// Trust & Security Report
SuperAGI
AI-native business platform ("AI Super App for Work") combining 50+ apps and digital-worker agents across Sales/CRM, Marketing, Customer Support, HR, E-Sign, and a low-code "Vibe Coder" builder, plus mobile apps. Originated as an open-source autonomous-agent framework and has since pivoted into a broad agentic SaaS suite for go-to-market and back-office teams. No public evidence of separate consumer vs. enterprise product tiers; the platform is sold as one connected suite with modular "apps" that customers install individually.
Certifications held
4
Maturity
Growth
Trains on your data
Yes
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on web.superagi.com“SuperAGI meets and maintains industry-leading certifications including SOC 2, ISO 27001, GDPR, and HIPAA helping you stay compliant with global data privacy and governance regulations from day one.”
Verify on web.superagi.com“SuperAGI meets and maintains industry-leading certifications including SOC 2, ISO 27001, GDPR, and HIPAA helping you stay compliant with global data privacy and governance regulations from day one.”
Verify on superagi.com“SuperAGI shall only Process Customer Personal Data on behalf of Customer and in accordance with Customer's documented instructions... SuperAGI shall maintain appropriate technical and organizational measures for the protection of the security... confidentiality and integrity of Customer Data. / SuperAGI shall be liable for the acts and omissions of its Sub-processors to the same extent SuperAGI would be liable if performing the services of each Sub-processor directly under the terms of this DPA.”
Verify on web.superagi.com“SuperAGI meets and maintains industry-leading certifications including SOC 2, ISO 27001, GDPR, and HIPAA helping you stay compliant with global data privacy and governance regulations from day one.”
> Show 5 unconfirmed / not-held certifications
source: web.superagi.comNo public evidence of a PCI DSS attestation on SuperAGI's own domain despite the platform offering an Invoices/billing app; not listed among the certifications named on the trust page.
source: web.superagi.comNo public evidence. Trust page lists only SOC 2, ISO 27001, GDPR, and HIPAA; these cloud-security/privacy-extension standards are not named anywhere on the vendor's own site.
source: web.superagi.comNo public evidence of ISO 42001 or any dedicated AI-governance certification. Trust page discusses agent oversight/logging informally ("every agent decision logged, auditable, and optionally human-reviewed") but does not cite a formal AI-governance standard.
source: web.superagi.comNo public evidence found on vendor domain or via search.
source: web.superagi.comNo public evidence; SuperAGI is not on the FedRAMP marketplace and no vendor page references it.
// Privacy & AI training
Trains on customer data
Yes
Data processing agreement
Offered
Data region
SuperAGI agents run in AWS cloud; no specific region/residency guarantee (e.g., EU-only hosting) was found on the vendor's public pages. On-premises deployment is offered as an option for customers needing full data-location control.
SuperAGI's own trust page states: "If you wish to opt out of using your data for certain AI training or analysis, our team will honor your request" - implying customer data is used for AI training/analysis by default unless the customer proactively opts out. There is no self-serve toggle described; the process is a manual request to the SuperAGI team. No tier-based distinction (e.g., paid vs. free) in training posture was found in public materials.
// Security controls
Encryption in transit and at rest
SuperAGI agents run securely in AWS cloud with full encryption at rest and in transit.
web.superagi.comAccess control
Granular role-based access control (RBAC) to ensure only authorized users can access or modify agent workflows.
web.superagi.comLogging & auditability
Comprehensive audit logs capture every agent interaction and system event; agent activity is centrally logged under retention policies. Every agent decision is logged, auditable, and optionally human-reviewed.
web.superagi.comDeployment flexibility
Supports on-premises deployment in addition to AWS-hosted cloud, for customers with strict data-governance requirements.
web.superagi.comSecurity contact
Security & Data Privacy team reachable at security@superagi.com / security@web.superagi.com for security inquiries and data-subject/opt-out requests.
web.superagi.com// Products & data scope
data: Customer contact and company data, call recordings/logs, CRM records, uploaded CSV enrichment data
Primary commercial focus per the current homepage; includes AI SDR/cold outreach, dialer, sequences, invoicing.
data: Customer conversation transcripts across channels (chat, WhatsApp, unified inbox)
Includes AI-assisted chat resolution/routing and a unified multi-channel inbox.
data: Meeting audio/recordings, transcripts, summaries
Joins, records, and summarizes meetings automatically - higher sensitivity data category (recorded conversations).
data: Employee PII, attendance records, candidate/applicant data, performance reviews
Broadest sensitivity data footprint of the platform; no HR-specific compliance statement (e.g., background-check handling) found beyond the general trust page.
data: User-provided prompts/specs and generated application code
Build and deploy web apps by chatting with AI; no separate security disclosures found for generated-code handling.
data: Call audio, caller PII
Answers/qualifies calls and books meetings autonomously; call recording implies telephony data handling not separately documented.
// What to watch
- The SOC 2, ISO 27001, and HIPAA claims are a single unqualified marketing sentence ("meets and maintains industry-leading certifications including SOC 2, ISO 27001, GDPR, and HIPAA") with no SOC 2 Type 1 vs Type 2 distinction, no named auditor, no audit date/scope, and no linked report or compliance badge/trust-portal (e.g., no SafeBase/Vanta/Drata widget found) - this is a potential over-claim pattern and should be re-verified by a human before being surfaced as a strong trust signal.
- "HIPAA certification" is not a real, third-party-issued credential (there is no official HIPAA certifying body); the vendor's use of the word "certifications" for HIPAA is imprecise. Listing should describe this as a self-declared HIPAA compliance posture, not a certification.
- AI training posture is opt-out, not opt-in - customer data is used for AI training/analysis by default unless the customer proactively contacts SuperAGI to opt out. This should be surfaced to prospective HR/CRM customers given the sensitivity of the data types on this platform (HR, meeting recordings, call audio).
- Product surface has broadened significantly (CRM, HR, voice, e-sign, vibe-coding) beyond the vendor's original identity as an open-source AI agent framework; buyers should confirm which specific "app" module they are evaluating maps to the security posture described here, since no per-module compliance scoping was found.
// At a glance
Pricing model
Per-app installable pricing on one platform ("50+ AI Native apps and agents... at unbelievable affordable price"); exact tiers/pricing not published on the pages captured.
Self-hostable
Yes
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on SuperAGI's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-09. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
web.superagi.com