// Trust & Security Report
SuperAnnotate AI, Inc.
Data annotation / human-in-the-loop platform for AI development (multimodal labeling, RLHF, SFT, agent and RAG evaluation), plus a managed expert-annotator workforce service; sold direct (enterprise/demo-gated) and as "SuperAnnotate Pro" on AWS Marketplace.
Certifications held
4
Maturity
Growth
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on trust.superannotate.com“Service Organization Controls (SOC 2) (Type II) trust service principles ... SOC 2 Type II is a compliance framework that ensures an organization consistently meets security, availability, and confidentiality standards through ongoing monitoring and evaluation. [Request]”
Verify on trust.superannotate.com“ISO/IEC 27001:2022 Information security, cybersecurity and privacy protection ... ISO 27001 is a globally recognized standard for ISMS, providing a framework to systematically and securely manage sensitive information. [Download]”
Verify on trust.superannotate.com“GDPR: Protect the personal data and privacy of EU citizens for transaction that occur within EU member states”
Verify on trust.superannotate.com“CCPA: California Consumer Privacy Act, is legislation designed to improve the data privacy of California residents”
> Show 7 unconfirmed / not-held certifications
source: trust.superannotate.comNo public evidence of a formal HIPAA program (no BAA offering, no HIPAA line item on the trust center's own Compliance list, which only names SOC 2, ISO 27001, GDPR, CCPA). The only vendor-domain HIPAA reference found is the ambiguous line 'Our authentication system is HIPAA eligible and PCI DSS, SOC, and ISO/IEC 27001, ISO/IEC 27017, ISO/IEC 27018, and ISO 9001 compliant' on the security page, which reads as boilerplate describing a third-party identity/auth subsystem rather than a SuperAnnotate corporate certification. The homepage also markets 'GDPR, CCPA & HIPAA' together as a compliance-help claim, but this is not backed by the trust center.
source: superannotate.comOnly appears inside the same ambiguous auth-system sentence ('Our authentication system is HIPAA eligible and PCI DSS, SOC, and ISO/IEC 27001... compliant') on the security page; not listed on the trust center's Compliance section and not attributable to SuperAnnotate itself with confidence.
source: superannotate.comOnly appears inside the same ambiguous auth-system sentence; not listed on the trust center's Compliance section.
source: superannotate.comOnly appears inside the same ambiguous auth-system sentence; not listed on the trust center's Compliance section.
source: trust.superannotate.comNo public evidence found on trust.superannotate.com, superannotate.com, or via search of an ISO/IEC 42001 or other AI-management-system certification.
source: trust.superannotate.comNo public evidence of CSA STAR registration or certification found on the vendor's trust center or site.
source: trust.superannotate.comNo public evidence of FedRAMP authorization found.
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Not offered
Data region
United States: privacy policy states 'The Service is hosted on servers located in the United States'; security page specifies AWS us-east-1. Enterprise VPC/on-prem data-containment options are described as being actively rolled out, not yet a general offering.
The vendor's own security page states, in its FAQ, 'SuperAnnotate is committed to never using or sharing any dataset or model created by its customers.' This is a direct, on-domain commitment not to reuse or train on customer datasets or models. It is presented as a marketing/FAQ commitment rather than a signed contractual (DPA) clause, and no separate public DPA link or explicit annotation-level data-use statement was found. Given the product's core business is producing training data for customers' own models via a human-in-the-loop workforce that touches customer data, prospective customers with proprietary or regulated data should still confirm this commitment contractually (DPA) before onboarding.
// Security controls
Encryption in transit
TLS required for all requests; TLS 1.0+ supported, 1.2+ recommended
superannotate.comAccess control
Role-based access controls (RBAC); administrative access restricted; user access reviews performed
trust.superannotate.comPenetration testing
Regular third-party penetration testing; full report available on request via Account Executive
trust.superannotate.comContinuous monitoring
Trust center controls continuously monitored by Secureframe (change management, availability, confidentiality, vulnerability management, incident response, risk assessment, network/access/physical security control families listed)
trust.superannotate.comSubprocessors
Disclosed list includes AWS (hosting), Bitbucket, Jira, G Suite, Slack, HubSpot, Mixpanel, HotJar, Zendesk (list is partial, 'View all' truncated)
trust.superannotate.comAdditional controls
IP whitelisting, signed URLs with expiration, backup/disaster-recovery, new-hire screening, cybersecurity insurance
superannotate.com// Products & data scope
data: Customer-uploaded multimodal data (image, video, text, LLM prompts/outputs) processed for RLHF, SFT, RAG, and agent-evaluation workflows
Core SaaS product; primary subject of the trust center certifications
data: Same customer data, plus access by SuperAntnotate-managed annotators and QA staff
Adds a third-party-labor data-access surface beyond the software itself; not separately certified on the trust center
data: Same as core platform
Procurement-only variant; no evidence of different security posture
data: Customer-controlled infrastructure
Vendor states it is 'actively building' VPC and on-prem support so data never leaves customer infrastructure; not yet confirmed as generally available
// What to watch
- Homepage over-claim risk: the marketing homepage groups 'GDPR, CCPA & HIPAA' together under 'Enterprise-grade security and compliance,' but the vendor's own trust center (trust.superannotate.com) Compliance section lists only SOC 2, ISO 27001, GDPR, and CCPA - HIPAA is absent. Do not credit a HIPAA certification.
- Host/subprocessor-vs-vendor conflation risk: the security page's line 'Our authentication system is HIPAA eligible and PCI DSS, SOC, and ISO/IEC 27001, ISO/IEC 27017, ISO/IEC 27018, and ISO 9001 compliant' reads as generic third-party auth-provider boilerplate (commonly used by identity providers such as Auth0), not a SuperAnnotate corporate certification. Graded held=false for PCI DSS, ISO 27017, and ISO 27018 accordingly.
- Customer-data reuse: the vendor's security page FAQ states 'SuperAnnotate is committed to never using or sharing any dataset or model created by its customers' - a favorable on-domain no-training commitment. It is an FAQ/marketing statement, not a linked DPA clause, and no public DPA link was found. Recommend contract-level (DPA/BAA) confirmation before listing as safe for highly sensitive or regulated data.
- No ISO/IEC 42001 (AI management system) or CSA STAR certification found, despite being an AI-focused vendor - a gap worth surfacing given some peers are pursuing AI-governance certs.
- Enterprise VPC/on-prem deployment is explicitly described by the vendor as in progress, not yet a stable offering - avoid marketing this vendor as 'self-hostable' without qualification.
// At a glance
Pricing model
Enterprise/contract pricing (demo-gated on the main site); also purchasable as SuperAnnotate Pro via AWS Marketplace
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on SuperAnnotate AI, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-05. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
trust.superannotate.com