. 

c. Typical categories of Data Subjects: Data subjects include the individuals about whom data is provided to Superhuman via the Service by (or at the direction of) Customer or its Users. 

d. Categories of Customer Personal Data typically subject to Processing under the Agreement: The categories of Customer Personal Data are determined by Customer in its sole discretion and include data relating to individuals provided to Superhuman via the Service, by (or at the direction of) Customer or its Users. 

e. Special categories of Personal Data: Superhuman does not intentionally collect or Process any special categories of Personal Data.


Exhibit B: Technical and organizational measures, including technical and organizational measures to ensure the security of the data

The Services provided under this Addendum comprise multiple distinct product offerings, including, without limitation, Grammarly, Superhuman Mail, and Coda (collectively, the “Services”). Each Service maintains and implements technical and organizational security measures appropriate to its design and functionality for the protection of Customer Personal Data and for the prevention, detection, and mitigation of Data Security Incidents. In light of the differing architectures and operational requirements of the respective Services, the Security Measures applicable to each Service are described separately below. For clarity, the technical and organizational security measures described herein are specific to the relevant Service and shall not be construed to apply to any other Service. Such Security Measures shall apply solely to the extent Customer has procured the relevant Service, as identified in the applicable ordering document or online purchase checkout page agreed to by Customer.

Security Measures applicable for Grammarly offerings: 

Grammarly performs strict administrative, contractual, and technical procedures to protect information transferred to, out of, and stored on its servers for the provision of its services. 

All Grammarly server-side infrastructure is hosted on Amazon Web Services (AWS) in the United States. Grammarly’s servers and network minimize the attack surface, placing all systems in our private network inside our secure cloud platform, and exposing external services only via load balancers and a web application firewall. Grammarly is registered for AWS Enterprise Support, the highest possible tier of AWS support. 

Grammarly encrypts all data transfers between itself and data exporters by up-to-date encryption protocols, including at least TLS 1.2. Customer data is encrypted at rest using AES-256. Grammarly utilizes AWS Key Management Services for database encryption and key management. Access to the cryptographic keys is restricted to authorized personnel. Grammarly internal services are available via its virtual private network, with the exception of services that must have access to the public internet for Grammarly’s product provisioning to customers. 

Access to the Personal Data storage is performed using the principle of least privilege; multi-factor authentication is required. Security continually monitors access to all information, and provisions clear security boundaries between production, staging, development, etc. 

Grammarly’s Compliance teams define and control the collection, processing, and storage of customers’ Personal Data. For this, Grammarly uses data flow maps, service inventory, new service launch checklists, and other processes to track all internal and external data transfers. Grammarly verifies all code changes via reviews, automated checks, and runs annual security pen tests with an external firm. All laptops, servers, and containers are configured to update to the latest versions when available. 

Detailed information about Grammarly’s technical and organizational measures to ensure the security of the data is specified in the enterprise-grade attestation and regulatory compliance pages at https://www.grammarly.com/security and https://www.grammarly.com/trust

Security Measures applicable for Superhuman Mail offerings:

The Superhuman Mail information security program includes administrative, technical, and physical safeguards designed to protect the Personal Information that we handle against anticipated threats or hazards to its security, confidentiality or integrity (such as unauthorized access, collection, use, copying, modification, disposal or disclosure, unauthorized, unlawful, or accidental loss, destruction, acquisition, damage, or any other unauthorized form of processing).

Superhuman’s security program is based on the following key security principles:
  • The principle of least privilege: Services and users are granted the minimal set of permissions required to do their job.
  • Encryption at rest and in transit: All data is encrypted at rest and in transit, with particularly sensitive data encrypted additionally at the application level.
  • Minimized attack surface: We expose no internal servers to the internet, use distroless containers, and run fully on infrastructure managed by Google.
  • Automatic updates: Laptops, servers, and containers are configured to automatically update to the latest versions soon after they become available.
  • Clear security boundaries: Production, staging, development, etc. are all separate, and navigating a security boundary requires authenticating using Google’s Identity and Access Management (IAM). All authentication requires two factors.
  • Verify assumptions: All code that is added to Superhuman is reviewed from the point of view of security, and we run annual security audits with an external firm to identify mistakes.


Below are some illustrative examples of security measures in place:
1. Measures for the encryption of personal data
  • Superhuman is hosted fully on Google Cloud. We make use of their existing infrastructure security to encrypt data at rest and, where appropriate, an additional layer of application-level encryption to reduce the risk of data being exposed.
  • Superhuman encrypts all network traffic across the public internet using at least TLS 1.2, and uses Google Cloud ATLS to protect traffic within our environment.
2. Measures for protecting ongoing confidentiality, integrity, availability, and resilience of processing systems and services
  • Superhuman keeps all of its systems and services up-to-date, using automated mechanisms where possible, or by responding to proactive alerting. We rely heavily on immutable infrastructure that is regularly recreated in a known good state.
  • Permissions are assigned using the principle of least privilege—each employee only has access to the necessary parts of the infrastructure required to perform their role.
  • Superhuman proactively predicts how our usage patterns will change, and invests heavily in ensuring that our systems are resilient to our anticipated load. All changes to systems are approved by an independent engineer and tested before they are changed in production.
3. Measures for restoring the availability and access to Personal Information in a timely manner in the event of a physical or technical incident
  • Superhuman continually monitors the availability of its systems and has 24/7 coverage in case of incidents affecting the availability of the service.
  • Superhuman core services are distributed across multiple zones to reduce the probability that a catastrophic event will impact our availability.
  • Superhuman backs up all data, and those backups are distributed across multiple regions, so that if our live production environment is completely unavailable, we will still be able to restore access to data.
4. Processes for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing
  • Superhuman conducts annual security audits using a third-party firm to help identify areas of cyber risk.
  • Superhuman conducts an annual SOC 2 audit process to help evaluate the effectiveness of our controls.
  • Superhuman conducts quarterly incident outage simulations, including restoring production backups.
5. Measures for user identification and authorization
  • All user identification is delegated to your email provider (Google or Microsoft), and we heavily rely on Oauth2 for authorization.
  • Superhuman employees are required to use multi-factor authentication.
  • All sign-in events are logged to an independent system of record.
6. Measures for physical security of locations at which Personal Information is processed
  • Superhuman processes Personal Information within Google Cloud, which provides physical security as described in Google documentation: https://cloud.google.com/security
7. Measures for ensuring system configuration, including default configuration
  • Superhuman uses Google Cloud Kubernetes Engine to enforce a consistent configuration across all our production machines.
  • Superhuman uses Google Cloud Security Scanner to identify any unsafe changes to configuration to our Google Cloud resources.
  • Superhuman uses MDM to enforce a secure system configuration for all company-owned laptops.
8. Measures for internal IT and IT security governance and management
  • Superhuman’s infrastructure is covered by Googleʼs ISO 27001 certification and SOC 2 attestations, since it is fully hosted on the Google Cloud.
  • Superhuman has in place a written Information Security Policy, including supporting documentation.
  • Other written security policies that Superhuman has in place include the following:
    • Data Access Levels
    • Disaster recovery and business continuity
    • Infrastructure management policy
    • Records of processing activities
    • Risk management policy
    • Data retention policy
9. Measures for ensuring accountability
  • Superhuman requires all employees to report any potential policy violations and to escalate them either to a manager, or to our anonymous complaints form.


Security Measures applicable for Coda offerings: 


Please review the information available at this site (which is subject to update from time to time): https://coda.io/trust/securityannex