// Trust & Security Report

    Supermaven, Inc. logo

    Supermaven, Inc.

    AI code-completion plugin (VS Code, JetBrains, Neovim) with an optional in-editor chat feature that proxies to third-party LLMs (e.g. GPT-4o, Claude 3.5 Sonnet); acquired by Anysphere (maker of Cursor) in Nov 2024 and the standalone product was sunset on Nov 21-30, 2025, now folded into Cursor's Tab completion.

    Certifications held

    0

    Maturity

    Startup

    Trains on your data

    No

    Trust center

    No

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    > Show 7 unconfirmed / not-held certifications
    SOC 2 (Type 1/2)
    NOT CONFIRMED

    No public evidence. No trust center, security page, or mention of SOC 2 exists on supermaven.com (home page, privacy policy, code policy, terms of service, and about page were all checked).

    source: supermaven.com
    ISO 27001
    NOT CONFIRMED

    No public evidence. Not referenced on any vendor-domain page checked.

    source: supermaven.com
    GDPR
    NOT CONFIRMED

    No formal GDPR compliance statement, no EU representative, no DPA offer. The Privacy Policy only offers generic data-subject rights language: "Access, correct, update, or request deletion of your personal information" and "Withdraw your consent at any time." This is a general privacy-rights posture, not a GDPR compliance claim.

    source: supermaven.com
    HIPAA
    NOT CONFIRMED

    No public evidence; no BAA, healthcare-data language, or HIPAA mention found on the privacy policy, code policy, or terms of service.

    source: supermaven.com
    ISO/IEC 42001 (AI management system)
    NOT CONFIRMED

    No public evidence. Not referenced anywhere on the vendor domain.

    source: supermaven.com
    CSA STAR
    NOT CONFIRMED

    No public evidence. Not referenced anywhere on the vendor domain.

    source: supermaven.com
    PCI DSS
    NOT CONFIRMED

    No public evidence; payments appear to run through a standard billing provider but no PCI statement is published.

    source: supermaven.com

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Not offered

    Data region

    Not disclosed. No data-residency or region information is published on the privacy policy, code policy, or terms of service.

    The Code Policy states: "Supermaven does not use Code Data to develop its products and services." It also states: "All Code Data is subject to a 7-day retention policy. Any Code Data that is uploaded to Supermaven servers will be deleted from Supermaven's internal systems within 7 days of the time of upload." Caveat: for the Chat feature, code is forwarded to whichever third-party model the user selects: "If you use Supermaven Chat, the code you upload will be sent to a third-party model provider such as OpenAI or Anthropic based on the model you select. The handling of your data by model providers is subject to their own policies." So Supermaven itself does not train on code, but chat inputs pass through third-party model providers subject to those providers' own policies.

    // Security controls

    Data retention (code data)

    7-day retention: code uploaded to Supermaven servers is deleted from internal systems within 7 days of upload.

    supermaven.com

    Third-party sharing

    Does not share Code Data with third parties except as required by law or necessary to provide the product; infrastructure providers (e.g. AWS) may access data, and a list of third-party infrastructure providers is available to customers on request.

    supermaven.com

    General security practices

    "We strive to use commercially acceptable means to protect your personal information," with the standard caveat that no transmission or storage method is 100% secure. No further technical detail (encryption specifics, audits, pen testing) is published.

    supermaven.com

    Encryption in transit / at rest

    Not documented on any vendor page checked; no public evidence of specific encryption standards.

    supermaven.com

    // Products & data scope

    Free TierAI code completion (individual)

    data: Code snippets sent to Supermaven servers for completion; 7-day retention, no training on code.

    Free forever, fast/high-quality suggestions, works with large codebases, standard model.

    ProAI code completion + chat (individual, paid)

    data: Same code-data handling as Free, plus larger 1M-token context and access to Supermaven Chat (which forwards code to third-party model providers such as OpenAI/Anthropic when used).

    $10/month, 30-day free trial, largest/most intelligent model, $5/month chat credits.

    TeamAI code completion + chat (organization, paid)

    data: Same as Pro, per-seat, with centralized user management and billing.

    $10/month per user; no distinct enterprise security tier, DPA, or SSO was found publicly documented.

    // What to watch

    • Product status: Supermaven was acquired by Anysphere (Cursor) in November 2024, and the standalone product/service was publicly sunset on Nov 21-30, 2025 per Supermaven's own blog post 'Sunsetting Supermaven' (existing customers get prorated refunds; free autocomplete continues for existing Neovim/JetBrains users; VS Code users are directed to migrate to Cursor). Despite this, supermaven.com's live homepage and pricing page (checked 2026-07-09) still display active Free/Pro/Team pricing with no sunset banner, so the public-facing marketing content is stale/contradictory relative to the company's own sunset announcement. AIFOXX should verify current signup availability before listing this as an actively purchasable tool.
    • No SOC 2, ISO 27001, GDPR-specific, HIPAA, or AI-governance (ISO 42001 / CSA STAR) certifications found anywhere on the vendor domain -- this is honestly represented as held=false with 'no public evidence', consistent with a small, now-sunset startup product rather than an over-claim.
    • Chat feature forwards user code to third-party model providers (OpenAI, Anthropic, etc.) chosen by the user; those providers' own data-handling policies then apply, which is a pass-through risk not fully controlled by Supermaven's own 7-day retention/no-training promise.
    • No DPA, no stated data region/residency, and no SSO/enterprise security controls documented publicly -- reasonable for a free/prosumer developer tool but a gap for any buyer with GDPR or enterprise procurement requirements.

    // At a glance

    Pricing model

    Freemium: Free tier, Pro ($10/mo individual), Team ($10/mo/user); no published Enterprise tier or custom-contract security add-ons.

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Supermaven, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-09. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    supermaven.com

    > Browse all vendor trust reports