Security Statement
Our Approach to Security
At Supahuman, we understand that security and data protection are foundational to the trust our clients place in us. The following outlines our approach to safeguarding your data and maintaining the integrity of our systems.
Infrastructure and Hosting
The Supahuman AI platform is hosted on Amazon Web Services (AWS) in Australia. Our infrastructure is architected for 99.9% uptime with built-in redundancy and failover capabilities.
Our platform operates on a multi-tenant architecture with logical data separation: tenants share the underlying infrastructure, and separation between them is enforced in the application and data layers rather than by dedicated hosts. This design follows ISO 27001 and the NZISM (New Zealand Information Security Manual) as guidance frameworks, with the aim of meeting enterprise data-security expectations and regional standards.
Data Protection
Encryption
All data is encrypted both in transit and at rest. We use industry-standard TLS encryption for data transmission and AES-256 encryption for stored data. This applies to customer content, configuration data, and any information processed through our platform.
Access Controls
We implement granular access controls and maintain comprehensive audit logging. Authentication is handled through the customer's own identity provider via SSO integration, so multi-factor authentication is enforced by that provider's policy. Detailed permission settings then allow organisations to control exactly who can access what within the platform.
Data Handling
Your data remains yours. We implement strict data-handling protocols that ensure your information is processed securely within your designated environment. We do not share customer data with third parties without explicit authorisation, and we comply with the Privacy Act requirements in both New Zealand and Australia.
AI-Specific Security Measures
Given the nature of our AI-powered services, we have implemented additional safeguards specific to generative AI systems.
Model Training and Data Usage
Customer data is not used for model training unless explicitly agreed and documented in writing. Where fine-tuning is part of a client engagement, we maintain strict controls over what data is used and how, with clear audit trails throughout the process.
Transparency and Traceability
Our Trust Center feature provides visibility into AI decision-making. Users can see which AI agents and tools contributed to a response, which data sources were accessed, and the reasoning trace the AI followed to reach its conclusions. This transparency is configurable by administrators to balance clarity with security requirements.
Compliance Moderation
Administrators can define compliance rule sets that AI outputs are checked against before delivery. This allows organisations in regulated environments to maintain their compliance standards while benefiting from AI automation.
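The following is an added example, not Supahuman's code, of what a pre-delivery check of this kind looks like in practice. It assumes an administrator-defined rule set expressed as a list of rules, each with a name, a regular expression and an action ("block" withholds the whole response, "redact" masks the match); the rule names, patterns and sample outputs are constructed for illustration, and the Luhn validator on the card rule is there to show how a rule can carry extra validation so that ordinary long numbers are not over-redacted. Every rule that fires is recorded, which is what makes the check auditable.

```python
"""Pre-delivery compliance check for generative-AI output.

Added example (not Supahuman's code). Assumes an administrator-defined
rule set as a list of dicts with "name", "pattern", "action" and an
optional "validator"; rules and sample text below are constructed.
"""
import re
from dataclasses import dataclass, field


@dataclass
class Finding:
    rule: str      # which rule fired
    action: str    # "block" or "redact"
    matched: str   # the text that triggered it (kept for the audit trail)


@dataclass
class Decision:
    allowed: bool                 # False means the response is withheld
    text: str                     # text to deliver, redactions applied; "" if blocked
    findings: list = field(default_factory=list)  # audit record of every rule that fired


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so only plausible card numbers are redacted."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# Constructed rule set. In a real deployment this is loaded from
# administrator configuration rather than hard-coded.
RULES = [
    {"name": "internal-marker", "action": "block",
     "pattern": r"\b(?:INTERNAL ONLY|DO NOT DISTRIBUTE)\b"},
    {"name": "email", "action": "redact",
     "pattern": r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"},
    {"name": "card-number", "action": "redact",
     # 13 to 19 digits, optional single space or hyphen between digits
     "pattern": r"\b\d(?:[ -]?\d){12,18}\b",
     "validator": lambda s: luhn_ok(re.sub(r"[ -]", "", s))},
]


def check_output(text: str, rules=RULES) -> Decision:
    """Evaluate an AI response against the rule set before delivery."""
    findings = []
    for rule in rules:
        regex = re.compile(rule["pattern"], re.IGNORECASE)
        validator = rule.get("validator", lambda _s: True)
        for m in regex.finditer(text):
            if validator(m.group(0)):
                findings.append(Finding(rule["name"], rule["action"], m.group(0)))

    # A single "block" finding wins: the whole response is withheld.
    if any(f.action == "block" for f in findings):
        return Decision(False, "", findings)

    # Otherwise apply each "redact" rule to produce the deliverable text.
    delivered = text
    for rule in rules:
        if rule["action"] != "redact":
            continue
        regex = re.compile(rule["pattern"], re.IGNORECASE)
        validator = rule.get("validator", lambda _s: True)

        def _mask(m, name=rule["name"], ok=validator):
            return f"[redacted {name}]" if ok(m.group(0)) else m.group(0)

        delivered = regex.sub(_mask, delivered)
    return Decision(True, delivered, findings)


if __name__ == "__main__":
    # Constructed sample responses.
    for sample in ("Contact jane@example.com with card 4111 1111 1111 1111.",
                   "Draft (INTERNAL ONLY): pricing guidance",
                   "Order 1234567890123 shipped"):
        d = check_output(sample)
        print(d.allowed, repr(d.text), [f.rule for f in d.findings])
```

The ordering is deliberate: blocking rules are evaluated over the original text so a marker cannot be hidden by an earlier redaction, and the findings list is returned even when delivery is refused so that the event can be logged.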
Security Incident Response
We maintain a documented Security Breach Notifications Policy that outlines our procedures for responding to any security incident. Our approach covers detection, assessment, containment, notification, and remediation.
Key Elements
Detection and Assessment: Upon detection of a potential security breach, our incident response team assesses the severity, impact, and scope.
Containment: Immediate steps are taken to contain and limit any breach to prevent further unauthorised access or damage.
Notification: We notify affected parties without undue delay, in accordance with legal and regulatory requirements. For incidents involving customer data, notification includes the nature of the breach, data types involved, potential impact, and measures taken.
Review and Improvement: After managing any breach, we conduct a review to evaluate response effectiveness and identify improvements to security practices.
Regulatory Compliance
Our security practices are designed to support compliance with relevant privacy and data protection regulations in our operating regions.
Regulation and how it applies:
NZ Privacy Act 2020: Data handling, consent, cross-border transfers, breach notification
AU Privacy Act 1988: Australian Privacy Principles, security of personal information
ISO 27001 (guidance): Information security management system framework
NZISM (guidance): NZ government security standards and best practices
Ongoing Commitment
Security is not a one-time achievement but an ongoing commitment. We regularly review and update our security practices, conduct penetration testing, and maintain continuous monitoring of our systems. Our security policies are reviewed annually and updated as necessary to reflect changes in legal, regulatory, or operational requirements.
We also invest in our team, ensuring all employees, contractors, and third-party service providers who have access to our information systems understand and comply with our security requirements.
Available Documentation
The following documentation is available on request to support your due diligence and procurement processes:
Insurance Certificates: Current certificates of currency for professional indemnity, public liability, and cyber liability insurance.
Penetration Testing: Certificates and reports from independent penetration testing conducted on our platform.
Security Policies: Copies of our information security policies, data handling procedures, and incident response documentation.
Security Risk Assessment: A granular Security Risk Assessment that validates detailed controls across our infrastructure, application security, and operational practices.
These documents are provided under NDA where appropriate. Please contact us to request access.
Questions and Further Information
We welcome questions about our security practices. For further information or to discuss specific security requirements for your organisation, please contact us:
Email: security@supahuman.ai
