SuperDoc is SOC 2 Type II certified. Independent auditors verify security, privacy, and compliance controls. Drata monitors 100+ controls continuously for security and GDPR compliance. SuperDoc Editor (JS library) is fully open source and self-hosted. Your documents stay on your infrastructure. The SuperDoc team has zero access to your content. SuperDoc APIs are SOC 2 certified with no persistent document storage (data in, data out).

SOC 2 Certified

Full SOC 2 Type II compliance and reporting

Open Source

Transparent and open code

Continuous monitoring

Full monitoring and alerts

SOC 2 report

An independent auditor maintains the SOC 2 report, certifying controls that protect your data. The report follows Trust Services Criteria from the AICPA’s Assurance Services Executive Committee (ASEC). It evaluates the design and effectiveness of controls for security, availability, processing integrity, confidentiality, and privacy.

Continuous control monitoring

Drata’s automation platform monitors 100+ security and privacy controls continuously, including GDPR compliance. Automated alerts and evidence collection verify compliance posture on any given day.

Team access & trainings

All employees use 2-factor authentication, have role-based access restrictions, and sign a Non-Disclosure and Confidentiality Agreement. The team completes annual security training.

Penetration tests

SuperDoc works with industry-leading security firms to perform annual network and application layer penetration tests.

Secure software development

Manual and automated security checks run throughout the software development lifecycle.

Data encryption

Data is encrypted both in transit using Transport Layer Security (TLS) and at rest with AES-256.

Infrastructure

All infrastructure runs on Google Cloud Platform (GCP). No physical servers, routers, or load balancers. Production data storage uses Google Spanner and Google Cloud Storage. GCP provides built-in security, compliance, and auditing.

Multi-region data storage and automated backups

Cloud data is multi-region within the United States. Automatic backups replicate across multiple US data center locations.

Compliance, audit logs, and monitoring

Third-party monitoring software detects potential attacks and anomalous network behavior. Every user action is logged and fully auditable. GCP systems are regularly audited for ongoing security and compliance (e.g., SOC 2).

Terms of service and privacy policy

See the Terms of Service and Privacy Policy.

Vulnerability disclosure program

Found a security bug? Report it at security@superdoc.dev. The security team investigates all reported issues promptly.