For Superhuman Labs LLC customers who agreed to the DPA before Oct 29, 2025, please see DPA here, unless otherwise superseded.
Superhuman Data Privacy Addendum
Effective Date: July 8, 2026
This Data Privacy Addendum (“Addendum”) is incorporated into and subject to the terms and conditions of the current version of any agreements (“Agreement”) between you (“Customer”) and Superhuman Platform Inc. (“Superhuman”) (each a “Party” and collectively the “Parties”) governing the Customer’s use of the Services.
All capitalized terms not defined in this Addendum shall have the meanings set forth in the Agreement. This Addendum reflects the Parties’ agreement with respect to the terms governing Superhuman’s processing of personal data contained within Customer Data (“Customer Personal Data”) and protected by Applicable Data Privacy Laws.
In the event of any conflict or inconsistency between the terms of the main Agreement and this Addendum, the terms of this Addendum shall take precedence over the Agreement and any other associated contractual document between the Parties, to the extent of any such conflict. The Parties agree as follows:
1. Definitions.
For purposes of this Addendum:
a. “Applicable Data Privacy Laws” means national, federal, state, provincial, or other privacy, data security, data protection law, or regulation applicable to Processing of Customer Personal Data, including without limitation and as applicable: (i) United States Data Privacy Laws and (ii) European Data Privacy Laws, in each case as amended or superseded from time to time.
b. “Data Privacy Framework” means the EU-U.S. Data Privacy Framework, the Swiss-U.S. Data Privacy Framework, and the UK Extension to the EU-U.S. Data Privacy Framework self-certification programs (as applicable) as operated by the U.S. Department of Commerce; as may be amended, superseded, or replaced. “Data Privacy Framework Principles” means the Principles and Supplemental Principles contained in the relevant Data Privacy Framework.
c. “European Data Privacy Laws” means, as applicable to the Processing of Customer Personal Data: (i) General Data Protection Regulation (EU) 2016/679 (“GDPR”); (ii) the GDPR as saved into United Kingdom law by virtue of section 3 of the United Kingdom’s European (Withdrawal) Act 2018 (“UK Data Privacy Laws”); and (iii) in respect of Switzerland, The Federal Act on Data Protection of 19 June 1992 and its Ordinances (the “Swiss DPA”).
d. “Europe” means, for the purposes of this Addendum, the European Union, Iceland, Liechtenstein, Norway, Switzerland, and the United Kingdom.
e. “EU SCCs” means standard contractual clauses for the transfer of personal data to third countries pursuant to the GDPR between (i) controllers and processors or (as the circumstances require) (ii) processors and processors, in each case, as approved by the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021 and not including any clauses marked as optional.
f. “Data Security Incident” means a breach of Superhuman’s security that leads to the accidental or unlawful acquisition, destruction, loss, alteration, or unauthorized disclosure of or access to Customer Personal Data transmitted, stored, or otherwise processed by Superhuman in connection with the provision of the Service. “Data Security Incident” shall not include unsuccessful attempts or activities that do not compromise the security of Customer Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.
g. “Standard Contractual Clauses” means, as applicable, the EU SCCs or the UK SCCs.
h. “Sub-processor” means a processor engaged by Superhuman or its affiliates to assist in providing the Service(s) pursuant to the Agreement or this Addendum. Sub-processors may include third parties or affiliates of Superhuman but shall exclude any Superhuman employee, contractor, or consultant.
i. “United States Data Privacy Laws” means the California Consumer Privacy Act, the Colorado Privacy Act, the Connecticut Act Concerning Personal Data Privacy and Online Monitoring, the Utah Consumer Privacy Act, and the Virginia Consumer Data Protection Act, and any other privacy laws enacted by a US state, in each case as may be amended and together with applicable implementing regulations, that provide general privacy protection to consumers and distinguish between controllers and processors.
j. “UK SCCs” means the EU SCCs together with the International Data Transfer Addendum (version B1.0) approved by the United Kingdom Information Commissioner.
k. The terms “controller”, “data subject”, “personal data”, “process”, “processing,” and “processor” shall have the meanings given to them in the Applicable Data Privacy Laws and include the terms “business”, “consumer”, “personal information”, and “service provider”. The terms “business purpose”, “commercial purpose”, “sell”, and “share” shall have the meanings given to them in the United States Data Privacy Laws.
2. Scope and Purposes of Processing.
a. This Addendum applies to the extent that Superhuman Processes, as a processor or service provider (as applicable), any Customer Personal Data protected by Applicable Data Privacy Laws. Superhuman will only Process Customer Personal Data as set forth in this Addendum and in compliance with Applicable Data Privacy Laws.
b. The Parties acknowledge and agree that Customer is a controller or processor with respect to the Processing of Customer Personal Data, and Superhuman will Process Customer Personal Data only as a processor on behalf of Customer, as further described in Exhibit A (Data Processing Description) of this Addendum. If Customer is acting as processor, Customer will (i) fulfill Superhuman’s obligations to Customer’s controllers under this Addendum, including as applicable, the Standard Contractual Clauses, and (ii) ensure that any data processing undertaken pursuant to this Addendum reflects the documented instructions issued by the ultimate controller of such data.
c. Customer instructs Superhuman to Process Customer Personal Data in accordance with the Agreement (including this Addendum) and only for the following purposes:
(i) to provide, secure, and monitor the Service(s) in accordance with the Agreement;
(ii) to perform Processing activity initiated by Customer in its use of the Service (including, for example, through an administrative console); and
(iii) to comply with other reasonable instructions provided by Customer that are consistent with the terms of the Agreement and this Addendum.
Accordingly, processing by Superhuman is carried out for business purposes, including performing services on behalf of Customer, helping ensure security and integrity, debugging, and error repair.
d. Without prejudice to Section 3 (Customer Responsibilities), Superhuman shall immediately notify Customer in writing, unless prohibited from doing so under applicable law, if it becomes aware or believes that any Processing instructions from Customer violate European Data Privacy Laws and UK Data Privacy Laws.
3. Customer Responsibilities.
a. Customer shall have sole responsibility for the accuracy, quality, and legality of Customer Personal Data and the means by which Customer acquired Customer Personal Data.
b. Customer represents and warrants that it will comply with its obligations related to the processing of Customer Personal Data under Applicable Data Privacy Laws, including that: (i) it has provided, and will continue to provide, all notices and has obtained, and will continue to obtain, all consents, permissions, and rights necessary under applicable laws, including Applicable Data Privacy Laws, for Superhuman to lawfully Process Customer Personal Data for the purposes contemplated by the Agreement (including this Addendum); (ii) it has complied with all applicable laws, including Applicable Data Privacy Laws in the collection and provision to Superhuman of such Customer Personal Data; and (iii) it shall ensure its Processing instructions comply with applicable laws (including Applicable Data Privacy Laws) and that the processing of Customer Personal Data by Superhuman in accordance with Customer’s instructions will not cause Superhuman to be in breach of Applicable Data Privacy Laws.
c. If Customer reasonably believes that Superhuman is engaged in unauthorized Processing of Customer Personal Data, Customer will immediately notify Superhuman of such belief, and the Parties will work together in good faith to remediate the allegedly violative Processing activities, if necessary.
4. Superhuman Responsibilities.
a. Superhuman will:
i. Not Sell or Share Customer Personal Data.
ii. Not Process Customer Personal Data for any purpose other than for the specific purposes set forth herein. For the avoidance of doubt, Superhuman will not Process Customer Personal Data outside of the direct business relationship between Customer and Superhuman.
iii. Not combine Customer Personal Data with information received from or on behalf of another source or collected from Processor’s own interactions with a Data Subject except to the extent such combination is permitted under Applicable Data Privacy Laws.
iv. With respect to its Processing of Customer Personal Data, Superhuman complies with Applicable Data Privacy Laws and, where required of processors under Applicable Data Privacy Law, provides the same level of privacy protection as required of Customer under Applicable Data Privacy Law.
v. Notify Customer if, in Superhuman’s opinion, Superhuman is unable to meet its obligations under the Applicable Data Privacy Laws, unless such notice is prohibited by applicable law.
5. Data Subject Rights and Cooperation.
a. Superhuman will promptly notify Customer of: (i) any third party or individual (e.g., on Customer’s behalf); or (ii) any government or data subject requests for access to or information about Superhuman’s Processing of Customer Personal Data on Customer’s behalf (each a “Communication”), unless prohibited by Applicable Data Privacy Laws. In the event Superhuman receives such Communication directly, Superhuman will not respond to such Communication except as appropriate (e.g., to direct the data subject to contact Customer) or where legally required, without Customer’s prior authorization. Customer will be responsible for responding to any such request, including, where necessary, by using the functionality of the Services.
b. Superhuman shall provide reasonable and legally required assistance and cooperation to enable Customer to fulfill its obligations under Applicable Data Privacy Laws. Upon written request of Customer, this includes, to the extent Customer is not able to respond to Communication using the functionality of the Services, reasonable cooperation to assist Customer to respond to Communications taking into account the nature of the Processing.
c. To the extent required under Applicable Data Privacy Laws, and taking into account the nature of the Processing and the information available to Superhuman, Superhuman will provide reasonable assistance to Customer to carry out a data protection impact assessment or prior consultation with supervisory authorities, as required by Applicable Data Privacy Laws. Superhuman shall comply with the foregoing by: (i) complying with Section 10 (Audits); (ii) providing the information contained in the Agreement, including this Addendum; and (iii) if the foregoing sub-sections (i) and (ii) are insufficient for Customer to comply with such obligations, upon request, providing additional reasonable assistance (at Customer’s expense).
6. Data Security.
a. Superhuman will: (i) as outlined in Exhibit B, implement appropriate and reasonable administrative, technical, physical, and organizational measures designed to protect Customer Personal Data from Security Incidents and to preserve the security and confidentiality of Customer Personal Data (“Security Measures”); and (ii) ensure that employees, contractors, and Sub-processors authorized to Process the Customer Personal Data is under an appropriate obligation of confidentiality (whether statutory or contractual).
b. Customer is responsible for reviewing the information made available by Superhuman relating to data security and making an independent determination as to whether the Security Measures applicable to the Service meets Customer’s requirements and legal obligations under Applicable Data Privacy Laws. Customer acknowledges that the Security Measures are subject to technical progress and development and that Superhuman may update or modify the Security Measures from time to time, provided that such updates and modifications do not result in the degradation of the overall security of the Service provided to Customer.
c. Notwithstanding the above, Customer agrees that except as provided by this Addendum, Customer is responsible for its secure use of the Service, including securing its account authentication credentials, protecting the security of Customer Data when in transit to and from the Service, and taking any appropriate steps to securely encrypt or back up any Customer Data uploaded to the Service.
7. Data Security Incident.
a. Upon becoming aware of a Data Security Incident, Superhuman will: (i) notify Customer promptly and without undue delay after becoming aware of a Data Security Incident; (ii) provide timely information relating to the Data Security Incident as it becomes known or as is reasonably requested by Customer; and (iii) promptly take reasonable steps to contain and investigate any Data Security Incident.
b. Superhuman’s notification of or response to a Data Security Incident under this Section 7 shall not be construed as an acknowledgment by Superhuman of any fault or liability with respect to the Data Security Incident. Superhuman has no obligation to assess Customer Data to identify information that may be subject to specific legal requirements.
c. Customer acknowledges that (i) Data Security Incidents and Superhuman’s commitments in this Addendum do not extend to any third-party integrations or services that Customer or its End Users procure through the Superhuman marketplace and (ii) Customer is solely responsible for reviewing the security and privacy documentation and agreements provided by such third parties.
8. Sub-Processors.
a. Customer acknowledges and agrees that Superhuman may engage Sub-processors to Process Customer Personal Data in accordance with the provisions within this Addendum and Applicable Data Privacy Laws. A current list of Superhuman’s Sub-processors is available at https://superhuman.com/legal/subprocessors (“Sub-processor Page”) and Customer specifically authorizes Superhuman’s engagement of such Sub-processors. In addition, Customer generally authorizes Superhuman’s engagement of other third parties as Sub-processors, in accordance with Section 8(c) below.
b. Superhuman shall: (i) enter into a written agreement with each Sub-processor containing data protection obligations that provide at least the same level of protection for Customer Personal Data as those in this Addendum, to the extent applicable to the nature of the service provided by such Sub-processor; and (ii) remain responsible for such Sub-processor’s compliance with the obligations of this Addendum and for any acts or omissions of such Sub-processor that cause Superhuman to breach any of its obligations under this Addendum.
c. Superhuman shall notify Customer if it adds Sub-processors at least 30 days prior to any such changes if Customer opts in to receive such notifications using the dedicated form referenced in the Sub-processor Page. Customer may object in writing to Superhuman’s appointment of any new Sub-processor prior to their appointment on reasonable grounds relating to data protection (e.g., if making Customer Personal Data available to Sub-processor may violate Applicable Data Privacy Laws or weaken the protections for such Customer Personal Data) and in such instance, the Parties shall discuss such concerns in good faith with a view to achieving a commercially reasonable resolution. If no such resolution is reached, Superhuman will, at its sole discretion, either not appoint the Sub-processor or permit Customer to terminate or suspend the affected Service in accordance with the termination provisions in the Agreement without liability to either Party (but without prejudice to the fees incurred by Customer prior to suspension or termination).
9. Data Transfers.
a. Customer acknowledges that Superhuman may process Customer Personal Data in the United States and any other locations in which Superhuman and its Sub-processors maintain data processing operations to perform the Service. Superhuman will not transfer (directly or via onward transfer) Customer Personal Data originating in Europe to a country outside of Europe, unless it first takes measures to enable the transfer in compliance with applicable European Data Privacy Laws.
b. Superhuman participates in and certifies compliance with the Data Privacy Framework as described in Superhuman Platform Inc.’s Data Privacy Framework Certification. Where and to the extent the Data Privacy Framework applies, it will be used to lawfully receive Customer Personal Data in the United States, and Superhuman will ensure that it provides at least the same level of protection to such data as is required by the Data Privacy Framework Principles. Superhuman will notify Customer if it makes a determination that it can no longer comply with its obligations under the Data Privacy Framework.
c. If European Data Privacy Laws require that appropriate safeguards are put in place (for example, if the Data Privacy Framework does not cover the transfer or is invalidated), the applicable Standard Contractual Clauses will be incorporated in full by reference and form an integral part of this Addendum as follows (with the Annexes and/ or Appendices to the applicable Standard Contractual Clauses being as set out in Exhibit A to this Addendum):
i. To the extent Superhuman processes Customer Personal Data protected by European Data Privacy Laws, Superhuman agrees to be bound by and Process such Customer Personal Data in compliance with the EU SCCs. For the purposes of the descriptions in the EU SCCs, Superhuman agrees that it is a “data importer” and Customer is the “data exporter” (notwithstanding that Customer may itself be an entity located in a third country). For the purpose of Clause 9 of the EU SCCs shall allow for general authorization for the engagement of sub-processors in accordance with Section 8.c of this Addendum. For the purpose of Clause 17 of the EU SCCs, the governing law shall be the law of Ireland, and for Clause 18 the courts of Ireland shall have jurisdiction.
ii. To the extent Superhuman processes Customer Personal Data protected by UK Data Privacy Law, the UK SCCs will apply.
iii. To the extent Superhuman processes Customer Personal Data protected by the Swiss DPA, the EU SCCs will apply, with the following modifications:
A. any references in the EU SCCs to “Directive 95/46/EC” or “Regulation (EU) 2016/679” shall be interpreted as references to the Swiss DPA;
B. references to “EU”, “Union”, “Member State”, and “Member State law” shall be interpreted as references to Switzerland and Swiss law, as the case may be; and
C. references to the “competent supervisory authority” and “competent courts” shall be interpreted as references to the FDIPC and competent courts in Switzerland.
iv. In the event of any conflict between the EU SCCs or UK SCCs and this Addendum, the EU SCCs or UK SCCs (as applicable) will prevail.
10. Audits.
a. Upon Customer’s request, Superhuman will make available to Customer information reasonably necessary to demonstrate compliance with this Addendum. Customer acknowledges and agrees that it shall exercise its audit rights under this Addendum (including this Section 10(a) and, where applicable, the Standard Contractual Clauses), and any audit rights granted under Applicable Data Privacy Laws, by instructing Superhuman to comply with the audit measures described in Section 10(b) below.
b. Upon written request, Superhuman will supply (on a confidential basis) to Customer a summary copy of its most current audit report(s) (“Audit Report”) prepared by third-party security professionals at Superhuman’s selection and expense.
11. Return or Destruction of Customer Personal Data.
a. Upon termination or expiry of the Agreement, Superhuman will, at the written request of Customer, make available for return to Customer and/or securely destroy all Customer Personal Data in its possession or control in accordance with the Agreement, save that this requirement shall not apply to the extent Superhuman is required by applicable law to retain some or all of the Customer Personal Data, or to Customer Personal Data it has archived on back up systems, which data Superhuman shall securely isolate and protect from any further Processing and delete in accordance with its deletion practices.
12. Deidentified Data of United States Residents.
a. The Parties acknowledge that data that has been “de-identified” or “deidentified” in accordance with United States Data Privacy Laws (“Deidentified Data”) is not Personal Data.
b. Except as otherwise permitted by Applicable Data Privacy Laws, Superhuman may deidentify Customer Personal Data and Process Deidentified Data only if it:
i. Takes reasonable measures to ensure that the Deidentified Data cannot be associated with an individual;
ii. Publicly commits to maintain and use the Deidentified Data only in a deidentified fashion and not attempt to re-identify the Deidentified Data; and
iii. Contractually obligates any recipient of the Deidentified Data to comply with substantially similar requirements as those set out in this Section 12 (Deidentified Data) of the Addendum.
13. Limitation of Liability.
a. Superhuman’s liability arising out of or in connection with this Addendum is subject to the limitations and exclusions of liability stated in the Agreement.
14. Term.
a. The effective date of this Addendum is the date of the latest signature of a Party or, if no such date exists, the effective date of the Agreement.
15. Survival.
a. The provisions of this Addendum survive the termination or expiration of the Agreement for so long as Superhuman or its Sub-Processors Process Customer Personal Data.
Exhibit A: Data Processing Description
1. List of Parties:
Data exporter(s):
Name: The entity identified as “Customer” in the Addendum.
Address: The address for Customer specified in the Addendum or the Agreement.
Contact details: The contact details associated with the Customer’s account, or as otherwise specified in the Addendum or the Agreement.
Activities relevant to the data transferred: See Section 2 below.
Role: When Customer is acting as controller, Controller. When Customer is acting as a processor, Processor.
Data importer(s):
Name: “Superhuman” as identified in the Addendum.
Address: The address for Superhuman as specified in the Agreement.
Contact details: The contact details for Superhuman as specified in the Addendum or the Agreement.
Activities relevant to the data transferred: See Section 2 below.
Role: Processor
2. Description of Processing
a. Subject matter, nature, and purpose of Processing: Superhuman will process Customer Personal Data solely for the purposes set out in Section 2(c) of this Addendum.
b. Anticipated duration of Processing: For the term of the Agreement plus the period from expiry or termination of the Agreement until deletion of all Customer Personal Data by Superhuman in accordance with the Agreement.
c. Typical categories of Data Subjects: Data subjects include the individuals about whom data is provided to Superhuman via the Service by (or at the direction of) Customer or its Users.
d. Categories of Customer Personal Data typically subject to Processing under the Agreement: The categories of Customer Personal Data are determined by Customer in its sole discretion and include data relating to individuals provided to Superhuman via the Service, by (or at the direction of) Customer or its Users.
e. Special categories of Personal Data: Superhuman does not intentionally collect or Process any special categories of Personal Data.
Exhibit B: Technical and Organizational Security Measures
Superhuman maintains a unified information security program governing our Services, including Grammarly, Superhuman Mail, Docs (formerly known as Coda), and Superhuman Go. The security program is led by a dedicated security organization responsible for defining, implementing, and enforcing technical and organizational measures across our Services.
Superhuman reserves the right to update or modify these measures from time to time, provided that such updates or changes do not materially decrease the overall security of the Services.
The security measures described in Section 1 below apply to the Services, unless otherwise noted in Section 2. The additional Service-specific measures described in Section 2 apply solely to the relevant Service and only to the extent Customer has procured such Service, as identified in the applicable ordering document or purchase agreement.
Section 1: Common Security Measures
1.1 Infrastructure and Network Security
The Services are hosted on enterprise-grade cloud infrastructure provided by Amazon Web Services (AWS) and/or Google Cloud Platform (GCP), located in the United States. Superhuman minimizes its attack surface by placing systems within private networks, exposing external services through load balancers, and employing web application firewalls where appropriate. Infrastructure is reviewed prior to deployment and maintained using immutable or regularly recreated configurations to ensure a known-good state.
1.2 Encryption
Customer Personal Data is encrypted in transit using TLS 1.2 or higher and at rest using AES-256 symmetric encryption. Encryption keys are managed through the applicable infrastructure provider's key management service (AWS KMS or Google Cloud KMS), and access to cryptographic keys is restricted solely to authorized personnel.
1.3 Access Control
Access to systems processing Customer Personal Data follows the principle of least privilege. Employees with access to production systems are required to authenticate using multi-factor authentication (MFA). Role-based access control (RBAC) is used to scope permissions based on job function. Production, staging, and development environments are strictly separated, and traversing environment boundaries requires independent authentication.
1.4 Vulnerability Management and Patching
Superhuman performs continuous vulnerability scanning and package monitoring across its infrastructure. Identified vulnerabilities are triaged and remediated according to severity.
1.5 Application Security
Superhuman's software development process incorporates Secure Development Lifecycle (SDL) principles. Code changes are reviewed with security considerations before deployment to production. Superhuman employs static code analysis and dynamic security testing tools, and incorporates threat modeling into the design process for new services and features.
1.6 Penetration Testing and Security Assessments
Superhuman engages reputable third-party security research firms to conduct annual penetration testing across its Services, covering web applications, cloud infrastructure, desktop applications, and mobile applications. Superhuman also maintains a bug bounty program to facilitate responsible disclosure of security vulnerabilities.
1.7 Incident Management
Superhuman maintains documented incident response policies and procedures that are regularly tested and updated at least annually. 1.8 Business Continuity and Disaster Recovery
Services are distributed across multiple availability zones to reduce the impact of localized failures. Disaster recovery procedures are tested at least annually. Outage simulations are conducted on a recurring basis.
1.9 System Monitoring, Logging, and Alerting
Superhuman logs audit events, including privileged administrative operations and security-relevant events, across all layers of its infrastructure. Logs are monitored for suspicious activity and retained for a minimum of one (1) year, with access to logs restricted to authorized security personnel.
1.10 Personnel Security
Superhuman employees undergo background checks prior to onboarding. Employees are required to complete security training during onboarding and annually thereafter. Superhuman employee workstations are configured according to Superhuman's security standards, including disk encryption, automatic locking, strong password enforcement, timely patching, and management through endpoint management solutions.
1.11 IT Governance and Policy
Superhuman maintains a written Information Security Policy, supported by policies covering data access levels, disaster recovery, infrastructure management, records of processing activities, risk management, data retention, and acceptable use. Information security policies are reviewed internally at least annually, and all employees are required to acknowledge and comply with them.
1.12 Certifications and Compliance
The Services maintain SOC 2 Type 2 and ISO 27001 certifications. Superhuman's technical and organizational measures are implemented in accordance with these standards, and Superhuman maintains controls at least as protective as those described in the applicable SOC 2 Type 2 reports. Superhuman undergoes annual third-party audits to evaluate the effectiveness of its security controls.
Section 2: Service-Specific Measures
The following measures apply in addition to the measures described in Section 1 and are specific to the identified Service. To the extent there is a conflict between this Section 2 and Section 1 above, thisSection 2 will prevail.
2.1 Grammarly (and Superhuman Go, where integrated with Grammarly)
Grammarly is hosted on Amazon Web Services (AWS). Encryption key management is provided through AWS Key Management Service (KMS). External-facing services are protected by a web application firewall (WAF). Superhuman maintains data flow maps and service inventories to track internal and external data transfers related to the Grammarly service. Superhuman is registered for AWS Enterprise Support. Additional detail on Grammarly's security posture is available at https://www.grammarly.com/security and https://www.grammarly.com/trust.
2.2 Superhuman Mail
Superhuman Mail is hosted on Google Cloud Platform (GCP). Encryption key management is provided through Google Cloud KMS. Internal service-to-service traffic is additionally protected using Google's Application Layer Transport Security (ATLS). System configuration is enforced through Google Cloud Kubernetes Engine and monitored via Google Cloud Security Scanner. User authentication is delegated to the customer's email provider (Google or Microsoft) via OAuth2; Superhuman does not independently store user credentials. The Company conducts regular incident and outage simulations, including production backup restoration, for the Superhuman Mail service. Superhuman Mail infrastructure is covered by Google's ISO 27001 certification and SOC 2 attestations.
2.3 Docs (and Superhuman Go, where integrated with Docs)
Docs is hosted on Amazon Web Services (AWS). Encryption key management is provided through AWS Key Management Service (KMS). Production data is replicated across multiple AWS Availability Zones and to a second geographical region. Access to production systems employs Just-in-Time (JIT) access grants in addition to the standard RBAC model described in Section 1.3. Unless otherwise directed by the account holder, documents are retained in primary storage for seven (7) days to allow for recovery, then permanently removed from primary storage. Deleted documents are retained in backups for an additional thirty-five (35) days, after which they are permanently purged.
2.4 Superhuman Go
Superhuman Go is an integrated service that operates within the infrastructure of Grammarly (Section 2.1) and/or Docs (Section 2.3), depending on the context of use. The Service-specific measures applicable to the hosting Service apply to Superhuman Go.