Security & Privacy

Superficial is built from the ground up with privacy and security at its core.
Our Principles
We invest heavily in security because it is critical to achieving our mission. In doing so, we follow these guiding principles:
Continuous advancement of our security technologies and practices to get ahead of emerging threats.
Embedding a culture of security awareness across our organisation through regular security training which covers topics such as data privacy, information security, and password security.
Ensuring a robust compliance program to stay updated on industry regulations, standards, and best practices, enabling alignment with data protection and privacy requirements, reducing legal and reputational risks for the company.
Ensuring we have skilled security professionals across Application Security, Governance, Risk, Compliance & Privacy (GRCP), and Infrastructure Security.

Compliance And Accreditation

Superficial complies with GDPR and CCPA, and we can execute a Data Processing Agreement if you require.

Masking Confidential Data

All confidential data uploaded to Superficial or shared during a conversation with a Superficial agent is masked and is not shared with any third-party provider, including the Large Language Models (LLMs) we use.

To learn more about how we mask confidential data, request a call with our team.

Data Removal

By default, all user conversations are deleted within 24 hours. If a user elects to have a private conversation with their agent, data is deleted immediately upon completion of the conversation.

Privacy At Core

Agents are built with security and privacy as non-negotiable foundations, with a host of features built specifically to embed both into the core of what we do and how we do it.

Private Conversations

Users can select to have private conversations with their agents. During a private conversation, data is not used to customise their agent and the conversation is deleted immediately upon completion.

All user conversations are private to them by default. Organisations cannot view conversations users have with their agents.

Agent Training

Superficial agents are retrained following each conversation with their user to make them more individualised and more helpful to that user.

Users can opt out of a conversation being used in their agent’s training by selecting to have a private conversation.
Security & Privacy FAQs

Is my data shared with third parties?

We mask all uploaded and conversational confidential data. Only once masked is data shared with underlying LLMs.

Does Superficial use my data to train models?

Superficial does not share data with underlying LLMs to train their models. Conversational data is used only to further customise a user’s own agent.

Is my data encrypted?

Data is encrypted at rest (AES-256) and in transit (TLS 1.2+).

Can I request my data to be deleted?

Yes. Both users and their organisations can request that all of their data be deleted from Superficial. Users can delete any data they have uploaded themselves, while companies can delete any data they have added.

Who owns my inputs and outputs?

You retain all rights to the inputs you provide to our services and you own any output you rightfully receive from our services to the extent permitted by law. We only receive rights in input and output necessary to provide you with our services, comply with applicable law, and enforce our policies.

How do you ensure data security?

Superficial encrypts all data at rest (AES-256) and in transit (TLS 1.2+), and uses strict access controls to limit who can access data. Our security team has an on-call rotation that has 24/7/365 coverage and is paged in case of any potential security incident. We offer a Bug Bounty Program for responsible disclosure of vulnerabilities discovered on our platform and products.

Can Superficial support my compliance with GDPR and other privacy laws?

Yes, we are able to execute a Data Processing Addendum (DPA) with customers for their use of Superficial’s agents in support of their compliance with GDPR and other privacy laws.

Who can view conversations and chat history?

Within your organisation, only end users can view their own conversations. Company admins control company settings and access but cannot view any conversations other than their own.

Our own access to conversations stored on our systems is limited to already-masked, non-confidential data, and is restricted to authorised employees who require it for engineering support, investigating potential platform abuse, or legal compliance.

What sources of data are used for training your agents?

We use data from many different places including public sources, licensed third-party data, and information created by human reviewers.

Does Superficial comply with HIPAA?

Superficial is designed to adhere to the three HIPAA Rules (Privacy, Security, and Breach Notification) so that our customers can use our service in a HIPAA-compliant manner. To learn more, request a call with our team.
