// Trust & Security Report

    SuperAGI logo

    SuperAGI

    AI-native business platform ("AI Super App for Work") combining 50+ apps and digital-worker agents across Sales/CRM, Marketing, Customer Support, HR, E-Sign, and a low-code "Vibe Coder" builder, plus mobile apps. Originated as an open-source autonomous-agent framework and has since pivoted into a broad agentic SaaS suite for go-to-market and back-office teams. No public evidence of separate consumer vs. enterprise product tiers; the platform is sold as one connected suite with modular "apps" that customers install individually.

    Certifications held

    4

    Maturity

    Growth

    Trains on your data

    Yes

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2
    HELD

    SuperAGI meets and maintains industry-leading certifications including SOC 2, ISO 27001, GDPR, and HIPAA helping you stay compliant with global data privacy and governance regulations from day one.

    Verify on web.superagi.com
    ISO 27001
    HELD

    SuperAGI meets and maintains industry-leading certifications including SOC 2, ISO 27001, GDPR, and HIPAA helping you stay compliant with global data privacy and governance regulations from day one.

    Verify on web.superagi.com
    GDPR (compliance posture)
    HELD

    SuperAGI shall only Process Customer Personal Data on behalf of Customer and in accordance with Customer's documented instructions... SuperAGI shall maintain appropriate technical and organizational measures for the protection of the security... confidentiality and integrity of Customer Data. / SuperAGI shall be liable for the acts and omissions of its Sub-processors to the same extent SuperAGI would be liable if performing the services of each Sub-processor directly under the terms of this DPA.

    Verify on superagi.com
    HIPAA
    HELD

    SuperAGI meets and maintains industry-leading certifications including SOC 2, ISO 27001, GDPR, and HIPAA helping you stay compliant with global data privacy and governance regulations from day one.

    Verify on web.superagi.com
    > Show 5 unconfirmed / not-held certifications
    PCI DSS
    NOT CONFIRMED

    No public evidence of a PCI DSS attestation on SuperAGI's own domain despite the platform offering an Invoices/billing app; not listed among the certifications named on the trust page.

    source: web.superagi.com
    ISO/IEC 27017 / 27018 / 27701
    NOT CONFIRMED

    No public evidence. Trust page lists only SOC 2, ISO 27001, GDPR, and HIPAA; these cloud-security/privacy-extension standards are not named anywhere on the vendor's own site.

    source: web.superagi.com
    ISO/IEC 42001 (AI Management System)
    NOT CONFIRMED

    No public evidence of ISO 42001 or any dedicated AI-governance certification. Trust page discusses agent oversight/logging informally ("every agent decision logged, auditable, and optionally human-reviewed") but does not cite a formal AI-governance standard.

    source: web.superagi.com
    CSA STAR
    NOT CONFIRMED

    No public evidence found on vendor domain or via search.

    source: web.superagi.com
    FedRAMP
    NOT CONFIRMED

    No public evidence; SuperAGI is not on the FedRAMP marketplace and no vendor page references it.

    source: web.superagi.com

    // Privacy & AI training

    Trains on customer data

    Yes

    Data processing agreement

    Offered

    Data region

    SuperAGI agents run in AWS cloud; no specific region/residency guarantee (e.g., EU-only hosting) was found on the vendor's public pages. On-premises deployment is offered as an option for customers needing full data-location control.

    SuperAGI's own trust page states: "If you wish to opt out of using your data for certain AI training or analysis, our team will honor your request" - implying customer data is used for AI training/analysis by default unless the customer proactively opts out. There is no self-serve toggle described; the process is a manual request to the SuperAGI team. No tier-based distinction (e.g., paid vs. free) in training posture was found in public materials.

    // Security controls

    Encryption in transit and at rest

    SuperAGI agents run securely in AWS cloud with full encryption at rest and in transit.

    web.superagi.com

    Access control

    Granular role-based access control (RBAC) to ensure only authorized users can access or modify agent workflows.

    web.superagi.com

    Logging & auditability

    Comprehensive audit logs capture every agent interaction and system event; agent activity is centrally logged under retention policies. Every agent decision is logged, auditable, and optionally human-reviewed.

    web.superagi.com

    Deployment flexibility

    Supports on-premises deployment in addition to AWS-hosted cloud, for customers with strict data-governance requirements.

    web.superagi.com

    Security contact

    Security & Data Privacy team reachable at security@superagi.com / security@web.superagi.com for security inquiries and data-subject/opt-out requests.

    web.superagi.com

    // Products & data scope

    SuperAGI Sales/CRM & GTM suiteSales, CRM, marketing automation, prospecting/data enrichment

    data: Customer contact and company data, call recordings/logs, CRM records, uploaded CSV enrichment data

    Primary commercial focus per the current homepage; includes AI SDR/cold outreach, dialer, sequences, invoicing.

    Customer Support & Success appsSupport/CX

    data: Customer conversation transcripts across channels (chat, WhatsApp, unified inbox)

    Includes AI-assisted chat resolution/routing and a unified multi-channel inbox.

    Meetings / AI NotetakerProductivity, meeting intelligence

    data: Meeting audio/recordings, transcripts, summaries

    Joins, records, and summarizes meetings automatically - higher sensitivity data category (recorded conversations).

    HR suite (Attendance, ATS, People, Time Off, Performance)HR / HRIS

    data: Employee PII, attendance records, candidate/applicant data, performance reviews

    Broadest sensitivity data footprint of the platform; no HR-specific compliance statement (e.g., background-check handling) found beyond the general trust page.

    Vibe CoderLow-code app builder

    data: User-provided prompts/specs and generated application code

    Build and deploy web apps by chatting with AI; no separate security disclosures found for generated-code handling.

    Voice Agents / AI Business ReceptionistVoice AI

    data: Call audio, caller PII

    Answers/qualifies calls and books meetings autonomously; call recording implies telephony data handling not separately documented.

    // What to watch

    • The SOC 2, ISO 27001, and HIPAA claims are a single unqualified marketing sentence ("meets and maintains industry-leading certifications including SOC 2, ISO 27001, GDPR, and HIPAA") with no SOC 2 Type 1 vs Type 2 distinction, no named auditor, no audit date/scope, and no linked report or compliance badge/trust-portal (e.g., no SafeBase/Vanta/Drata widget found) - this is a potential over-claim pattern and should be re-verified by a human before being surfaced as a strong trust signal.
    • "HIPAA certification" is not a real, third-party-issued credential (there is no official HIPAA certifying body); the vendor's use of the word "certifications" for HIPAA is imprecise. Listing should describe this as a self-declared HIPAA compliance posture, not a certification.
    • AI training posture is opt-out, not opt-in - customer data is used for AI training/analysis by default unless the customer proactively contacts SuperAGI to opt out. This should be surfaced to prospective HR/CRM customers given the sensitivity of the data types on this platform (HR, meeting recordings, call audio).
    • Product surface has broadened significantly (CRM, HR, voice, e-sign, vibe-coding) beyond the vendor's original identity as an open-source AI agent framework; buyers should confirm which specific "app" module they are evaluating maps to the security posture described here, since no per-module compliance scoping was found.

    // At a glance

    Pricing model

    Per-app installable pricing on one platform ("50+ AI Native apps and agents... at unbelievable affordable price"); exact tiers/pricing not published on the pages captured.

    Self-hostable

    Yes

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on SuperAGI's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-09. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    web.superagi.com

    > Browse all vendor trust reports