We follow enterprise-grade security practices to protect our customers' data and work with independent experts to verify our security, privacy, and compliance controls. We hold a SOC 2 Type II report attesting to those controls against stringent standards, and through an integration with Drata we continuously monitor hundreds of controls to maintain our security posture and GDPR compliance. SuperDoc Editor (the JS library) is fully open source and self-hosted: documents stay on our customers' own infrastructure, and our team has no access to document content. The SuperDoc APIs are covered by the same SOC 2 attestation and follow a data-in, data-out model with no persistent document storage.

SOC 2 Type II

Independently audited, with full SOC 2 Type II reporting

Open Source

Transparent, open code

Continuous monitoring

Automated control monitoring and alerting

SOC 2 Report

We work with an independent auditor to maintain a SOC 2 report, which provides objective attestation that the controls protecting our customers' data are suitably designed and operating effectively. Developed by the Assurance Services Executive Committee (ASEC) of the AICPA, the Trust Services Criteria are the control criteria used to evaluate the suitability of the design and operating effectiveness of controls relevant to the security, availability, or processing integrity of information and systems, or the confidentiality or privacy of the information processed by the systems at an entity, a division, or an operating unit of an entity.

Continuous Control Monitoring

SuperDoc uses Drata's automation platform to continuously monitor 100+ security and privacy controls across the organization, including controls supporting GDPR compliance. Automated alerting and evidence collection allow SuperDoc to demonstrate its security and compliance posture on any day of the year, rather than only at audit time, while fostering a security-first mindset and a culture of compliance across the organization.

Team Access & Training

Security is a company-wide endeavor. All employees are required to use two-factor authentication for data access, are granted only the access level their role requires, and sign a Non-Disclosure and Confidentiality Agreement when joining the company. In addition, SuperDoc teammates complete an annual security training program and follow established best practices when handling customer data.

Penetration Tests

SuperDoc engages industry-leading security firms to perform annual network- and application-layer penetration tests.

Secure Software Development

SuperDoc applies a combination of manual review and automated security and vulnerability checks throughout the software development lifecycle.

Data Encryption

Data is encrypted in transit using Transport Layer Security (TLS) and at rest using AES-256.

Infrastructure

All of our infrastructure and services run in the cloud. We operate no physical servers, routers, load balancers, or DNS servers of our own; we run entirely on the Google Cloud Platform (GCP). Our production data stores are Google Cloud Spanner and Google Cloud Storage. GCP provides strong security controls, compliance coverage, and auditing across these systems.

Multi-region data storage and automated backups

All of our cloud data is stored multi-region (within the United States) to limit the impact of regional power outages or natural disasters. All data is also backed up automatically on a regular schedule and replicated across multiple US data center locations.

Compliance, Audit Logs, and Monitoring

We monitor our environment both directly and with third-party monitoring software to detect potential attacks and anomalous network behavior. Every user action in the system is logged and fully auditable. The GCP services we build on are themselves regularly audited for security and compliance (e.g., SOC 2), and Google publishes those audit reports for the underlying platform.

Terms of Service and Privacy Policy

Check out our dedicated Terms of Service and Privacy Policy pages.

Vulnerability Disclosure Program

If you believe you have discovered a security vulnerability in SuperDoc, please let us know at security@superdoc.dev. Our security team promptly investigates every reported issue.