# Super Carl Trust Center

Super Carl's trust center summarizes security posture, controls, subprocessors, and requestable evidence documents.

## Status

| Area | Status |
| --- | --- |
| CASA / TAC Security Assessment | Certified for the assessed scope |
| Encryption at Rest | Implemented |
| Transport Security | Implemented |
| Security Contact | security@supercarl.ai |
| Private Document Access | Request access or use an approved unlock key |

## Security Contact

- Super Carl home: https://supercarl.ai/
- Report a security issue: security@supercarl.ai
- Contact support: https://supercarl.ai/support

## Public Legal Links

- Privacy Policy: https://supercarl.ai/privacy
- Terms of Service: https://supercarl.ai/terms
- AI Processors: https://supercarl.ai/ai-processors

## Requestable Documents

The following documents are available by requesting access:

- CASA / TAC SAQ Assessment Summary
- Data Breach Incident Response Policy
- Security Incident Response Policy
- Data Processing Addendum
- Web Application Security Testing Report
- Infrastructure Architecture and Data Flow
- Access Control Policy
- Information Security Policy
- Secure Development Policy
- Business Continuity and Disaster Recovery Plan
- Third-Party Management Policy
- Risk Management Policy
- Data Retention and Deletion Policy

Private documents are published as encrypted JSON packages for approved unlock-key access. Plaintext private documents are not included in the public static bundle.

## Controls

- Access Control: backend services enforce user, admin, and API access.
- Authentication and Sessions: OAuth, passwordless flows, and short-lived codes.
- Data Protection: TLS, encryption, redaction, and scoped access.
- Uploaded and Fetched Media: images are treated as untrusted input.
- Secure Development: code review, CI, and deployments are source-controlled.
- AI Data Use: AI supports product workflows; customer data is not used to train foundation models.
- Third-Party Risk: subprocessors are tracked by purpose, data category, and location.
- Incident Response: incidents are triaged, contained, investigated, communicated, and reviewed.
- Availability and Recovery: managed AWS infrastructure supports recovery practices.
- Privacy and Data Rights: public notices describe privacy, terms, and AI processor practices.
- Cloud Security: resources are separated by environment and deployment path.
- Trust Updates: customers can subscribe to updates and request private evidence.

## Subprocessors

| Provider | Purpose | Location |
| --- | --- | --- |
| Amazon Web Services | Cloud infrastructure hosting | United States |
| Google / Firebase | Authentication, integrations, push notifications, and workspace APIs | United States / global |
| OpenAI | AI model provider | United States |
| Twilio SendGrid | Transactional email delivery | United States |
| Twilio | SMS delivery and phone verification | United States |
| Stripe | Payments and subscription management | United States |
| Apple | Sign in with Apple and in-app purchase services | United States / global |
| LinkedIn | User-authorized social and professional graph integrations | United States / global |
| X | User-authorized social integration | United States / global |
| Coresignal | Professional profile and company data enrichment | United States / European Union |
| Hunter | Business contact enrichment | United States / European Union |
| MaxMind | IP-based location inference | United States |
