Data Processing Addendum
Effective Date: March 25, 2026 · Version 1.0
Incorporating EU Standard Contractual Clauses (2021/914/EU) and UK Addendum
This Data Processing Addendum (“DPA”) forms part of, and is incorporated into, the SuperOrgs Terms of Service or other written agreement between SuperOrgs, Inc. (“SuperOrgs” or “Processor”) and the Customer identified in that agreement (“Controller” or “Customer”) (together, the “Principal Agreement”). This DPA applies wherever SuperOrgs processes Personal Data on behalf of Customer in the course of providing the Services.
By entering into the Principal Agreement, or by clicking to accept this DPA where that option is made available, Customer enters into this DPA on behalf of itself and, to the extent required under applicable Data Protection Laws, on behalf of its Affiliates. All terms not defined in this DPA have the meanings given to them in the Principal Agreement or in applicable Data Protection Laws.
1. Definitions
For the purposes of this DPA, the following definitions apply:
- “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with a party, where “control” means ownership of more than 50% of the voting interests of the entity.
- “Controller” means the entity that determines the purposes and means of the processing of Personal Data. In the context of this DPA, Customer is the Controller.
- “Customer Data” has the meaning given in the Principal Agreement, and includes all Personal Data processed by SuperOrgs on behalf of Customer under this DPA.
- “Data Protection Laws” means all applicable laws and regulations relating to the processing, privacy, and use of Personal Data, including but not limited to: the EU General Data Protection Regulation (2016/679) (“GDPR”); the UK GDPR and Data Protection Act 2018; the Swiss Federal Act on Data Protection (revised nFADP); the California Consumer Privacy Act as amended by the California Privacy Rights Act (“CCPA/CPRA”); and any other applicable national or state data protection or privacy laws.
- “Data Subject” means an identified or identifiable natural person to whom Personal Data relates.
- “EEA” means the European Economic Area, comprising the member states of the European Union together with Norway, Iceland, and Liechtenstein.
- “Personal Data” means any information relating to an identified or identifiable natural person processed by SuperOrgs on behalf of Customer in connection with the Services.
- “Personal Data Breach” means a confirmed breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed by SuperOrgs.
- “Processing” (and its cognates “process” and “processed”) means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, transmission, dissemination, alignment, combination, restriction, erasure, or destruction.
- “Processor” means the entity that processes Personal Data on behalf of the Controller. In the context of this DPA, SuperOrgs is the Processor.
- “Restricted Transfer” means a transfer of Personal Data from the EEA, UK, or Switzerland to a country or territory that has not been designated as providing an adequate level of protection under applicable Data Protection Laws.
- “SCCs” means the Standard Contractual Clauses for the transfer of personal data to third countries adopted by the European Commission under Decision 2021/914/EU, as may be amended or replaced from time to time.
- “Services” has the meaning given in the Principal Agreement, and refers to the SuperOrgs Agent Workforce Transformation Platform and associated features.
- “Subprocessor” means any third-party processor engaged by SuperOrgs to process Personal Data on behalf of Customer.
- “UK Addendum” means the International Data Transfer Addendum to the EU SCCs issued by the UK Information Commissioner's Office under S119A(1) of the Data Protection Act 2018.
2. Scope and Roles
2.1 Scope of this DPA
This DPA applies to the processing of Personal Data by SuperOrgs on behalf of Customer in connection with the Services. It does not apply to processing of Personal Data for SuperOrgs' own purposes as a Controller, which is governed by the SuperOrgs Privacy Policy.
2.2 Roles of the Parties
The parties acknowledge and agree that:
- Customer is the Controller of Personal Data processed through the Services.
- SuperOrgs is the Processor acting on behalf of Customer with respect to such Personal Data.
- Where Customer itself acts as a processor on behalf of its own customers or a third-party controller, Customer warrants that it has authority to appoint SuperOrgs as a sub-processor and that its instructions to SuperOrgs are consistent with its own obligations under applicable Data Protection Laws.
2.3 Customer's Compliance Obligations
Customer remains responsible for its own compliance with applicable Data Protection Laws, including:
- Ensuring it has a lawful basis for processing Personal Data through the Services.
- Providing adequate privacy notices to Data Subjects whose Personal Data is processed through the Services.
- Obtaining any required consents from Data Subjects for the processing activities described in Schedule 1.
- Ensuring that its instructions to SuperOrgs comply with applicable Data Protection Laws.
3. Processing Instructions
3.1 Instructions
SuperOrgs will process Personal Data only on documented instructions from Customer, including as set out in this DPA, the Principal Agreement, and any written instructions provided by Customer during the term of the Principal Agreement. The processing activities described in Schedule 1 to this DPA constitute Customer's primary documented instructions.
3.2 Conflicts with Law
If SuperOrgs is required by applicable law to process Personal Data in a manner inconsistent with Customer's instructions, SuperOrgs will notify Customer before such processing unless prohibited by law from doing so. SuperOrgs will not process Personal Data beyond Customer's instructions except where required by applicable law.
3.3 Notification of Unlawful Instructions
SuperOrgs will promptly inform Customer if, in SuperOrgs' reasonable opinion, an instruction from Customer infringes applicable Data Protection Laws. SuperOrgs is not required to follow instructions that are unlawful but will await further lawful instructions from Customer.
4. Confidentiality of Personal Data
SuperOrgs will ensure that all personnel authorized to process Personal Data under this DPA are subject to binding confidentiality obligations with respect to such Personal Data, whether through contractual, statutory, or professional obligations, and that they process Personal Data only as required to perform the Services or as otherwise instructed by Customer.
SuperOrgs will limit access to Personal Data to those personnel who have a legitimate need to access such data for the purposes of providing the Services.
5. Security of Processing
5.1 Technical and Organizational Measures
SuperOrgs will implement and maintain appropriate technical and organizational measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, taking into account the nature, scope, context, and purposes of processing and the risks to Data Subjects. The technical and organizational measures applicable to the Services are set out in Schedule 2 to this DPA.
5.2 Security Updates
SuperOrgs may update or modify the security measures described in Schedule 2 from time to time, provided that such updates do not materially diminish the overall level of security protection afforded to Personal Data. SuperOrgs will notify Customer of any material reduction in security measures.
5.3 Customer Security Responsibilities
Customer is responsible for independently assessing the appropriateness of SuperOrgs' security measures for Customer's specific use case and risk profile, and for implementing appropriate security measures on Customer's own systems, including securing account credentials and controlling access by Authorized Users.
6. Subprocessors
6.1 Authorization to Use Subprocessors
Customer provides a general authorization for SuperOrgs to engage Subprocessors to assist in the provision of the Services, subject to the requirements of this Section 6. SuperOrgs' current list of Subprocessors is set out in Schedule 3 to this DPA.
6.2 Subprocessor Obligations
SuperOrgs will:
- Enter into a written agreement with each Subprocessor that imposes data protection obligations no less protective than those imposed on SuperOrgs under this DPA.
- Remain liable to Customer for the performance of each Subprocessor's obligations under such agreement to the extent that SuperOrgs would be liable if it performed those obligations directly.
- Ensure Subprocessors process Personal Data only for the purposes of providing the services for which they are engaged.
6.3 Changes to Subprocessors
SuperOrgs will provide Customer with at least 30 days' prior written notice of any addition or replacement of a Subprocessor. Such notice will be provided by email to the address associated with Customer's account or by updating the Subprocessor list on SuperOrgs' website. Customer may object to a new or replacement Subprocessor by notifying SuperOrgs in writing within 14 days of receiving such notice, setting out the reasonable grounds for the objection. The parties will work in good faith to resolve the objection. If the parties cannot resolve the objection within 30 days, Customer may terminate the affected Services upon written notice to SuperOrgs.
7. Data Subject Rights
7.1 Assistance with Data Subject Requests
Taking into account the nature of the processing, SuperOrgs will provide Customer with reasonable assistance to enable Customer to fulfill its obligations to respond to requests from Data Subjects exercising their rights under applicable Data Protection Laws, including rights of access, rectification, erasure, restriction, portability, and objection.
7.2 Requests Received Directly
Where SuperOrgs receives a Data Subject request directly that relates to Personal Data processed on behalf of Customer, SuperOrgs will promptly forward the request to Customer and will not respond to the Data Subject directly except to confirm receipt, unless directed to do so by Customer or required by law.
7.3 Timing of Assistance
SuperOrgs will respond to reasonable requests for assistance under this Section within a reasonable timeframe, taking into account the complexity of the request and the applicable statutory deadlines.
8. Personal Data Breach Notification
8.1 Notification Obligation
SuperOrgs will notify Customer without undue delay, and in any event within 72 hours of becoming aware of a confirmed Personal Data Breach affecting Customer's Personal Data. Such notification will be made to the email address associated with Customer's account and will include, to the extent then known:
- A description of the nature of the Personal Data Breach, including the categories and approximate number of Data Subjects and records affected.
- The name and contact details of SuperOrgs' data protection point of contact.
- A description of the likely consequences of the Personal Data Breach.
- A description of the measures taken or proposed to address the Personal Data Breach, including measures to mitigate its possible adverse effects.
8.2 Staged Notification
Where all required information is not available within 72 hours, SuperOrgs will provide initial notification with the information available and supplement that notification as additional information becomes available.
8.3 Customer's Notification Obligations
Customer remains responsible for determining whether notification to Data Subjects or supervisory authorities is required and for making any such notifications in compliance with applicable Data Protection Laws. SuperOrgs will cooperate with and assist Customer in making required notifications.
8.4 No Admission
Notification of a Personal Data Breach by SuperOrgs does not constitute an admission of fault or liability on the part of SuperOrgs.
9. Data Protection Impact Assessments and Prior Consultation
To the extent required by applicable Data Protection Laws, SuperOrgs will provide reasonable cooperation and assistance to Customer in relation to:
- Data protection impact assessments (DPIAs) conducted by Customer in connection with the processing of Personal Data through the Services, taking into account the nature of processing and information available to SuperOrgs.
- Prior consultations with supervisory authorities arising from DPIAs where required under Article 36 of the GDPR or equivalent provisions of applicable law.
SuperOrgs' obligation to assist is limited to information within its possession or control and to the extent it is technically and operationally reasonable for SuperOrgs to provide such assistance.
10. Audits and Inspections
10.1 Audit Rights
Upon Customer's written request (no more than once per calendar year unless there are reasonable grounds to suspect a breach of this DPA), SuperOrgs will provide Customer with all information reasonably necessary to demonstrate compliance with the obligations of this DPA. SuperOrgs will make available to Customer and Customer's authorized representatives the information, assistance, and access required for Customer to conduct an audit or inspection of SuperOrgs' data processing activities, subject to the conditions of this Section 10.
10.2 Conditions for Audits
Audits conducted under this Section are subject to the following conditions:
- Customer must give SuperOrgs at least 30 days' prior written notice specifying the scope of the proposed audit.
- Audits must be conducted during normal business hours and in a manner that minimizes disruption to SuperOrgs' operations.
- Audits must not involve access to systems, networks, or data belonging to SuperOrgs' other customers.
- Customer must execute a confidentiality agreement reasonably acceptable to SuperOrgs before conducting any audit.
- All costs associated with the audit will be borne by Customer, unless the audit reveals a material non-compliance with this DPA, in which case SuperOrgs will bear its own reasonable costs.
10.3 Third-Party Audit Reports
In lieu of or in addition to direct audits, SuperOrgs may satisfy its audit obligations by providing Customer with copies of relevant third-party audit reports or certifications (such as SOC 2 Type II reports) upon request, subject to appropriate confidentiality protections.
11. International Data Transfers
11.1 Transfers from the EEA
To the extent that the provision of the Services involves a Restricted Transfer of Personal Data from the EEA to SuperOrgs or any Subprocessor located in a country not subject to an adequacy decision, such transfers are governed by the SCCs, which are incorporated into this DPA by reference. Module Two (Controller to Processor) of the SCCs applies, with the following selections:
- Clause 7 (Docking Clause): The optional docking clause is included.
- Clause 9 (Use of Subprocessors): Option 2 (General Written Authorization) applies, with 30 days' notice for changes.
- Clause 11 (Redress): The optional language on independent dispute resolution is not included.
- Clause 13 (Supervision): The competent supervisory authority is determined by the member state in which Customer is established.
- Clause 17 (Governing Law): The laws of Ireland govern the SCCs.
- Clause 18 (Choice of Forum): Disputes arising from the SCCs are subject to the courts of Ireland.
- Annex I: Populated as set out in Schedule 1 to this DPA.
- Annex II: The technical and organizational measures described in Schedule 2 to this DPA apply.
- Annex III: The list of Subprocessors set out in Schedule 3 to this DPA applies.
11.2 Transfers from the United Kingdom
To the extent that the provision of the Services involves a Restricted Transfer of Personal Data from the United Kingdom, the UK Addendum to the SCCs issued by the ICO applies. The Mandatory Clauses of the UK Addendum are incorporated into this DPA by reference. Table 1 identifies the parties; Table 2 references the SCCs as incorporated herein; Table 3 references Schedule 2; and Table 4 selects that neither party may end the UK Addendum if there is a change in the approved addendum.
11.3 Transfers from Switzerland
To the extent that the provision of the Services involves a Restricted Transfer of Personal Data from Switzerland, the SCCs as incorporated herein apply, with references to the GDPR interpreted as references to the Swiss nFADP as applicable. The competent supervisory authority for Swiss transfers is the Swiss Federal Data Protection and Information Commissioner (FDPIC).
11.4 Alternative Transfer Mechanisms
If the SCCs or other transfer mechanisms incorporated herein are invalidated, amended, or superseded by applicable Data Protection Laws, the parties will cooperate in good faith to implement an alternative lawful transfer mechanism as promptly as practicable.
12. Deletion and Return of Personal Data
12.1 Upon Termination
Upon the termination or expiration of the Principal Agreement, SuperOrgs will, at Customer's choice:
- Delete all Personal Data processed on behalf of Customer from SuperOrgs' active systems within 30 days of the termination date; or
- Return a machine-readable export of Customer's Personal Data (to the extent technically feasible) within 30 days of the termination date, after which SuperOrgs will delete such data from its active systems.
Customer must make its election within 14 days of the termination date. In the absence of an election, SuperOrgs will delete Customer's Personal Data by default.
12.2 Backup Retention
Notwithstanding the above, SuperOrgs may retain Personal Data contained in backup copies for up to 90 days following termination, after which such data will be permanently deleted in the ordinary course of SuperOrgs' backup purge schedule. SuperOrgs will not actively process such backup data except as required for disaster recovery purposes.
12.3 Legal Retention Obligations
SuperOrgs may retain Personal Data for longer periods where required by applicable law, in which case SuperOrgs will notify Customer of such retention requirements and will implement appropriate measures to restrict processing of such data to only what is legally required.
12.4 Certification
Upon Customer's written request, SuperOrgs will provide Customer with written certification that deletion has been completed in accordance with this Section 12.
13. Data Protection Officer
SuperOrgs has designated a privacy point of contact who can be reached at privacy@superorgs.com for all data protection inquiries. Where required by applicable Data Protection Laws, SuperOrgs will designate a Data Protection Officer and will notify Customer of the identity and contact details of such officer.
Customer is encouraged to designate its own data protection point of contact for communications with SuperOrgs regarding this DPA. Customer's primary contact is the account administrator identified in Customer's account settings, unless Customer notifies SuperOrgs otherwise.
14. Term and Termination
14.1 Term
This DPA enters into force on the date of execution of the Principal Agreement (or the date Customer accepts this DPA electronically) and continues for the duration of the Principal Agreement. This DPA automatically terminates upon the termination or expiration of the Principal Agreement.
14.2 Survival
The obligations of SuperOrgs under Sections 4, 5, 8, 12, and 15 of this DPA will survive the termination or expiration of the Principal Agreement for as long as SuperOrgs continues to process or retain any Personal Data subject to this DPA.
15. Liability and Indemnification
15.1 Allocation of Liability
Each party's liability under this DPA is subject to the limitations of liability set out in the Principal Agreement. Where both parties are responsible for damage caused to a Data Subject arising from a breach of this DPA, each party is liable for the damage attributable to its own breach.
15.2 Indemnification
Each party will indemnify and hold harmless the other party from and against any claims, damages, fines, penalties, and costs (including reasonable legal fees) imposed by a supervisory authority or awarded by a court arising from that party's breach of its obligations under this DPA or applicable Data Protection Laws.
15.3 No Third-Party Beneficiaries
Nothing in this DPA creates any rights enforceable by third parties, including Data Subjects, except as expressly provided by applicable Data Protection Laws (including the SCCs, which may confer rights on Data Subjects directly under their terms).
16. General Provisions
16.1 Order of Precedence
In the event of any conflict or inconsistency between the provisions of this DPA and the Principal Agreement with respect to the processing of Personal Data, this DPA shall take precedence. In the event of any conflict between this DPA and the SCCs incorporated herein, the SCCs shall take precedence with respect to Restricted Transfers.
16.2 Severability
If any provision of this DPA is held invalid or unenforceable, that provision will be modified to the minimum extent necessary to make it enforceable, and the remaining provisions will continue in full force and effect.
16.3 Amendments
SuperOrgs may update this DPA from time to time to reflect changes in applicable Data Protection Laws, regulatory guidance, or SuperOrgs' data processing practices. SuperOrgs will provide at least 30 days' prior written notice of material changes. If Customer reasonably objects to a material change, the parties will engage in good faith negotiations to resolve the objection. If the parties cannot agree, Customer may terminate the affected Services upon written notice.
16.4 Governing Law
This DPA is governed by the laws specified in the Principal Agreement, except that the SCCs incorporated herein are governed by the law specified therein.
16.5 Entire Agreement
This DPA, together with the Principal Agreement, the Privacy Policy, and all Schedules attached hereto, constitutes the entire agreement between the parties with respect to the processing of Personal Data by SuperOrgs on behalf of Customer and supersedes all prior agreements, representations, and understandings on that subject.
Execution
This DPA is agreed and entered into by the duly authorized representatives of the parties as of the Effective Date. Where accepted electronically through SuperOrgs' platform, Customer's acceptance constitutes a valid, binding execution of this DPA.
| SuperOrgs, Inc. (Processor) | Customer (Controller) |
|---|---|
| Signature: | Signature: |
| Printed Name: | Printed Name: |
| Title: | Title: |
| Date: | Date: |
| Address: | Address: |
| Email: | Email: |
Schedule 1 - Description of Processing Activities
Corresponds to Annex I of the SCCs
Part A: List of Parties
| Element | Data Exporter (Controller) | Data Importer (Processor) |
|---|---|---|
| Name | Customer as identified in the Principal Agreement | SuperOrgs, Inc. |
| Address | Customer's registered address as provided in account registration | San Francisco, California, USA |
| Contact Person | Customer's account administrator | privacy@superorgs.com |
| Activities | Deploying and managing an AI agent workforce alongside a human workforce using the SuperOrgs platform | Providing the SuperOrgs Agent Workforce Transformation Platform and associated services |
| Role | Controller | Processor |
Part B: Description of the Transfer and Processing
| Element | Description |
|---|---|
| Categories of Data Subjects | Customer's employees, contractors, and other workers whose data is included in connected HRIS systems; Authorized Users of the SuperOrgs platform; individuals identified as owners or stakeholders of AI agents within Customer's organization. |
| Categories of Personal Data | Employee identifiers (name, work email, employee ID); job-related information (title, department, team, location, cost center, employment status, start date); organizational structure data (manager/direct report relationships, org hierarchy); platform usage data (login timestamps, feature interactions, Orion queries); account and billing information for Authorized Users. |
| Sensitive Data | SuperOrgs does not intentionally process special categories of personal data. Customer must not submit special category data (health, biometric, racial/ethnic origin, religious beliefs, etc.) unless agreed in writing with SuperOrgs. |
| Frequency of Transfer | Ongoing and continuous throughout the term of the Principal Agreement, in accordance with HRIS sync schedules configured by Customer (typically real-time or at regular intervals not exceeding 24 hours). |
| Nature of Processing | Collection, storage, organization, structuring, retrieval, use, and display of Personal Data to provide the Services, including org chart generation, agent discovery, workforce planning, governance workflows, and Orion AI analysis. |
| Purpose of Processing | To provide the SuperOrgs Agent Workforce Transformation Platform as described in the Principal Agreement, including: unified org chart visualization; AI agent discovery and inventory; agent workforce planning and modeling; governance and compliance tracking; cost intelligence; Orion AI workforce strategy recommendations. |
| Retention Period | Personal Data is retained for the duration of the active Subscription. Following termination, Personal Data is deleted within 30 days upon request, or within 90 days in the ordinary course of SuperOrgs' data management processes. Backup retention does not exceed 90 days post-termination. |
| Transfers to Subprocessors | Yes. See Schedule 3 for the list of approved Subprocessors. |
Schedule 2 - Technical and Organizational Security Measures
Corresponds to Annex II of the SCCs
SuperOrgs implements and maintains the following technical and organizational security measures to protect Personal Data processed under this DPA:
A. Measures of Pseudonymization and Encryption
- All Personal Data transmitted between Customer systems and SuperOrgs is encrypted in transit using TLS 1.3 or higher.
- All Personal Data stored on SuperOrgs infrastructure is encrypted at rest using AES-256 encryption.
- Database fields containing particularly sensitive identifiers are subject to additional field-level encryption.
- Encryption keys are managed using industry-standard key management practices with regular rotation.
B. Measures for Ongoing Confidentiality, Integrity, Availability, and Resilience
- Strict role-based access controls (RBAC) limit access to Personal Data to SuperOrgs personnel with a documented business need.
- Complete multi-tenant data isolation is implemented at the database level. Customer data is logically separated from other customers' data by architecture, not configuration.
- SuperOrgs' infrastructure is hosted on enterprise-grade cloud infrastructure (Amazon Web Services) with high availability and redundancy configurations.
- Automated backups are performed regularly, with backup integrity verified through periodic restoration testing.
- All SuperOrgs personnel with access to Personal Data are subject to binding confidentiality obligations.
C. Measures for Timely Restoration of Availability Following an Incident
- SuperOrgs maintains a formal Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP).
- Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs) are defined and tested annually.
- SuperOrgs maintains geographically redundant infrastructure to enable failover in the event of a regional outage.
- Incident response runbooks are maintained and rehearsed by the SuperOrgs security team.
D. Processes for Regular Testing and Evaluation of Security Measures
- SuperOrgs conducts annual third-party penetration testing of the Platform and infrastructure.
- Automated vulnerability scanning and dependency analysis are performed continuously.
- SuperOrgs undergoes independent audit against SOC 2 Type II controls, with certification in progress.
- Security configurations are reviewed quarterly against industry benchmarks (CIS Controls, NIST CSF).
- Software dependencies are monitored for known vulnerabilities using automated tooling with prompt remediation of critical and high-severity findings.
E. Measures for User Identification and Authorization
- All Authorized User accounts require email-verified registration.
- Multi-factor authentication (MFA) is available and strongly recommended for all accounts, and required for administrative access.
- Session management enforces automatic timeout after a configurable period of inactivity.
- All login events and administrative actions are logged with actor identity and timestamp.
- SuperOrgs employs the principle of least privilege: personnel are granted only the minimum access required for their role.
F. Measures for the Protection of Data During Transmission
- All API communications use HTTPS with TLS 1.3; connections using older TLS versions are rejected.
- HRIS and AI platform integrations use OAuth 2.0 or equivalent secure authorization protocols.
- Data transmitted between SuperOrgs services internally is encrypted in transit.
- SuperOrgs does not transmit Personal Data via unencrypted email or file transfer protocols.
G. Measures for the Protection of Data During Storage
- Personal Data is stored exclusively on SuperOrgs-controlled infrastructure or on contracted subprocessor infrastructure subject to equivalent security requirements.
- Removable media containing Personal Data is prohibited without explicit authorization and encryption.
- Physical access to data centers is controlled by SuperOrgs' cloud infrastructure provider (AWS) under SOC 2 and ISO 27001 certified controls.
H. Measures for Ensuring Physical Security of Locations
- SuperOrgs operates as a cloud-native company and does not maintain on-premises data centers. Physical security of infrastructure is the responsibility of SuperOrgs' cloud provider (AWS), which maintains relevant physical security certifications.
- SuperOrgs' office environments implement appropriate access controls and clean desk policies.
I. Measures for Events Logging and Audit
- All actions within the SuperOrgs Platform are recorded in an immutable audit log capturing actor identity, action type, affected data, and timestamp.
- Infrastructure and application logs are retained for a minimum of 12 months.
- Logs are protected against unauthorized modification or deletion.
- Anomalous activity triggers automated alerts to the SuperOrgs security team.
J. Measures for Reporting and Addressing Security Vulnerabilities
- SuperOrgs maintains a responsible disclosure policy and a process for receiving and triaging external vulnerability reports at security@superorgs.com.
- Critical and high-severity vulnerabilities are remediated within defined SLA windows.
- SuperOrgs maintains a formal Security Incident Response Policy with defined roles, escalation paths, and communication procedures.
K. Data Minimization
- SuperOrgs collects and processes only the Personal Data necessary to provide the Services, consistent with the data minimization principle.
- Integration scopes are designed to request only the permissions and data fields required for each connected platform.
- Customers can configure the scope of HRIS data synced to SuperOrgs through integration settings.
L. Organizational Measures
- SuperOrgs conducts privacy and security awareness training for all employees on joining and annually thereafter.
- SuperOrgs' privacy and security policies are reviewed and updated at least annually.
- A privacy review is conducted for significant new features or changes to data processing activities before launch.
- Vendor due diligence is conducted before engaging Subprocessors, including review of their security posture and privacy practices.
Schedule 3 - List of Approved Subprocessors
Corresponds to Annex III of the SCCs
The following Subprocessors are approved as of the Effective Date of this DPA. SuperOrgs will provide 30 days' advance notice of additions or replacements as described in Section 6.3 of the DPA.
| Subprocessor | Country | Purpose | Data Processed |
|---|---|---|---|
| Amazon Web Services, Inc. (AWS) | United States (global regions) | Cloud infrastructure, hosting, storage, and compute for the Platform | All Customer Data processed through the Services |
| Stripe, Inc. | United States | Payment processing and subscription billing | Billing name, billing address, payment method metadata (no full card data stored by SuperOrgs) |
| Merge API, Inc. | United States | Unified HRIS integration layer for connecting Customer HRIS platforms to SuperOrgs | Employee and organizational data synced from Customer HRIS systems |
| Anthropic, PBC | United States | AI language model infrastructure powering Orion | Orion query content and associated workforce context data |
| SendGrid / Twilio | United States | Transactional email delivery (account confirmations, alerts, notifications) | Authorized User email addresses and notification content |
| Sentry | United States | Application error monitoring and performance tracking | Error logs and stack traces (pseudonymized; Personal Data is not intentionally included, but may appear incidentally in error context) |
| Segment / Twilio | United States | Product analytics and usage event tracking | Anonymized usage events and feature interaction data |
| Intercom | United States | In-app customer support and messaging | Authorized User name, email, and support communications |
Current as of March 25, 2026. The most current Subprocessor list is available upon request at privacy@superorgs.com. SuperOrgs will update this Schedule and notify Customer in accordance with Section 6.3 of the DPA upon any addition or change.
Schedule 4 - California-Specific Addendum (CCPA/CPRA)
This Schedule 4 applies where Customer is subject to the California Consumer Privacy Act as amended by the California Privacy Rights Act (“CCPA/CPRA”) and Personal Data processed under this DPA includes personal information of California residents.
A. Roles Under CCPA
For the purposes of the CCPA/CPRA, with respect to Customer's California resident employees and other individuals whose personal information Customer submits to the Services, Customer is the “Business” and SuperOrgs is the “Service Provider.”
B. Service Provider Obligations
SuperOrgs, as a Service Provider, agrees to:
- Not sell or share (as those terms are defined in the CCPA/CPRA) the personal information of California residents processed under this DPA.
- Not retain, use, or disclose personal information for any commercial purpose other than providing the Services specified in the Principal Agreement.
- Not retain, use, or disclose personal information outside of the direct business relationship with Customer.
- Comply with applicable obligations under the CCPA/CPRA and provide the same level of privacy protection to California residents as required by the CCPA/CPRA.
- Notify Customer if SuperOrgs determines it can no longer meet its obligations under the CCPA/CPRA.
C. Combining Personal Information
SuperOrgs will not combine personal information received from Customer with personal information received from other sources, except as permitted by the CCPA/CPRA for performing the Services.
D. Customer's Right to Audit
Customer has the right to take reasonable and appropriate steps to ensure SuperOrgs uses personal information in a manner consistent with Customer's obligations under the CCPA/CPRA, including through the audit rights described in Section 10 of the DPA.
SuperOrgs Data Processing Addendum v1.0 · Effective March 25, 2026 · superorgs.com/legal