// Trust & Security Report

    SuperAnnotate AI, Inc. logo

    SuperAnnotate AI, Inc.

    Data annotation / human-in-the-loop platform for AI development (multimodal labeling, RLHF, SFT, agent and RAG evaluation), plus a managed expert-annotator workforce service; sold direct (enterprise/demo-gated) and as "SuperAnnotate Pro" on AWS Marketplace.

    Certifications held

    4

    Maturity

    Growth

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type II
    HELD

    Service Organization Controls (SOC 2) (Type II) trust service principles ... SOC 2 Type II is a compliance framework that ensures an organization consistently meets security, availability, and confidentiality standards through ongoing monitoring and evaluation. [Request]

    Verify on trust.superannotate.com
    ISO/IEC 27001:2022
    HELD

    ISO/IEC 27001:2022 Information security, cybersecurity and privacy protection ... ISO 27001 is a globally recognized standard for ISMS, providing a framework to systematically and securely manage sensitive information. [Download]

    Verify on trust.superannotate.com
    GDPR
    HELD

    GDPR: Protect the personal data and privacy of EU citizens for transaction that occur within EU member states

    Verify on trust.superannotate.com
    CCPA
    HELD

    CCPA: California Consumer Privacy Act, is legislation designed to improve the data privacy of California residents

    Verify on trust.superannotate.com
    > Show 7 unconfirmed / not-held certifications
    HIPAA
    NOT CONFIRMED

    No public evidence of a formal HIPAA program (no BAA offering, no HIPAA line item on the trust center's own Compliance list, which only names SOC 2, ISO 27001, GDPR, CCPA). The only vendor-domain HIPAA reference found is the ambiguous line 'Our authentication system is HIPAA eligible and PCI DSS, SOC, and ISO/IEC 27001, ISO/IEC 27017, ISO/IEC 27018, and ISO 9001 compliant' on the security page, which reads as boilerplate describing a third-party identity/auth subsystem rather than a SuperAnnotate corporate certification. The homepage also markets 'GDPR, CCPA & HIPAA' together as a compliance-help claim, but this is not backed by the trust center.

    source: trust.superannotate.com
    PCI DSS
    NOT CONFIRMED

    Only appears inside the same ambiguous auth-system sentence ('Our authentication system is HIPAA eligible and PCI DSS, SOC, and ISO/IEC 27001... compliant') on the security page; not listed on the trust center's Compliance section and not attributable to SuperAnnotate itself with confidence.

    source: superannotate.com
    ISO/IEC 27017
    NOT CONFIRMED

    Only appears inside the same ambiguous auth-system sentence; not listed on the trust center's Compliance section.

    source: superannotate.com
    ISO/IEC 27018
    NOT CONFIRMED

    Only appears inside the same ambiguous auth-system sentence; not listed on the trust center's Compliance section.

    source: superannotate.com
    ISO/IEC 42001 (AI governance)
    NOT CONFIRMED

    No public evidence found on trust.superannotate.com, superannotate.com, or via search of an ISO/IEC 42001 or other AI-management-system certification.

    source: trust.superannotate.com
    CSA STAR
    NOT CONFIRMED

    No public evidence of CSA STAR registration or certification found on the vendor's trust center or site.

    source: trust.superannotate.com
    FedRAMP
    NOT CONFIRMED

    No public evidence of FedRAMP authorization found.

    source: trust.superannotate.com

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Not offered

    Data region

    United States: privacy policy states 'The Service is hosted on servers located in the United States'; security page specifies AWS us-east-1. Enterprise VPC/on-prem data-containment options are described as being actively rolled out, not yet a general offering.

    The vendor's own security page states, in its FAQ, 'SuperAnnotate is committed to never using or sharing any dataset or model created by its customers.' This is a direct, on-domain commitment not to reuse or train on customer datasets or models. It is presented as a marketing/FAQ commitment rather than a signed contractual (DPA) clause, and no separate public DPA link or explicit annotation-level data-use statement was found. Given the product's core business is producing training data for customers' own models via a human-in-the-loop workforce that touches customer data, prospective customers with proprietary or regulated data should still confirm this commitment contractually (DPA) before onboarding.

    // Security controls

    Encryption in transit

    TLS required for all requests; TLS 1.0+ supported, 1.2+ recommended

    superannotate.com

    Encryption at rest

    Data encrypted at rest 'in accordance with industry standards'

    superannotate.com

    SSO

    Single sign-on offered

    superannotate.com

    2FA

    Two-factor authentication offered

    superannotate.com

    Access control

    Role-based access controls (RBAC); administrative access restricted; user access reviews performed

    trust.superannotate.com

    Penetration testing

    Regular third-party penetration testing; full report available on request via Account Executive

    trust.superannotate.com

    Continuous monitoring

    Trust center controls continuously monitored by Secureframe (change management, availability, confidentiality, vulnerability management, incident response, risk assessment, network/access/physical security control families listed)

    trust.superannotate.com

    Subprocessors

    Disclosed list includes AWS (hosting), Bitbucket, Jira, G Suite, Slack, HubSpot, Mixpanel, HotJar, Zendesk (list is partial, 'View all' truncated)

    trust.superannotate.com

    Additional controls

    IP whitelisting, signed URLs with expiration, backup/disaster-recovery, new-hire screening, cybersecurity insurance

    superannotate.com

    // Products & data scope

    SuperAnnotate PlatformData annotation / labeling and dataset management

    data: Customer-uploaded multimodal data (image, video, text, LLM prompts/outputs) processed for RLHF, SFT, RAG, and agent-evaluation workflows

    Core SaaS product; primary subject of the trust center certifications

    Managed Annotation / Expert Workforce ServicesHuman-in-the-loop labor (BPO-style annotation)

    data: Same customer data, plus access by SuperAntnotate-managed annotators and QA staff

    Adds a third-party-labor data-access surface beyond the software itself; not separately certified on the trust center

    SuperAnnotate Pro (AWS Marketplace)Cloud-hosted, procured via AWS Marketplace

    data: Same as core platform

    Procurement-only variant; no evidence of different security posture

    Enterprise VPC / On-Prem (in rollout)Enterprise deployment option

    data: Customer-controlled infrastructure

    Vendor states it is 'actively building' VPC and on-prem support so data never leaves customer infrastructure; not yet confirmed as generally available

    // What to watch

    • Homepage over-claim risk: the marketing homepage groups 'GDPR, CCPA & HIPAA' together under 'Enterprise-grade security and compliance,' but the vendor's own trust center (trust.superannotate.com) Compliance section lists only SOC 2, ISO 27001, GDPR, and CCPA - HIPAA is absent. Do not credit a HIPAA certification.
    • Host/subprocessor-vs-vendor conflation risk: the security page's line 'Our authentication system is HIPAA eligible and PCI DSS, SOC, and ISO/IEC 27001, ISO/IEC 27017, ISO/IEC 27018, and ISO 9001 compliant' reads as generic third-party auth-provider boilerplate (commonly used by identity providers such as Auth0), not a SuperAnnotate corporate certification. Graded held=false for PCI DSS, ISO 27017, and ISO 27018 accordingly.
    • Customer-data reuse: the vendor's security page FAQ states 'SuperAnnotate is committed to never using or sharing any dataset or model created by its customers' - a favorable on-domain no-training commitment. It is an FAQ/marketing statement, not a linked DPA clause, and no public DPA link was found. Recommend contract-level (DPA/BAA) confirmation before listing as safe for highly sensitive or regulated data.
    • No ISO/IEC 42001 (AI management system) or CSA STAR certification found, despite being an AI-focused vendor - a gap worth surfacing given some peers are pursuing AI-governance certs.
    • Enterprise VPC/on-prem deployment is explicitly described by the vendor as in progress, not yet a stable offering - avoid marketing this vendor as 'self-hostable' without qualification.

    // At a glance

    Pricing model

    Enterprise/contract pricing (demo-gated on the main site); also purchasable as SuperAnnotate Pro via AWS Marketplace

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on SuperAnnotate AI, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-05. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    trust.superannotate.com

    > Browse all vendor trust reports