Security Review

Security review quick answers.

This page gives security, legal, procurement, and technical reviewers a public-safe first pass. Deeper diligence materials may be provided to qualified evaluators under NDA or customer agreement.

Is SupraOS generally available?
SupraOS is running paid pilots and onboarding additional pilots by fit and capacity. Features, integrations, deployment models, and security controls may vary by engagement and environment.

Does SupraOS train shared models on customer data by default?
No. Customer data is not used to train shared models by default.

Can SupraOS start read-only?
Yes. The intended first step is read-only Company Scan and source coverage mapping before action authority is granted.

How does SupraOS bound autonomy?
Autonomy is bounded by Charters, source scopes, autonomy modes, policies, permissions, approvals, evidence requirements, Receipts, and human accountable owners.

Can SupraOS act without human approval?
Only inside the autonomy mode and authority boundaries defined by an approved Charter. High-risk actions require policy checks, approval, and evidence requirements before execution.

Does SupraOS use agents?
Yes. SupraOS-managed agents may be assigned to Work Objects inside approved Charters. They receive narrow mandates, source scopes, permission boundaries, approval rules, evidence requirements, and Receipt obligations.

How are high-risk actions controlled?
High-risk actions should be evaluated by policy, require approval, and produce evidence and Receipts before completion.

Does SupraOS support private cloud or VPC deployment?
Private cloud, VPC, and hybrid patterns are part of the design direction and may be available depending on engagement and environment. Do not assume universal availability without written confirmation.

Where does customer data live?
The design goal is to keep source-of-truth data in customer systems where appropriate and store only structured state, metadata, selected artifacts, Receipts, and proof required for governed execution.

Does SupraOS claim SOC 2 or ISO certification?
SupraOS does not claim completed certifications unless formally completed. SupraOS is designed with enterprise controls in mind and may pursue certifications as the platform matures.

How does SupraOS use external intelligence?
External intelligence is source-linked, confidence-scored, and separated from internal system evidence. It informs recommendations and Charters; it does not bypass approval gates.

How are Receipts different from logs?
Logs are per-system operational records. SupraOS Receipts are workflow-level proof objects that bind intent, policy, approvals, agent actions, evidence, systems touched, and outcome.

How do I contact security?
Email info@supraos.co for security review requests or responsible disclosure until a dedicated security inbox is published.

Need deeper diligence?

Qualified evaluators can request security review materials or start with a read-only Company Scan.