DATA PROCESSING ADDENDUM

Last Updated: November 19th, 2021

If you require a signed copy of this addendum, please email hello@superhuman.com.

This Customer Data Processing Agreement, including its Annexes, (the "DPA") is supplemental to and forms part of our Terms of Service and any applicable order forms, statement of work or work orders (collectively, the "Agreement"), entered between Superhuman Labs, Inc. ("Superhuman") and the customer (the "Customer"). This DPA is supplemental to the Agreement and sets out the obligations that apply when Superhuman processes Personal Data on behalf of the Customer in the course of providing the services under the Agreement.

  1. Definitions

    1. "Applicable Data Protection Laws" means all worldwide data protection and privacy laws and regulations applicable to the Personal Data in question including, where applicable, (i) European Data Protection Laws and (ii) CCPA; in each case, as may be amended, superseded or replaced from time to time.

    2. "CCPA" means the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq., and its implementing regulations.

    3. "Europe" means, for the purposes of this DPA, the Member States of the European Union, plus Iceland, Liechtenstein, Norway, Switzerland and the United Kingdom.

    4. "European Data Protection Laws" means all data protection laws and regulations applicable to the European Union ("EU") or the European Economic Area ("EEA"), including (a) the General Data Protection Regulation 2016/679 (the "EU GDPR"); (b) the GDPR as saved into United Kingdom law by virtue of section 3 of the United Kingdom's European Union (Withdrawal) Act 2018 and the UK Data Protection Act 2018 (collectively, the "UK GDPR"); (c) the Swiss Federal Data Protection Act of 19 June 1992 and its corresponding ordinances ("Swiss DPA"); (d) Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector; and (e) applicable national implementations of (a), (b), (c), and (d).

    5. "Data Subject" means any individual about whom Personal Information may be processed pursuant to the Agreement.

    6. "Personal Information" means any information that is protected as "personal data", "personal information" or "personally identifiable information" under Applicable Data Protection Laws and which is processed by Superhuman on behalf of the Customer in connection with the Services, as more particularly described in Annex A of this DPA.

    7. "Privacy Shield" means the EU-U.S. Privacy Shield program operated by the U.S. Department of Commerce and approved by the European Commission pursuant to Decision C(2016) 4176 of 12 July 2016 and by the Swiss Federal Council on January 11, 2017 respectively.

    8. "Privacy Shield Principles" means the Privacy Shield Framework Principles (as supplemented by the Supplemental Principles) contained in the Annex II to the European Commission Decision of July 12, 2016.

    9. "Restricted Transfer" means: (i) where the EU GDPR applies, a transfer of Personal Information from the EEA to a country outside of the EEA which is not subject to an adequacy determination by the European Commission; (ii) where the UK GDPR applies, a transfer of Personal Information from the United Kingdom to any other country which is not subject to adequacy regulations pursuant to Section 17A of the United Kingdom Data Protection Act 2018; and (iii) where the Swiss DPA applies, a transfer of Personal Information from Switzerland to any other country which is not based on an adequacy decision recognized under Swiss data protection law.

    10. "Security Incident" means any confirmed breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Personal Information transmitted, stored or otherwise processed by Superhuman in the context of this Agreement. "Security Incident" shall not include unsuccessful attempts or activities that do not compromise the security of Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.

    11. "Sensitive Information" means Personal Information revealing a Data Subject’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, sex life or sexual orientation.

    12. "Services" means the services provided by Superhuman to the Customer under the Agreement.

    13. "Model Clauses" or "SCCs" means (i) where the EU GDPR applies, the contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council ("EU SCCs"); and (ii) where the UK GDPR applies, standard data protection clauses for processors adopted pursuant to Article 46(2)(c) or (d) of the UK GDPR ("UK SCCs") (in each case as amended, superseded or updated from time to time).

    14. "Sub-processor" means any third party processor engaged by Superhuman to assist in fulfilling its obligations with respect to providing the Services under the Agreement and this DPA.

    15. The terms "controller", "processor" and "processing" shall have the meanings given to them in the GDPR, and the terms "process", "processes" and "processed" shall be interpreted accordingly.

  2. Scope and applicability of this DPA

    1. Scope

      This DPA applies to the extent that Superhuman processes Personal Information that is subject to Applicable Data Protection Laws as a processor (or a sub-processor, where applicable) on behalf of and in accordance with the instructions of the Customer in the course of providing the Services and/or for the business purposes agreed with the Customer in writing in the Agreement (collectively, the "Business Purposes"), as further described in Annex A of this DPA. For the avoidance of doubt, Business Purposes shall include (i) processing in accordance with the Agreement (including this DPA); (ii) processing initiated by Customer's authorized users in their use of the Services; and (iii) processing to comply with other documented, reasonable instructions provided by Customer (e.g. via email) or where otherwise agreed upon by the parties, where such instructions are consistent with the terms of the Agreement.

    2. Processing of Personal Information

      The Parties acknowledge and agree that Customer is the controller of the Personal Information processed in connection with the Services or, if Customer is itself acting on behalf of a third-party controller, a processor.

      Superhuman will at all times: (i) process the Personal Information only to fulfil the Business Purposes to provide the Services to Customer in accordance with the Agreement; (ii) not process the Personal Information for a purpose other than the Business Purposes; (iii) not "sell" Personal Information (as understood within the requirements of the CCPA); (iv) not retain, use, or disclose the Personal Information except as necessary to fulfil the Business Purposes or as otherwise permitted under Applicable Data Protection Laws; and (v) not retain, use, or disclose the Personal Information outside of the direct business relationship between the person and the business except as necessary to fulfil the Business Purposes or as otherwise permitted under the Applicable Data Protection Laws. Superhuman certifies that it understands these restrictions and will comply with them.

      Customer shall comply with its obligations under Applicable Privacy Laws, and in particular under European Data Protection Laws as a controller or processor (as applicable). Where Customer is itself a processor acting on behalf of a third party controller, Customer shall ensure that any data processing undertaken pursuant to this DPA and the Agreement reflects the documented instructions issued by the ultimate controller of such data.

      Superhuman shall process Personal Data submitted to Superhuman by the Customer within the Services as a processor (or sub-processor, as applicable) on behalf of the Customer and in accordance with Customer's instructions.

      As a processor, Superhuman shall process Personal Information only for the purposes described in the Agreement (including this DPA) and only in accordance with the Business Purposes. Superhuman shall inform the Customer if, in its opinion, the Customer's processing instructions infringe Applicable Data Protection Laws.

      The parties agree that the Agreement (including this DPA), and the Customer's use of the Services in accordance with the applicable terms of use, set out Customer's complete and final instructions to Superhuman in relation to the processing of Personal Information. The parties further agree that any processing outside the scope of these instructions (if any) shall require a prior written agreement between the Customer and Superhuman.

    3. Aggregate or de-identified information

      Notwithstanding the foregoing or anything to the contrary in the Agreement (including this DPA), the Customer acknowledges that Superhuman shall have a right to collect and create anonymized, aggregate, and/or de-identified information as defined by Applicable Data Protection Law ("Aggregate Data") for its own legitimate business purposes, including, but not limited to, product improvement and development.

    4. Customer responsibilities

      The Customer is responsible for the lawfulness of Personal Information processed under or in connection with the Agreement. Notwithstanding anything contrary in the Agreement, the Customer represents and warrants that:

      1. it has provided, and will continue to provide, all notices, and has obtained, and will continue to obtain, all consents, permissions and rights necessary under Applicable Data Protection Laws for Superhuman to lawfully process Personal Information for the purposes contemplated by the Agreement (including this DPA);

      2. it has complied with its obligations under Applicable Data Protection Laws in order to lawfully provide Superhuman and its Sub-processors with the Personal Information; and

      3. it shall ensure its processing instructions comply with applicable laws (including Applicable Data Protection Law) and that the processing of Personal Information by Superhuman in accordance with the Customer's instructions will not cause Superhuman to be in breach of Applicable Data Protection Laws.

    5. Prohibited information

      Customer further acknowledges that it shall not disclose, and shall not require any individuals to disclose, (i) Sensitive Information or (ii) Personal Information of any person under the age of 13, and Customer agrees not to provide any such information through the Services.

  3. Security

    The Services provide reasonable technical and organizational measures that have been designed, taking into account the nature of its Processing, to assist Superhuman's customers in securing their Personal Information in the Services, insofar as reasonably possible. Such measures shall have regard to the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. These measures are listed in Annex B of this DPA.

    Superhuman will require that its personnel who are granted access to Personal Information be under an appropriate obligation of confidentiality (whether a contractual or statutory duty) to protect the confidentiality of the Personal Information.

    Customer agrees that, except as otherwise provided by this DPA, the Customer is responsible for its secure use of the Services, including securing its account authentication credentials, protecting the security of Personal Information when in transit to and from the Service(s) and taking any appropriate steps to securely encrypt or backup any Personal Information processed in connection with the Services.

    Upon written request from Customer, Superhuman shall provide written responses (on a confidential basis) to reasonable requests for information from Customer in relation to Superhuman's processing of Personal Information, as long as Customer does not exercise this right more than once in any 12-month rolling period. Customer may also exercise such audit right in the event Customer is expressly requested or required to provide this information to a data protection authority, or Superhuman has experienced a Security Incident, or on another reasonably similar basis.

  4. Data subject requests

    Customer is responsible for handling any requests or complaints from Data Subjects with respect to their Personal Information processed by Superhuman. Customer shall delete from the Services all Personal Information (except where such information has been anonymized or de-identified) for which it has received a verified request for deletion from the relevant individuals or applicable data protection authorities relating to the processing of Personal Information under the Agreement.

    Superhuman will notify Customer as soon as practicable, unless prohibited by applicable law, if Superhuman receives any such requests or complaints. For the avoidance of doubt, Superhuman may communicate, without restriction, with a regulatory or judicial body or a Data Subject if it is not reasonably apparent on the face of the communication to which customer of Superhuman the request relates.

    Customer acknowledges that the Services provide the Customer with a number of controls that the Customer may use to retrieve, correct, delete or restrict Personal Information, which Customer may use to assist it in connection with its obligations under Applicable Data Protection Laws and to respond to requests from Data Subjects or applicable data protection authorities.

  5. Assistance

    1. Data protection impact assessments

      Superhuman will assist with conducting any legally required data protection impact assessments (including subsequent consultation with applicable data protection authorities), if so required by applicable law, taking into account the nature of processing and the information available to Superhuman. Superhuman may charge a reasonable fee for any such assistance, as permitted by Applicable Data Protection Laws.

    2. Regulatory investigations

      Upon request from the Customer, Superhuman will assist the Customer in the event of an investigation by a competent regulator, including a data protection authority or similar authority, if and to the extent that such investigation relates to the processing of Personal Information by Superhuman on the Customer's behalf in accordance with this Agreement. Superhuman may charge a reasonable fee for such requested assistance, to the extent permitted by Applicable Data Protection Laws.

  6. Security Incidents

    Upon becoming aware of a Security Incident, Superhuman shall notify Customer without undue delay that a Security Incident has occurred, unless otherwise prohibited by applicable law or otherwise as instructed by a supervisory authority. Following such notification, Superhuman will take reasonable steps to mitigate the effects of the Security Incident and to minimize any damage resulting from the Security Incident. Superhuman shall provide timely information relating to the Security Incident as it becomes known or as is reasonably requested by Customer.

    At the Customer's request, Superhuman will provide reasonable assistance and cooperation with respect to any notifications that the Customer is legally required to send to affected Data Subjects and relevant authorities. Superhuman may charge a reasonable fee for such requested assistance, to the extent permitted by Applicable Data Protection Laws.

  7. Sub-processors

    Pursuant to the Agreement, Customer agrees that Superhuman may engage Sub-processors to process personal data on the Customer's behalf and disclose Personal Information to Sub-processors, provided that Superhuman imposes appropriate obligations on its Sub-processors regarding the security and confidentiality of Personal Information.

    By signing this DPA, Customer hereby provides a general written authorization for Superhuman to engage Sub-processors to provide the Services. Customer may access our list of Sub-processors through the following URL: https://superhuman.com/subprocessors. You can subscribe to email notifications of updates to our Sub-processor list by emailing this request to hello@superhuman.com. Superhuman will provide at least fifteen (15) calendar days' prior written notice to Customer of the engagement of any new Sub-processor. Customer may object in writing to the appointment of each such Sub-processor on reasonable grounds (e.g. if making Personal Information available to the Sub-processor may violate Applicable Privacy Law or weaken the protections for such Personal Information) by notifying Superhuman promptly in writing within ten (10) calendar days of receipt of Superhuman's notice in accordance with this Section 7. Such notice shall explain the reasonable grounds for the objection and the parties shall discuss such concerns in good faith with a view to achieving a commercially reasonable resolution. If Customer does not object to the proposed Sub-processor within ten (10) calendar days of receipt of notice, the Sub-processor is deemed to have been approved. Superhuman may, in its sole discretion, remove the Sub-processor from the list. In the event a Sub-processor is removed by Superhuman, Superhuman will be provided a reasonable amount of time to replace the Sub-processor.

  8. Data Transfers

    In connection with the performance of the Agreement, the parties agree that Superhuman may transfer Personal Information to various locations, which may include locations both inside and outside of the European Economic Area ("EEA"). The parties agree that where a transfer of Personal Information from Customer to Superhuman is a Restricted Transfer, it will be subject to the transfer mechanisms listed below. The parties further agree that:

    1. although Superhuman is not relying on Privacy Shield as a legal basis for transfers of personal data outside the EU in light of the judgement of the Court of Justice of the European Union in Case C-311/18, Superhuman shall continue to process personal data (within the meaning of Applicable Data Protection Laws) in compliance with the Privacy Shield Principles as long as Superhuman is self-certified to Privacy Shield. Superhuman further agrees to notify Customer if it determines that it can no longer meet its obligation to provide the level of protection required by the Privacy Shield Principles.

    2. the Restricted Transfer shall be subject to the appropriate Model Clauses, which are automatically incorporated by reference and form an integral part of this DPA, as follows:

      1. In relation to Personal Information that is protected by the GDPR, the EU SCCs will apply as follows:

        1. Module Two (Transfer controller to processor) and Module Three (Transfer processor to processor) will apply, where appropriate;

        2. in Clause 7, the optional docking clause shall apply;

        3. in Clause 9, Option 2 will apply, and the time period for prior notice of Sub-Processor changes shall be fifteen (15) days;

        4. in Clause 11, the optional language will not apply;

        5. in Clause 17, Option 1 will apply, and the EU SCCs will be governed by Irish law;

        6. in Clause 18(b), disputes shall be resolved before the courts of Ireland;

        7. Annex I of the EU SCCs shall be deemed completed with the information set out in Annex A to this DPA;

        8. Annex II of the EU SCCs shall be deemed completed with the information set out in Annex B to this DPA.

      2. In relation to data that is protected by the UK GDPR, the EU SCCs as implemented in accordance with paragraph (1) above will apply provided that:

        1. any references in the EU SCCs to "Directive 95/46/EC" or "Regulation (EU) 2016/679" shall be interpreted as references to the UK GDPR; references to specific Articles of "Regulation (EU) 2016/679" are replaced with the equivalent Article or Section of UK GDPR; references to "EU", "Union" and "Member State law" are all replaced with "UK"; Clause 13(a) and Part C of Annex II of the EU SCCs are not used; references to the "competent supervisory authority" and "competent courts" shall be interpreted as references to the Information Commissioner and the courts of England and Wales; Clause 17 of the EU SCCs is replaced to state that "The Clauses are governed by the laws of England and Wales" and Clause 18 of the EU SCCs is replaced to state "Any dispute arising from these Clauses shall be resolved by the courts of England and Wales. A data subject may bring legal proceeding against the data exporter and/or data importer before the courts of any country in the UK. The Parties agree to submit themselves to the jurisdiction of such courts";

        2. to the extent and for so long as the EU SCCs as implemented in accordance with paragraph (1) above cannot be used to lawfully transfer Personal Information protected by the UK DPA to Superhuman, the UK SCCs shall be incorporated into and form an integral part of this DPA and shall apply to such transfers; and

        3. for the purposes of the UK SCCs (where applicable) the relevant Annexes/ Appendices of the UK SCCs shall be deemed completed using the information contained in Annex A and Annex B of this DPA.

      3. In relation to Personal Information that is protected by the Swiss DPA, the EU SCCs as implemented in accordance with paragraph (1) above will apply provided that:

        1. references in the EU SCCs to "Regulation (EU) 2016/679" or the "GDPR" shall be interpreted as references to the Swiss Federal Act on Data Protection (FADP);

        2. references to "EU", "Union" and "Member State law" shall be interpreted as references to Switzerland and to Swiss law, as the case may be;

        3. the term "member state" shall not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland);

        4. the EU SCC clauses should be interpreted as protecting the data of legal entities until the entry into force of the revised FADP; and

        5. references to the "competent supervisory authority" and "competent courts" shall be interpreted as references to the Swiss Federal Data Protection and Information Commissioner (FDPIC) and competent courts in Switzerland.

      4. In the event that any provision of this Agreement or this DPA contradicts, directly or indirectly, the Model Clauses, the Model Clauses shall prevail.

    3. to the extent Superhuman adopts an alternative data export mechanism (including any new version of or successor to the Standard Contractual Clauses) for the transfer of personal data ("Alternative Transfer Mechanism"), the Alternative Transfer Mechanism shall apply instead of any transfer mechanism described in this DPA (but only to the extent such Alternative Transfer Mechanism complies with Applicable Data Protection Law and extends to the territories to which the personal data is transferred), and, if required, the parties agree to execute such other and further documents and take such other and further actions as may be reasonably necessary to give legal effect to such Alternative Transfer Mechanism; and

    4. if and to the extent that a court of competent jurisdiction or relevant supervisory authority with binding authority orders (for whatever reason) that the measures described in this DPA cannot be relied on to lawfully transfer personal data in accordance with Applicable Data Protection Laws, Superhuman may implement any additional measures or safeguards not described in this DPA to enable the lawful transfer of such personal data.

  9. Return or disposal

    Upon termination or expiration of the Agreement for any reason, Superhuman will, at the Customer's request, return or destroy Personal Information in its possession or control. This requirement shall not apply to the extent that Superhuman is required by any applicable law to retain some or all information (including Personal Information), in which event Superhuman shall isolate and protect such data from any further processing except to the extent required by applicable law.

  10. General

    1. The parties agree that this DPA shall supersede and replace any existing terms the parties may have previously entered into in connection with the Services, as such terms relate to the subject matter of this DPA.

    2. The obligations placed upon Superhuman under this DPA shall survive so long as Superhuman and/or its Sub-processors process Personal Information on the Customer's behalf.

    3. This DPA may not be modified except by a subsequent written instrument signed by both parties.

    4. If any part of this DPA is held unenforceable, the validity of all remaining parts will not be affected.

    5. The Agreement remains unchanged and in full force and effect. In case of discrepancies between this DPA and any agreement(s) between the parties and/or their Affiliates, the provisions of the following documents (in order of precedence) shall prevail: (a) Standard Contractual Clauses (where applicable); then (b) this DPA; and then (c) the main body of the Agreement. This DPA shall not limit or restrict, but shall only be deemed to supplement, the Standard Contractual Clauses.

    6. Any claims brought under or in connection with this DPA shall be subject to the terms and conditions of the Agreement.

    7. This DPA will be governed by and construed in accordance with the governing law and venue provisions in the Agreement, unless required otherwise by Applicable Data Protection Laws.

ANNEX A

DATA PROCESSING/TRANSFER DESCRIPTION

ANNEX 1(A): LIST OF PARTIES

Data exporter

Name of the data exporter: The entity identified as "Customer" in the Agreement and this DPA.

Activities relevant to the data transferred: The activities specified in the DPA.

Role (Controller/Processor): Controller (for Module 2) or Processor (for Module 3).

Data importer

Name of the data importer: Superhuman Labs, Inc.

Activities relevant to the data transferred: The activities specified in the DPA.

Role (Controller/Processor): Processor

ANNEX 1(B): DESCRIPTION OF THE PROCESSING / TRANSFER

Categories of Data Subjects whose personal information is transferred:

Customer shall be deemed to have declared that the categories of data subjects include: (i) prospects, customers, business partners and vendors of Customer (who are natural persons); (ii) employees or contact persons of Customer’s prospects, customers, business partners and vendors; (iii) employees, agents, advisors, freelancers of Customer (who are natural persons); and/or (iv) Customer’s Authorized Users.

Categories of Personal Information transferred:

Customer shall be deemed to have declared that the types of personal data may include but are not limited to the following types of personal data: (i) name, address, title, contact details; (ii) IP addresses, usage data, cookie data, location data; and (iii) contents of emails.

Sensitive Information transferred (if appropriate) and applied restrictions or safeguards

In accordance with Section 2.5 of the DPA, Customer shall not disclose, and shall not require any individuals to disclose, (i) Sensitive Information or (ii) Personal Information of any person under the age of 13, and Customer agrees not to provide any such information through the Services.

Frequency of the Transfer (e.g. whether the data is transferred on a one-off or continuous basis)

Continuous or one-off depending on the Services being provided by Superhuman.

Nature, subject matter and duration of the Processing

Nature: Superhuman provides a Service designed to improve the email experience by making it faster and more intelligent, as further described in the Agreement.

Subject Matter: Personal Information.

Duration: The duration of the data processing under this DPA is until the termination of the Agreement in accordance with its terms, plus the period from the expiry of the Agreement until deletion of the Personal Information by Superhuman, in accordance with the terms of the Agreement.

Purpose(s) of the data transfer and further processing:

Superhuman shall process Personal Information for the Business Purposes, as further defined in Section 2.1 of the DPA.

Period for which the personal information will be retained, or if that is not possible the criteria used to determine that period, if applicable:

Superhuman will retain Personal Information from Customer for the term of the Agreement and any period after the termination or expiry of the Agreement during which Superhuman processes Personal Information from Customer in accordance with the Agreement.

ANNEX 1(C): COMPETENT SUPERVISORY AUTHORITY

Competent supervisory authority

The competent supervisory authority, in accordance with Clause 13 of the EU SCCs, is either:

  1. the supervisory authority applicable to the data exporter in its EEA country of establishment or,

  2. where the data exporter is not established in the EEA, the supervisory authority applicable in the EEA country where the data exporter's EU representative has been appointed pursuant to Article 27(1) of the GDPR, or

  3. where the data exporter is not obliged to appoint a representative, the supervisory authority applicable to the EEA country where the data subjects relevant to the transfer are located.

With respect to the processing of Customer Personal Data to which the UK GDPR applies, the competent supervisory authority is the Information Commissioner's Office (the "ICO").

With respect to the processing of personal data to which the Swiss DPA applies, the competent supervisory authority is the Swiss Federal Data Protection and Information Commissioner.

ANNEX B

TECHNICAL AND ORGANISATIONAL MEASURES

TO ENSURE THE SECURITY OF THE DATA PROCESSED

Description of the technical and organizational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.

Superhuman's information security program includes administrative, technical, and physical safeguards to protect the Personal Information that we handle against anticipated threats or hazards to its security, confidentiality or integrity (such as unauthorized access, collection, use, copying, modification, disposal or disclosure; unauthorized, unlawful, or accidental loss, destruction, acquisition, or damage; or any other unauthorized form of processing).

Superhuman's security program is based on the following key security principles:

  • The principle of least privilege — services and users are granted the minimal set of permissions required to do their job.

  • Encryption at rest and in transit — all data is encrypted at rest and in transit, with particularly sensitive data encrypted additionally at the application level.

  • Minimized attack surface — we expose no internal servers to the internet, use distroless containers, and run fully on infrastructure managed by Google.

  • Automatic updates — laptops, servers and containers are configured to automatically update to the latest versions soon after they become available.

  • Clear security boundaries — production, staging, development, etc. are all separate and navigating a security boundary requires authenticating using Google's Identity and Access Management (IAM). All authentication requires two factors.

  • Verify assumptions — all code that is added to Superhuman is reviewed from the point of view of security, and we run annual security audits with an external firm to catch mistakes.

We have included below some illustrative examples of security measures in place at Superhuman:

  1. Measures for the encryption of personal data

    • Superhuman is hosted fully on Google Cloud. We make use of their existing infrastructure security to encrypt data at rest, and where appropriate, an additional layer of application-level encryption to reduce the risk of data being exposed.

    • Superhuman encrypts all network traffic across the public internet using TLS, and uses Google's Application Layer Transport Security (ALTS) to protect traffic within our datacenter.

  2. Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services

    • Superhuman keeps all of its systems and services up-to-date, using automated mechanisms where possible, or by responding to proactive alerting where that is not possible. We rely heavily on immutable infrastructure that is regularly recreated in a known good state.

    • Permissions are assigned using the "principle of least privilege" — each employee only has access to the necessary parts of the infrastructure required to perform their role.

    • Superhuman proactively predicts how our usage patterns will change, and invests heavily in ensuring that our systems are resilient to our anticipated load. All changes to systems are approved by an independent engineer and tested before they are deployed to production.

  3. Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident

    • Superhuman continually monitors the availability of its systems and has 24/7 coverage in case of incidents affecting the availability of the service.

    • Superhuman runs core services distributed across multiple availability zones to reduce the probability that a catastrophe will impact our availability.

    • Superhuman backs up all data and those backups are distributed across multiple regions to ensure that even if our live production environment is completely unavailable, we will still be able to restore access to data.

  4. Processes for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing

    • Superhuman runs annual security audits with a third party firm to help us identify areas of risk.

    • Superhuman runs an annual SOC 2 certification process to help us evaluate the effectiveness of our controls.

    • Superhuman runs quarterly incident outage simulations, including restoring production backups, and simulating other scenarios to ensure our team is trained in how to respond.

  5. Measures for user identification and authorisation

    • All user identification is delegated to Google, and we rely heavily on OAuth 2.0 for authorization.

    • Superhuman employees are required to use multi-factor authentication using physically secure tokens.

    • All sign-in events are logged to an independent system of record.

  6. Measures for the protection of data during transmission

    • See the information provided in relation to data in transit under Section 1 (Measures for the encryption of personal data).

  7. Measures for the protection of data during storage

    • See the information provided in relation to data at rest under Section 1 (Measures for the encryption of personal data).

  8. Measures for ensuring physical security of locations at which personal data are processed

  9. Measures for ensuring system configuration, including default configuration

    • Superhuman uses Google Cloud Kubernetes Engine to enforce a consistent configuration across all our production machines.

    • Superhuman uses Google Cloud Security Scanner to identify any unsafe changes to configuration to our Google Cloud resources.

    • Superhuman uses MDM to enforce a secure system configuration for all corporate laptops.

  10. Measures for internal IT and IT security governance and management

    • Superhuman's infrastructure is covered by Google's ISO 27001 certification, since it is fully hosted on the Google Cloud.

    • Superhuman has in place a written information security policy, including supporting documentation.

    • Other written security policies that Superhuman has in place include the following:

      • Data Access Levels

      • Disaster recovery and business continuity

      • Infrastructure management policy

      • Records of processing activities

      • Risk management policy

      • Data retention policy

  11. Measures for ensuring accountability

    • Superhuman logs access to any customer data, and these logs are publicly visible.

    • Superhuman requires all employees to report any potential policy violations and to escalate them either to a manager, or to our anonymous complaints form.

    • Data processing agreements are in place with our data processing partners.