// Trust & Security Report
Supermaven, Inc.
AI code-completion plugin (VS Code, JetBrains, Neovim) with an optional in-editor chat feature that proxies to third-party LLMs (e.g. GPT-4o, Claude 3.5 Sonnet); acquired by Anysphere (maker of Cursor) in Nov 2024 and the standalone product was sunset on Nov 21-30, 2025, now folded into Cursor's Tab completion.
Certifications held
0
Maturity
Startup
Trains on your data
No
Trust center
No
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
> Show 7 unconfirmed / not-held certifications
source: supermaven.comNo public evidence. No trust center, security page, or mention of SOC 2 exists on supermaven.com (home page, privacy policy, code policy, terms of service, and about page were all checked).
source: supermaven.comNo public evidence. Not referenced on any vendor-domain page checked.
source: supermaven.comNo formal GDPR compliance statement, no EU representative, no DPA offer. The Privacy Policy only offers generic data-subject rights language: "Access, correct, update, or request deletion of your personal information" and "Withdraw your consent at any time." This is a general privacy-rights posture, not a GDPR compliance claim.
source: supermaven.comNo public evidence; no BAA, healthcare-data language, or HIPAA mention found on the privacy policy, code policy, or terms of service.
source: supermaven.comNo public evidence. Not referenced anywhere on the vendor domain.
source: supermaven.comNo public evidence. Not referenced anywhere on the vendor domain.
source: supermaven.comNo public evidence; payments appear to run through a standard billing provider but no PCI statement is published.
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Not offered
Data region
Not disclosed. No data-residency or region information is published on the privacy policy, code policy, or terms of service.
The Code Policy states: "Supermaven does not use Code Data to develop its products and services." It also states: "All Code Data is subject to a 7-day retention policy. Any Code Data that is uploaded to Supermaven servers will be deleted from Supermaven's internal systems within 7 days of the time of upload." Caveat: for the Chat feature, code is forwarded to whichever third-party model the user selects: "If you use Supermaven Chat, the code you upload will be sent to a third-party model provider such as OpenAI or Anthropic based on the model you select. The handling of your data by model providers is subject to their own policies." So Supermaven itself does not train on code, but chat inputs pass through third-party model providers subject to those providers' own policies.
// Security controls
Data retention (code data)
7-day retention: code uploaded to Supermaven servers is deleted from internal systems within 7 days of upload.
supermaven.comThird-party sharing
Does not share Code Data with third parties except as required by law or necessary to provide the product; infrastructure providers (e.g. AWS) may access data, and a list of third-party infrastructure providers is available to customers on request.
supermaven.comGeneral security practices
"We strive to use commercially acceptable means to protect your personal information," with the standard caveat that no transmission or storage method is 100% secure. No further technical detail (encryption specifics, audits, pen testing) is published.
supermaven.comEncryption in transit / at rest
Not documented on any vendor page checked; no public evidence of specific encryption standards.
supermaven.com// Products & data scope
data: Code snippets sent to Supermaven servers for completion; 7-day retention, no training on code.
Free forever, fast/high-quality suggestions, works with large codebases, standard model.
data: Same code-data handling as Free, plus larger 1M-token context and access to Supermaven Chat (which forwards code to third-party model providers such as OpenAI/Anthropic when used).
$10/month, 30-day free trial, largest/most intelligent model, $5/month chat credits.
data: Same as Pro, per-seat, with centralized user management and billing.
$10/month per user; no distinct enterprise security tier, DPA, or SSO was found publicly documented.
// What to watch
- Product status: Supermaven was acquired by Anysphere (Cursor) in November 2024, and the standalone product/service was publicly sunset on Nov 21-30, 2025 per Supermaven's own blog post 'Sunsetting Supermaven' (existing customers get prorated refunds; free autocomplete continues for existing Neovim/JetBrains users; VS Code users are directed to migrate to Cursor). Despite this, supermaven.com's live homepage and pricing page (checked 2026-07-09) still display active Free/Pro/Team pricing with no sunset banner, so the public-facing marketing content is stale/contradictory relative to the company's own sunset announcement. AIFOXX should verify current signup availability before listing this as an actively purchasable tool.
- No SOC 2, ISO 27001, GDPR-specific, HIPAA, or AI-governance (ISO 42001 / CSA STAR) certifications found anywhere on the vendor domain -- this is honestly represented as held=false with 'no public evidence', consistent with a small, now-sunset startup product rather than an over-claim.
- Chat feature forwards user code to third-party model providers (OpenAI, Anthropic, etc.) chosen by the user; those providers' own data-handling policies then apply, which is a pass-through risk not fully controlled by Supermaven's own 7-day retention/no-training promise.
- No DPA, no stated data region/residency, and no SSO/enterprise security controls documented publicly -- reasonable for a free/prosumer developer tool but a gap for any buyer with GDPR or enterprise procurement requirements.
// At a glance
Pricing model
Freemium: Free tier, Pro ($10/mo individual), Team ($10/mo/user); no published Enterprise tier or custom-contract security add-ons.
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Supermaven, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-09. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
supermaven.com