Available on request — reach out and we'll share the right documents for your review process.
Annual audit · report on request
Regular third-party tests · summary available
EU data handling & residency controls
Encryption at rest via AWS KMS — your keys, your control
Encryption in transit on all connections
No query results persisted in Supper-managed storage by default
Enterprise customers can bring their own S3 bucket — all outputs written to your environment
IAM roles for all internal service-to-service access
Least-privilege access enforced across the stack
Read-only connection to your warehouse — Supper never writes to your data
All Supper employees covered under DPAs
The features below are available on Enterprise plans. They're designed for organizations with strict compliance requirements, sensitive data environments, or specific infrastructure policies that standard cloud software can't accommodate.
Supper's query engine includes field-level controls (FLC) that prevent sensitive information from ever leaving your environment — enforced at SQL runtime, before a result is returned. You define which fields are sensitive. Supper handles the rest.
Maintain a column-level list of sensitive fields — PII, PHI, or anything your compliance team flags — and choose how each is handled when a query touches it.
Sensitive fields are one-way hashed at SQL runtime. The raw value never reaches Supper — or anyone else. Use this for PII you never need to recover.
Fields are encrypted with a customer-owned key at SQL runtime. You can decrypt when needed. Use this for PHI or data where future access may be required.
All SQL queries are retained. Every field access and encryption event has a full audit trail.
Define sensitive fields in your column-level list
Set obfuscation type per field: permanent or reversible
Supper applies controls at SQL runtime - before results leave your environment
Full audit trail retained for every field access
Supper follows cloud IAM best practices for user entitlements. Every permission is defined at the level that makes sense — schema, table, or column — with cascading rules that let you set broad access with precise exceptions.
Permissions are enforced at query time, not just at the UI level. If a user can't see a field, no query run on their behalf will return it — ever.
Base entitlements set using roles — define once, apply to groups of users
Schema-level permissions: Grant or deny access to entire schemas in one rule
Table-level permissions: Fine-grained control over which tables each user or role can query
Column-level permissions: Restrict individual fields — salary, SSN, health data — by user or role
Cascading allow/deny: "Allow all from schema X, except table Y and field Z" — no workarounds needed
Atomic overrides: Most granular rule takes precedence over inherited permissions
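The cascading allow/deny and atomic-override rules above can be modeled as a most-specific-match resolver. This is an added illustration, not Supper's code: the `Rule` shape, the function names, the default-deny fallback and the deny-wins tie-break are all assumptions, and the column references are taken as already extracted from the SQL.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    role: str
    effect: str                    # "allow" or "deny"
    schema: str
    table: Optional[str] = None    # None = every table in the schema
    column: Optional[str] = None   # None = every column in the table

    def __post_init__(self):
        if self.effect not in ("allow", "deny"):
            raise ValueError(f"unknown effect: {self.effect}")
        if self.column is not None and self.table is None:
            raise ValueError("a column rule must name its table")

    def specificity(self) -> int:
        # 1 = schema rule, 2 = table rule, 3 = column rule
        return 1 + (self.table is not None) + (self.column is not None)

    def matches(self, role, schema, table, column) -> bool:
        return (self.role == role and self.schema == schema
                and self.table in (None, table)
                and self.column in (None, column))

def decide(rules, role, schema, table, column) -> str:
    hits = [r for r in rules if r.matches(role, schema, table, column)]
    if not hits:
        return "deny"              # assumption: no matching rule means no access
    top = max(r.specificity() for r in hits)
    effects = {r.effect for r in hits if r.specificity() == top}
    # assumption: on a tie at the same level, deny wins
    return "deny" if "deny" in effects else "allow"

def blocked_columns(rules, role, referenced):
    """Columns a query references that the role may not read.
    The query should run only if this list is empty."""
    return [ref for ref in referenced if decide(rules, role, *ref) != "allow"]

# Constructed sample policy: allow schema hr, except table payroll and field ssn
RULES = [
    Rule("analyst", "allow", "hr"),
    Rule("analyst", "deny", "hr", "payroll"),
    Rule("analyst", "deny", "hr", "employees", "ssn"),
    Rule("analyst", "allow", "hr", "payroll", "pay_period"),  # atomic override
]
```

Checking every referenced column before execution, rather than filtering what a UI displays, is what keeps a denied field out of any result set.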
For organizations that can't send data or model inference outside their own environment. Supper's BYO capabilities let you keep everything in-house while running the full platform.
Provide your own API keys for OpenAI (GPT) or Anthropic (Claude) instead of Supper-managed model access. Model usage aligns with your internal procurement, security, and compliance policies — while Supper's orchestration layer, semantic modeling, and tool pipelines remain unchanged.
Organizations with strict vendor requirements can run all inference through a single provider. Supper routes different workloads to the model best suited for each task — SQL generation, natural language reasoning, business logic summarization — but BYO LLM lets you control or override that routing.
Supports OpenAI (GPT) and Anthropic (Claude)
Override model routing per workload type
Aligns with internal procurement and compliance policies
Full platform functionality preserved — only model endpoints change
We recommend enabling access to both GPT and Claude families to preserve routing flexibility and optimal performance across all workloads.
All query results and data outputs are written directly to a customer-owned AWS S3 bucket instead of Supper-managed storage. Your data never rests in a third-party environment — it stays within your AWS account and VPC.
Access is governed through customer-managed IAM policies, giving your security team full control over permissions, auditing, and data lifecycle. All Supper data sources — SaaS connectors, live warehouse queries, and agent outputs — route to the designated bucket.
All outputs written to your S3 bucket — nothing persists in Supper storage
Provisioned in your AWS account and VPC
IAM policy control owned entirely by your security team
Meets strict data residency and compliance requirements