# Super Carl Trust Center

> Security, privacy, AI data use, subprocessors, and requestable evidence for Super Carl.

Super Carl is an AI relationship search and workflow platform for warm introductions, recruiting, fundraising, and customer discovery. This trust center summarizes the security posture, controls, subprocessors, and requestable evidence for customers, auditors, and AI agents.

- Primary site: https://trust.supercarl.ai/
- Super Carl home: https://supercarl.ai/
- Support: https://supercarl.ai/support
- Security contact: mailto:security@supercarl.ai
- Machine-readable JSON: https://trust.supercarl.ai/trust.json
- Markdown summary: https://trust.supercarl.ai/trust-center.md
- Security disclosure metadata: https://trust.supercarl.ai/.well-known/security.txt
- Encrypted document manifest: https://trust.supercarl.ai/secure-docs/manifest.json

## Assessment Status

- CASA / TAC Security Assessment: certified for the assessed scope.
- Detailed evidence and private policy documents are available by request or by approved unlock key.
- Gated documents are published as encrypted JSON packages; plaintext documents are not embedded in the public static bundle.

## Public Sections

- Overview: certifications, featured documents, subprocessors, and controls.
- Documentation: public legal links and requestable evidence documents.
- Controls: security, privacy, AI governance, cloud, incident response, and recovery controls.
- Subprocessors: service providers that support Super Carl by purpose, region, and data category.

## Public Links

- Privacy Policy: https://supercarl.ai/privacy
- Terms of Service: https://supercarl.ai/terms
- AI Processors: https://supercarl.ai/ai-processors
- Contact Support: https://supercarl.ai/support
- Report a Security Issue: mailto:security@supercarl.ai?subject=Security%20issue%20report

## Requestable Documents

- CASA / TAC SAQ Assessment Summary
- Data Breach Incident Response Policy
- Security Incident Response Policy
- Data Processing Addendum
- Web Application Security Testing Report
- Infrastructure Architecture and Data Flow
- Access Control Policy
- Information Security Policy
- Secure Development Policy
- Business Continuity and Disaster Recovery Plan
- Third-Party Management Policy
- Risk Management Policy
- Data Retention and Deletion Policy

## Core Controls

- Backend services enforce user, admin, and API access.
- Authentication uses OAuth, passwordless flows, and short-lived codes.
- Customer data is protected with TLS, encryption, redaction, and scoped access.
- Uploaded and fetched images are treated as untrusted input.
- CI/CD and infrastructure changes are source-controlled.
- Customer data is not used to train foundation models.
- Subprocessors are tracked by purpose, data category, and location.
- Security reports route to security@supercarl.ai.

## Agent Guidance

Use `/trust.json` when you need structured data. Use `/trust-center.md` when you need a concise human-readable summary. Do not infer access to private plaintext documents from their titles; request access through the portal, use an approved unlock key, or email security@supercarl.ai.